There are scenarios where you want to use self-signed certificates for a client-server application. A typical example is running OpenVPN on low-performance hardware; in that case Elliptic Curve key material might improve the overall performance.
The following script produces a certificate and private key for one server and for any number (1..n) of clients. It also records the SHA-256 fingerprint of each certificate: the certificates are self-signed, so there is no CA chain to validate and the fingerprint is what a peer has to pin. We need that for the project of my next post. Note that the private keys are written unencrypted (OpenSSL's -nodes), so treat the keys folder accordingly.
Script usage:
C:\Scripts\> createBridgeKeysAndCerts [client certificate count]
E.g.:
C:\Scripts\> createBridgeKeysAndCerts 3
This will produce the following files:
03/19/2023 02:19 PM 684 bridgeClient1.crt
03/19/2023 02:19 PM 312 bridgeClient1.key
03/19/2023 02:19 PM 116 bridgeClient1.sha256
03/19/2023 02:19 PM 680 bridgeClient2.crt
03/19/2023 02:19 PM 312 bridgeClient2.key
03/19/2023 02:19 PM 116 bridgeClient2.sha256
03/19/2023 02:19 PM 684 bridgeClient3.crt
03/19/2023 02:19 PM 312 bridgeClient3.key
03/19/2023 02:19 PM 116 bridgeClient3.sha256
03/19/2023 02:19 PM 680 bridgeServer.crt
03/19/2023 02:19 PM 312 bridgeServer.key
03/19/2023 02:19 PM 116 bridgeServer.sha256
This is the script:
@echo off
goto :BEGIN
Script: createBridgeKeysAndCerts.bat
Version: 1.0
Date: 18-Mar-2023
Prerequisite: OpenSSL (https://slproweb.com/download/Win64OpenSSL_Light-3_1_0.msi)
:BEGIN
cls
cd /D "%~dp0"
echo *** OpenVPN Bridge config builder...
set openssl="C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
if not exist %openssl% (
echo *** OpenSSL not found at %openssl%, aborting...
goto :EOF
)
REM --- Optional argument: number of client certificates, a positive integer, default 1...
set clientCertCount=1
if %1.==. goto :START
echo %1| findstr /r "^[1-9][0-9]*$">nul
if %errorlevel% equ 0 set clientCertCount=%1
:START
setlocal EnableDelayedExpansion
pushd .
md .\keys >nul 2>nul
cd .\keys
REM --- Generate bridgeServer and bridgeClient keys and certs...
REM --- All certs are self-signed, no CA, CN only: peers must verify them by SHA256 fingerprint.
REM --- -nodes writes the private keys unencrypted, as the VPN daemon needs them.
echo.
echo *** bridgeServer cert + key...
%openssl% ecparam -out secp384r1.pem -name secp384r1
%openssl% req -x509 -newkey ec:secp384r1.pem -keyout bridgeServer.key -out bridgeServer.crt -nodes -sha256 -days 3650 -subj "/CN=bridgeServer" >nul 2>nul
%openssl% x509 -fingerprint -sha256 -in bridgeServer.crt -noout > bridgeServer.sha256
REM --- When a binary certificate (CER) is required, uncomment next line...
REM certutil -f -decode bridgeServer.crt bridgeServer.cer >nul
echo.
echo *** bridgeClient certs + keys...
for /l %%i in (1,1,%clientCertCount%) do (
echo *** Processing client %%i...
%openssl% req -x509 -newkey ec:secp384r1.pem -keyout bridgeClient%%i.key -out bridgeClient%%i.crt -nodes -sha256 -days 3650 -subj "/CN=bridgeClient%%i" >nul 2>nul
%openssl% x509 -fingerprint -sha256 -in bridgeClient%%i.crt -noout > bridgeClient%%i.sha256
REM --- When a binary certificate (CER) is required, uncomment next line...
REM certutil -f -decode bridgeClient%%i.crt bridgeClient%%i.cer >nul
)
del /q secp384r1.pem >nul 2>nul
echo.
echo *** Keys and certs created:
dir /s | find "bridge"
REM --- Calculate and display SHA256 fingerprint of cert(s)...
REM --- OpenSSL prints "sha256 Fingerprint=AB:CD:...", so split on = and keep token 2...
echo.
for /f "tokens=2* delims==" %%i in ('%openssl% x509 -fingerprint -sha256 -in bridgeServer.crt -noout') do set hash=%%i
echo *** bridgeServer hash : %hash%
echo.
for /l %%i in (1,1,%clientCertCount%) do (
REM --- The inner loop must use its own variable %%j, reusing %%i would clobber the outer one...
for /f "tokens=2* delims==" %%j in ('%openssl% x509 -fingerprint -sha256 -in bridgeClient%%i.crt -noout') do set hash=%%j
echo *** bridgeClient%%i hash: !hash!
)
endlocal
popd
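The bridge*.sha256 files written by the script contain OpenSSL's fingerprint line, "sha256 Fingerprint=AB:CD:...". The Python below is an added example, not part of the original post or script: it recomputes that fingerprint from a PEM certificate and compares it to the pinned value, which is the check a peer has to do when there is no CA chain. It also shows the usual pitfall: hashing the .crt file itself (sha256sum, certutil -hashfile) gives a different value, because the fingerprint is the SHA-256 of the DER bytes, not of the PEM text. The embedded SAMPLE_CRT is a constructed stand-in whose base64 body decodes to the bytes "abc" rather than a real X.509 certificate; the fingerprint arithmetic is identical for a real bridgeServer.crt.

```python
import base64
import hashlib
import hmac
import re

# OpenSSL 3.x writes "sha256 Fingerprint=AB:CD:...", OpenSSL 1.x writes
# "SHA256 Fingerprint=..."; accept both and capture the 32 colon-separated bytes.
FINGERPRINT_LINE = re.compile(
    r"^\s*sha256\s+fingerprint\s*=\s*([0-9a-f]{2}(?::[0-9a-f]{2}){31})\s*$",
    re.IGNORECASE,
)

# Constructed stand-in for bridgeServer.crt: the body decodes to b"abc",
# NOT to a real X.509 certificate (the fingerprint maths is the same).
SAMPLE_CRT = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed stand-in for bridgeServer.sha256, as the script's
# "openssl x509 -fingerprint -sha256 -noout" would write it for SAMPLE_CRT.
SAMPLE_SHA256 = (
    "sha256 Fingerprint=BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
    "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER bytes."""
    lines = (ln.strip() for ln in pem.splitlines())
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, formatted like OpenSSL: upper-case hex, colon separated."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_of_pem_file(pem: str) -> str:
    """What `sha256sum bridgeServer.crt` or `certutil -hashfile` reports: a hash of the
    PEM text. This is NOT the certificate fingerprint and must not be pinned."""
    return hashlib.sha256(pem.encode("ascii")).hexdigest().upper()


def parse_fingerprint_file(text: str) -> str:
    """Extract the pinned fingerprint from the contents of a bridge*.sha256 file."""
    match = FINGERPRINT_LINE.match(text)
    if match is None:
        raise ValueError("not an OpenSSL sha256 fingerprint line: %r" % text.strip())
    return match.group(1).upper()


def verify_pin(pem: str, fingerprint_file_text: str) -> bool:
    """True when the certificate's fingerprint equals the pinned one (constant-time compare)."""
    computed = sha256_fingerprint(pem)
    pinned = parse_fingerprint_file(fingerprint_file_text)
    return hmac.compare_digest(computed, pinned)


if __name__ == "__main__":
    print("computed :", sha256_fingerprint(SAMPLE_CRT))
    print("pinned   :", parse_fingerprint_file(SAMPLE_SHA256))
    print("match    :", verify_pin(SAMPLE_CRT, SAMPLE_SHA256))
    print("file hash:", sha256_of_pem_file(SAMPLE_CRT), "(hash of the PEM text, not the fingerprint)")
```

To check a real pair, read bridgeServer.crt and bridgeServer.sha256 from the keys folder and pass their contents to verify_pin; the regex handles the "SHA256 Fingerprint=" spelling of older OpenSSL builds as well.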