
20230319

Create (self signed) EC keys and certificates

There are scenarios where you want to use self-signed certificates for a client-server application. A typical example is running OpenVPN on low-performance hardware; in that case Elliptic Curve key material might improve the overall performance.

The following script produces certificates and private keys for one server and one or more clients. The script also calculates the SHA256 fingerprint of each certificate; we need that for the project in my next post.

Script usage:

C:\Scripts\> createBridgeKeysAndCerts [client certificate count]

E.g.:

C:\Scripts\> createBridgeKeysAndCerts 3

This produces the following files:

03/19/2023  02:19 PM               684 bridgeClient1.crt
03/19/2023  02:19 PM               312 bridgeClient1.key
03/19/2023  02:19 PM               116 bridgeClient1.sha256
03/19/2023  02:19 PM               680 bridgeClient2.crt
03/19/2023  02:19 PM               312 bridgeClient2.key
03/19/2023  02:19 PM               116 bridgeClient2.sha256
03/19/2023  02:19 PM               684 bridgeClient3.crt
03/19/2023  02:19 PM               312 bridgeClient3.key
03/19/2023  02:19 PM               116 bridgeClient3.sha256
03/19/2023  02:19 PM               680 bridgeServer.crt
03/19/2023  02:19 PM               312 bridgeServer.key
03/19/2023  02:19 PM               116 bridgeServer.sha256
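The .sha256 files above hold the one line that `openssl x509 -fingerprint -sha256 -noout` prints ("sha256 Fingerprint=AA:BB:..."; OpenSSL 1.1 spells the label "SHA256"). The fingerprint is the SHA-256 digest of the certificate's DER encoding, i.e. of the base64 payload between the PEM header and footer. The following Python is an added example, not part of the original post or its script: it recomputes that fingerprint from a PEM file and checks it against the stored line, which is the check a client would do when it pins a server certificate by hash. The sample "certificate" is constructed: its payload is just the three bytes "abc", so the expected digest is the well-known SHA-256 test vector rather than a real certificate hash.

```python
"""Recompute and verify the SHA-256 fingerprint OpenSSL wrote for a PEM cert.

Added example (not from the original post). Uses only the standard library.
"""
import base64
import hashlib
import hmac
import re

# First CERTIFICATE block in a PEM file; re.S lets '.' span the newlines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())          # strip line breaks/whitespace
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Digest of the DER encoding in OpenSSL's colon-separated upper-case form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fingerprint_line(text: str) -> str:
    """Parse 'sha256 Fingerprint=AA:BB:...' as written by `openssl x509`.

    Mirrors the batch script's `for /f "tokens=2* delims=="`: the value is
    everything after the first '='. Label case differs between OpenSSL
    versions, so it is compared case-insensitively.
    """
    label, sep, value = text.strip().partition("=")
    if not sep or not label.lower().startswith("sha256"):
        raise ValueError(f"unexpected fingerprint line: {text!r}")
    return value.strip().upper()


def matches_pin(pem: str, fingerprint_line: str) -> bool:
    """True if the certificate's SHA-256 fingerprint equals the pinned one."""
    actual = sha256_fingerprint(pem_to_der(pem))
    expected = parse_fingerprint_line(fingerprint_line)
    # Fingerprints are public, but compare_digest costs nothing and avoids
    # early-exit comparison as a habit.
    return hmac.compare_digest(actual, expected)


# Constructed sample input: payload is base64("abc") == "YWJj", not a real
# certificate, chosen so the expected fingerprint is the SHA-256("abc") vector.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Constructed to look like the content of bridgeServer.sha256 for that payload.
SAMPLE_SHA256_LINE = (
    "sha256 Fingerprint=BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
    "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD"
)
# Constructed: one payload byte changed ("abd"), as a tampered certificate.
TAMPERED_PEM = "-----BEGIN CERTIFICATE-----\nYWJk\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("computed :", sha256_fingerprint(pem_to_der(SAMPLE_PEM)))
    print("pinned   :", parse_fingerprint_line(SAMPLE_SHA256_LINE))
    print("sample   :", matches_pin(SAMPLE_PEM, SAMPLE_SHA256_LINE))
    print("tampered :", matches_pin(TAMPERED_PEM, SAMPLE_SHA256_LINE))
```

To check a real file from the script's keys folder, read bridgeServer.crt and bridgeServer.sha256 and pass their contents to `matches_pin`; the computed value must equal what `openssl x509 -fingerprint -sha256 -noout -in bridgeServer.crt` prints, because both hash the same DER bytes.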

This is the script:

@echo off
goto :BEGIN

    Script: createBridgeKeysAndCerts.bat
    Version: 1.0
    Date: 18-Mar-2023
    Prerequisite: OpenSSL (https://slproweb.com/download/Win64OpenSSL_Light-3_1_0.msi)

:BEGIN
cls
cd /D "%~dp0"

echo *** OpenVPN Bridge config builder...

set openssl="C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
if not exist %openssl% (echo *** OpenSSL not found: %openssl% & goto :EOF)

REM --- Optional argument: number of client certificates, a positive integer, default 1...
set clientCertCount=1
if "%~1"=="" goto :START
    echo %~1| findstr /r "^[1-9][0-9]*$">nul
    if %errorlevel% equ 0 set clientCertCount=%~1
:START

setlocal EnableDelayedExpansion
pushd .

md .\keys >nul 2>nul
cd .\keys

REM --- Generate bridgeServer and bridgeClient keys and certs...
echo.
echo *** bridgeServer cert + key...
%openssl% ecparam -out secp384r1.pem -name secp384r1
%openssl% req -x509 -newkey ec:secp384r1.pem -keyout bridgeServer.key -out bridgeServer.crt -nodes -sha256 -days 3650 -subj "/CN=bridgeServer" >nul 2>nul
%openssl% x509 -fingerprint -sha256 -in bridgeServer.crt -noout > bridgeServer.sha256
REM --- Binary (DER) copy of the server cert, for tools that cannot read PEM...
certutil -f -decode bridgeServer.crt bridgeServer.cer >nul

echo.
echo *** bridgeClient certs + keys...
for /l %%i in (1,1,%clientCertCount%) do (

    echo *** Processing client %%i...
    %openssl% req -x509 -newkey ec:secp384r1.pem -keyout bridgeClient%%i.key -out bridgeClient%%i.crt -nodes -sha256 -days 3650 -subj "/CN=bridgeClient%%i" >nul 2>nul
    %openssl% x509 -fingerprint -sha256 -in bridgeClient%%i.crt -noout > bridgeClient%%i.sha256
REM --- When a binary certificate (CER) is required, uncomment next line...
REM    certutil -f -decode bridgeClient%%i.crt bridgeClient%%i.cer >nul
   
)


del /q secp384r1.pem >nul 2>nul
echo.
echo *** Keys and certs created:
dir /s | find "bridge"

REM --- Calculate and display SHA256 hash of cert(s)...
REM --- OpenSSL prints "sha256 Fingerprint=AA:BB:..."; tokens=2 with delims== takes the part after "="...
echo.
for /f "tokens=2* delims==" %%i in ('%openssl% x509 -fingerprint -sha256 -in bridgeServer.crt -noout') do set hash=%%i
echo *** bridgeServer hash : %hash%
echo.
for /l %%i in (1,1,%clientCertCount%) do (

    REM --- Inner loop variable must differ from the outer loop variable...
    REM --- Delayed expansion is needed to read hash inside this block...
    for /f "tokens=2* delims==" %%j in ('%openssl% x509 -fingerprint -sha256 -in bridgeClient%%i.crt -noout') do set hash=%%j
    echo *** bridgeClient%%i hash: !hash!

)

endlocal
popd

