Introduction

In pentests, you often need to create X.509 certificates (e.g. for TLS) or certificate authorities (CAs) to mimic secure environments during your tests. Generating these certificates manually with tools like openssl is time-consuming and error-prone, especially when you're in a hurry: who remembers all those commands? Whether you're setting up a fake web server for data exchange, a proxy, a machine-in-the-middle (MITM) attack, a test of secure connections, or your own CA chain, generating the certificates should not take much time.

To make this easier, I've written a small script that automates the generation of certificates and CAs in various formats. It lets you quickly create the certificates you need for different testing scenarios. Whether you need self-signed certificates, client certificates, or a custom CA chain, the tool lets you focus on the testing itself rather than on the setup.

Script

The script can be found on GitHub: makecert.

The CA and certificate details are configured by editing these variables in the script:

KEYSIZE="2048"

CAFILEPREFIX="ca"
CASUBJECT="/CN=Emanuel Duss Certificate Authority/OU=emanuelduss.ch/O=Emanuel Duss/C=CH"
CASERIAL="0x23054213370666"
CAVALIDITY="730" # in days
CAPASSWORD="password"

CERTFILEPREFIX="certificate"
CERTSUBJECT="/CN=emanuelduss.ch"
CERTVALIDITY="730" # in days
CERTPASSWORD="password"

You can configure the key length, the subject, the serial number, the validity period and the password for both the certificate authority (CA) and the certificate. The two passwords are only used for the password-protected variants of the key and PKCS#12 files; change the default "password" if the material is going to leave the test machine.

Once the script is adjusted, all you have to do is execute it:

$ ./makecert
[*] Setting umask to 077...
0077
[*] Creating self-signed certificate for CA...
......+..+.............+++++++++++++++++++++++++++++++++++++++*............+...+..+............+..........+..+.+..............+.+..+..................+.............+.....+....+..+...+++++++++++++++++++++++++++++++++++++++*..+.....+.......+.....+....+...............+......+.....+.......+.....+.+......+.....+....+.................+....+...+......+.....+......+......+...+.......+....................+.......+...+..+.+......+...+...............+...+........+.........+............+...+.+.....+......+.+.........+.....+.+............+.....+.......+...+..+......+...+..........+..+...+.......+..+......+.+.........+..+...+....+..+.+.............................++++++
.......+.+.....+......+++++++++++++++++++++++++++++++++++++++*...+....+..+...+.+.....+.........+.+.....+++++++++++++++++++++++++++++++++++++++*.+.+..+............+.+..+......+....+..+...................+.........+........+....+...+..+....+.....+....+...........+.+......+........+.........+..........+..+.+........+.+...+........+.........+.+..+...+...................+.........+..........................+....+.....++++++
-----
-rw------- 1 emanuel emanuel 1330 May  1  2019 ca-cert.pem
-rw------- 1 emanuel emanuel 1704 May  1  2019 ca-key-pkcs8.pem
[*] Converting CA certificate from PEM to DER...
-rw------- 1 emanuel emanuel 940 May  1  2019 ca-cert.der
[*] Converting CA certificate from PEM to text...
-rw------- 1 emanuel emanuel 4443 May  1  2019 ca-cert.txt
[*] Converting CA key from PKCS8 PEM to DER...
-rw------- 1 emanuel emanuel 1218 May  1  2019 ca-key-pkcs8.der
[*] Converting CA key from PKCS8 PEM to PEM password protected...
-rw------- 1 emanuel emanuel 1886 May  1  2019 ca-key-pkcs8-password.pem
[*] Converting CA key from PKCS8 PEM to traditional RSA PEM...
writing RSA key
-rw------- 1 emanuel emanuel 1704 May  1  2019 ca-key-traditional.pem
[*] Converting CA key from PKCS8 PEM to traditional RSA PEM password protected...
writing RSA key
-rw------- 1 emanuel emanuel 1886 May  1  2019 ca-key-traditional-password.pem
[*] Converting CA key from PKCS8 PEM to traditional RSA DER...
writing RSA key
-rw------- 1 emanuel emanuel 1218 May  1  2019 ca-key-traditional.der
[*] Creating PKCS12 keystore...
Warning: output encryption option -nodes ignored with -export
-rw------- 1 emanuel emanuel 2707 May  1  2019 ca-pkcs12.p12
[*] Creating password protected PKCS12 keystore...
Warning: output encryption option -nodes ignored with -export
-rw------- 1 emanuel emanuel 2707 May  1  2019 ca-pkcs12-password.p12
[*] Creating certificate CSR...
........+++++++++++++++++++++++++++++++++++++++*.....+.........+.....+.+.....+.+.....+.......+......+..+............+.+++++++++++++++++++++++++++++++++++++++*..+...+..+......+.+......+.........+...+...+........+.+.....................+..+...............+.+..+...+.+......+.....+....+...+...+.........+.........+.....+.+......+........+.+..................+......+......+.....+...+...+...++++++
..+.+++++++++++++++++++++++++++++++++++++++*.+.....+.........+...+......+......+.+..+...+....+.....+++++++++++++++++++++++++++++++++++++++*..+....+...+.........+.........+.....+......+...+......+.+...+............+.....+.+............+..+......+.......+..+...+.............+..+...+....+......+........+............+..................+.+.....+.++++++
-----
-rw------- 1 emanuel emanuel  899 May  1  2019 certificate-csr.pem
-rw------- 1 emanuel emanuel 1704 May  1  2019 certificate-key-pkcs8.pem
[*] Converting certificate CSR from PEM to DER...
-rw------- 1 emanuel emanuel 610 May  1  2019 certificate-csr.der
[*] Signing the certificate...
Certificate request self-signature ok
subject=CN=emanuelduss.ch
[*] Converting certificate from PEM to DER...
-rw------- 1 emanuel emanuel 855 May  1  2019 certificate-cert.der
[*] Converting certificate from PEM to text...
-rw------- 1 emanuel emanuel 4229 May  1  2019 certificate-cert.txt
[*] Converting certificate key from PKCS8 PEM to DER...
-rw------- 1 emanuel emanuel 1218 May  1  2019 certificate-key-pkcs8.der
[*] Converting certificate key from PKCS8 PEM to PEM password protected...
-rw------- 1 emanuel emanuel 1886 May  1  2019 certificate-key-pkcs8-password.pem
[*] Converting certificate key from PKCS8 PEM to traditional RSA PEM...
writing RSA key
-rw------- 1 emanuel emanuel 1704 May  1  2019 certificate-key-traditional.pem
[*] Converting certificate key from PKCS8 PEM to traditional RSA PEM password protected...
writing RSA key
-rw------- 1 emanuel emanuel 1886 May  1  2019 certificate-key-traditional-password.pem
[*] Converting certificate key from PKCS8 PEM to traditional RSA DER...
writing RSA key
-rw------- 1 emanuel emanuel 1218 May  1  2019 certificate-key-traditional.der
[*] Creating PKCS12 keystore for certificate...
Warning: output encryption option -nodes ignored with -export
-rw------- 1 emanuel emanuel 2611 May  1  2019 certificate-pkcs12.p12
[*] Creating password protected PKCS12 keystore for certificate...
Warning: output encryption option -nodes ignored with -export
-rw------- 1 emanuel emanuel 2611 May  1  2019 certificate-pkcs12-password.p12

The following openssl subcommands are used:

  • req to create the CA key together with its self-signed certificate, and to create the key and certificate signing request (CSR) for the certificate.
  • x509 to sign the CSR with the CA key (the "Certificate request self-signature ok" line in the output above is its check of the CSR's own signature) and to convert certificates from PEM to DER and to human-readable text.
  • pkcs8 to convert the PKCS#8 key from PEM to DER and to write a password-protected PKCS#8 key in PEM format.
  • rsa to convert the key from PKCS#8 to the traditional RSA format, in both PEM and DER.
  • pkcs12 to create a PKCS#12 keystore (with and without password).
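As an added example (this is not the makecert script itself, whose internals are not shown here), the following POSIX shell functions wire the same subcommands into a minimal CA plus server-certificate pipeline and add the step that is easy to forget: the X.509v3 extensions. `openssl x509 -req` does not copy extensions from the CSR, and current TLS clients require a subjectAltName (the CN alone is not matched), so basic constraints, key usage and the SAN are passed in through -extfile. The subjects, hostnames, output directory and the password `changeit` are constructed placeholders; the `-iter` count for the encrypted PKCS#8 key is a deliberate choice rather than an openssl default.

```shell
#!/bin/sh
# Added example, not the makecert script from the post: the same openssl
# subcommands (req, x509, pkcs8, pkcs12) wired into a minimal CA + leaf pipeline
# that also sets the X.509v3 extensions TLS clients check. Subjects, hostnames
# and the "changeit" password are constructed placeholders.
set -eu
umask 077   # key material is created 0600, like the script's "umask 077"

# keygen_csr DIR NAME SUBJECT: fresh 2048-bit RSA key (PKCS#8 PEM) plus a CSR.
keygen_csr() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "$3" \
    -keyout "$1/$2-key.pem" -out "$1/$2-csr.pem" 2>/dev/null
}

# make_ca DIR: self-signed CA. basicConstraints/keyUsage come from an -extfile
# rather than from openssl.cnf, so the result does not depend on the distro config.
make_ca() {
  mkdir -p "$1"
  keygen_csr "$1" ca "/CN=Example Test CA/O=Example/C=CH"
  printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "subjectKeyIdentifier=hash" > "$1/ca.ext"
  openssl x509 -req -sha256 -days 730 -in "$1/ca-csr.pem" \
    -signkey "$1/ca-key.pem" -extfile "$1/ca.ext" -out "$1/ca-cert.pem" 2>/dev/null
}

# make_leaf DIR HOST: server certificate for HOST signed by the CA.
# "x509 -req" does not copy extensions from the CSR, so the SAN (which clients
# require; the CN alone is ignored) has to be given explicitly here.
make_leaf() {
  keygen_csr "$1" "$2" "/CN=$2"
  printf '%s\n' "basicConstraints=CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" \
    "subjectAltName=DNS:$2,DNS:www.$2" \
    "subjectKeyIdentifier=hash" "authorityKeyIdentifier=keyid,issuer" > "$1/$2.ext"
  openssl x509 -req -sha256 -days 730 -in "$1/$2-csr.pem" \
    -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2-cert.pem" 2>/dev/null
  # The same material in the other encodings the script produces.
  openssl x509 -in "$1/$2-cert.pem" -outform DER -out "$1/$2-cert.der"
  openssl pkcs8 -topk8 -v2 aes-256-cbc -iter 100000 -in "$1/$2-key.pem" \
    -passout pass:changeit -out "$1/$2-key-pkcs8-password.pem"
  openssl pkcs12 -export -in "$1/$2-cert.pem" -inkey "$1/$2-key.pem" \
    -certfile "$1/ca-cert.pem" -name "$2" -passout pass:changeit -out "$1/$2.p12"
}

# verify_leaf DIR HOST NAME: chain validation against the CA plus the hostname
# match a TLS client performs for NAME; the exit status is the verdict.
verify_leaf() {
  openssl verify -CAfile "$1/ca-cert.pem" -verify_hostname "$3" "$1/$2-cert.pem"
}

# has_san DIR HOST: succeeds only if the issued certificate carries DNS:HOST.
has_san() {
  openssl x509 -in "$1/$2-cert.pem" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# is_encrypted_pkcs8 FILE: the password-protected key must not be plaintext.
is_encrypted_pkcs8() {
  grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

if [ "${1:-}" = "run" ]; then      # usage: ./example.sh run [DIR] [HOST]
  d=${2:-./pki}; h=${3:-example.test}
  make_ca "$d"; make_leaf "$d" "$h"
  verify_leaf "$d" "$h" "$h" && has_san "$d" "$h" && echo "$h: chain and SAN OK"
fi
```

Whatever generator you use, check its output the same way before pointing a client at it: `openssl x509 -in certificate-cert.pem -noout -text` should list a Subject Alternative Name, and `openssl verify -CAfile ca-cert.pem -verify_hostname <host> certificate-cert.pem` should answer OK. Note also the "output encryption option -nodes ignored with -export" warnings in the run above: -nodes has no effect on PKCS#12 export, so the protection of a .p12 file comes only from the export password.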

Created Files

The script first creates a CA and then a certificate signed by that CA. This results in the following files:

$ ls -1
ca-cert.der
ca-cert.pem
ca-cert.srl
ca-cert.txt
ca-key-pkcs8.der
ca-key-pkcs8-password.pem
ca-key-pkcs8.pem
ca-key-traditional.der
ca-key-traditional-password.pem
ca-key-traditional.pem
ca-password.txt
ca-pkcs12.p12
ca-pkcs12-password.p12
certificate-cert.der
certificate-cert.pem
certificate-cert.txt
certificate-csr.der
certificate-csr.pem
certificate-key-pkcs8.der
certificate-key-pkcs8-password.pem
certificate-key-pkcs8.pem
certificate-key-traditional.der
certificate-key-traditional-password.pem
certificate-key-traditional.pem
certificate-password.txt
certificate-pkcs12.p12
certificate-pkcs12-password.p12

So you have the certificate and key for both the CA and the end-entity certificate in all sorts of formats: PKCS#12 with and without password, traditional RSA and PKCS#8 (with and without password), each PEM- and DER-encoded, and so on.
