Range-Software
diff --git a/‎README.md
+110 b/‎README.md
+110
diff --git a/‎conf/openssl_intermediate.cnf
+80 b/‎conf/openssl_intermediate.cnf
+80
diff --git a/‎conf/openssl_root.cnf
+63 b/‎conf/openssl_root.cnf
+63
diff --git a/‎scripts/ca_cleanup.sh
+81 b/‎scripts/ca_cleanup.sh
+81
@@ -0,0 +1,110 @@
+# Range - Certificate Authority
+
+**Range CA** is a set of tools to create own limited Certificate Authority to issue (sign), revoke and verify client or host certificates.
+
+## Setup Certificate Authority
+
+```
+./scripts/ca_setup.sh \
+    --ca-dir="/path/to/your/range-ca" \
+    --country="<iso-country-code>" \
+    --state="<state>" \
+    --location="<location>" \
+    --organization="<organization>" \
+    --organization-unit="<organization-unit>" \
+    --common-name="your-domain.com" \
+    [email protected]
+```
+NOTE: Replace above parameter values and placeholders with real values.
+
+## Cleanup Certificate Authority
+
+```
+./scripts/ca_cleanup.sh --ca-dir="/path/to/your/range-ca"
+```
+
+## Sign certificate
+
+```
+./scripts/ca_sign_certificate.sh \
+    --csr="/path/to/input_file.csr" \
+    --cert="/path/to/output_file.crt" \
+    --extension=["client_cert" or "server_cert"]
+```
+
+## Verify certificate
+
+```
+./scripts/ca_verify_certificate.sh --cert="/path/to/input_file.crt"
+```
+
+## Revoke certificate
+
+```
+./scripts/ca_revoke_certificate.sh --common-name="certificate common name" --serial="certificate serial number"
+```
+
+## Directory and file structure
+
+### Directories
+* **certs** - This directory contains the certificates generated and signed by the CA. For the root CA, this includes the root CA certificate itself. For the intermediate CA, this includes the intermediate CA certificate and any server or client certificates signed by the intermediate CA.
+* **crl** - The Certificate Revocation List (CRL) directory contains the CRLs generated by the CA. A CRL is a list of certificates that have been revoked by the CA before their expiration date.
+* **newcerts** - This directory stores a copy of each certificate signed by the CA, with the certificate's serial number as the file name. It helps maintain a backup of all issued certificates.
+* **private** - This directory contains the private keys for the CA, including the root CA and intermediate CA private keys. These keys are used to sign certificates and CRLs. The private keys should be kept secure and not shared.
+
+### Files
+* **serial** - Used to keep track of the last serial number that was used to issue a certificate.
+* **crlnumber** - Configuration directive specifying the file that contains the current CRL number.
+* **index.txt** - Database of sorts that keeps track of the certificates that have been issued by the CA.
+
+```
+range-ca/
+├── conf
+│   ├── openssl_intermediate.cnf
+│   └── openssl_root.cnf
+├── intermediateCA
+│   ├── certs
+│   │   ├── ca-chain.cert.pem
+│   │   └── intermediate.cert.pem
+│   ├── crl
+│   ├── crlnumber
+│   ├── csr
+│   ├── index.txt
+│   ├── index.txt.attr
+│   ├── newcerts
+│   ├── openssl.cnf
+│   ├── private
+│   │   └── intermediate.key.pem
+│   └── serial
+├── LICENSE
+├── README.md
+├── rootCA
+│   ├── certs
+│   │   └── ca.cert.pem
+│   ├── crl
+│   ├── crlnumber
+│   ├── csr
+│   │   └── intermediate.csr.pem
+│   ├── index.txt
+│   ├── index.txt.attr
+│   ├── index.txt.old
+│   ├── newcerts
+│   │   └── 1000.pem
+│   ├── openssl.cnf
+│   ├── private
+│   │   └── ca.key.pem
+│   ├── serial
+│   └── serial.old
+└── scripts
+    ├── ca_cleanup.sh
+    ├── ca_create_intermediate_ca.sh
+    ├── ca_create_root_ca.sh
+    ├── ca_create_signed_certificate.sh
+    ├── ca_generate_crl.sh
+    ├── ca_revoke_certificate.sh
+    ├── ca_setup.sh
+    ├── ca_sign_certificate.sh
+    └── ca_verify_certificate.sh
+```
+
+_Based on instructions from: https://www.golinuxcloud.com/openssl-create-certificate-chain-linux/_
@@ -0,0 +1,80 @@
+[ ca ]                                                   # The default CA section
+default_ca = CA_default                                  # The default CA name
+
+[ CA_default ]                                           # Default settings for the intermediate CA
+dir               = <ca-dir>                             # Intermediate CA directory
+certs             = $dir/certs                           # Certificates directory
+crl_dir           = $dir/crl                             # CRL directory
+new_certs_dir     = $dir/newcerts                        # New certificates directory
+database          = $dir/index.txt                       # Certificate index file
+serial            = $dir/serial                          # Serial number file
+RANDFILE          = $dir/private/.rand                   # Random number file
+private_key       = $dir/private/intermediate.key.pem    # Intermediate CA private key
+certificate       = $dir/certs/intermediate.cert.pem     # Intermediate CA certificate
+crl               = $dir/crl/intermediate.crl.pem        # Intermediate CA CRL
+crlnumber         = $dir/crlnumber                       # Intermediate CA CRL number
+crl_extensions    = crl_ext                              # CRL extensions
+default_days      = 365                                  # Default number of days to certify the cert for
+default_crl_days  = 30                                   # Default CRL validity days
+default_md        = sha256                               # Default message digest
+preserve          = no                                   # Preserve existing extensions
+email_in_dn       = no                                   # Exclude email from the DN
+name_opt          = ca_default                           # Formatting options for names
+cert_opt          = ca_default                           # Certificate output options
+policy            = policy_loose                         # Certificate policy
+unique_subject    = no                                   # Allow non unique subjects
+
+[ policy_loose ]                                         # Policy for less strict validation
+countryName             = optional                       # Country is optional
+stateOrProvinceName     = optional                       # State or province is optional
+localityName            = optional                       # Locality is optional
+organizationName        = optional                       # Organization is optional
+organizationalUnitName  = optional                       # Organizational unit is optional
+commonName              = supplied                       # Must provide a common name
+emailAddress            = optional                       # Email address is optional
+
+[ req ]                                                  # Request settings
+default_bits        = 4096                               # Default key size
+distinguished_name  = req_distinguished_name             # Default DN template
+string_mask         = utf8only                           # UTF-8 encoding
+default_md          = sha256                             # Default message digest
+x509_extensions     = v3_intermediate_ca                 # Extensions for intermediate CA certificate
+
+[ req_distinguished_name ]                               # Template for the DN in the CSR
+countryName                     = <country-name>         # Country Name (2 letter code)
+stateOrProvinceName             = <state>                # State or Province Name (full name)
+localityName                    = <location>             # Locality Name (city)
+0.organizationName              = <organization>         # Organization Name (company)
+organizationalUnitName          = <organization-unit>    # Organizational Unit Name (section)
+commonName                      = <common-name>          # Common Name (your domain)
+emailAddress                    = <email>                # Email Address
+countryName_default             = <country-name>         # Country Name (2 letter code)
+stateOrProvinceName_default     = <state>                # State or Province Name (full name)
+localityName_default            = <location>             # Locality Name (city)
+0.organizationName_default      = <organization>         # Organization Name (company)
+organizationalUnitName_default  = <organization-unit>    # Organizational Unit Name (section)
+commonName_default              = <common-name>          # Common Name (your domain)
+emailAddress_default            = <email>                # Email Address
+
+[ v3_intermediate_ca ]                                      # Intermediate CA certificate extensions
+subjectKeyIdentifier = hash                                 # Subject key identifier
+authorityKeyIdentifier = keyid:always,issuer                # Authority key identifier
+basicConstraints = critical, CA:true, pathlen:0             # Basic constraints for a CA
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign # Key usage for a CA
+
+[ crl_ext ]                                                 # CRL extensions
+authorityKeyIdentifier=keyid:always                         # Authority key identifier
+
+[ server_cert ]                                             # Server certificate extensions
+basicConstraints = CA:FALSE                                 # Not a CA certificate
+nsCertType = server                                         # Server certificate type
+keyUsage = critical, digitalSignature, keyEncipherment      # Key usage for a server cert
+extendedKeyUsage = serverAuth                               # Extended key usage for server authentication purposes (e.g., TLS/SSL servers).
+authorityKeyIdentifier = keyid,issuer                       # Authority key identifier linking the certificate to the issuer's public key.
+
+[ client_cert ]                                             # Client certificate extensions
+basicConstraints = CA:FALSE                                 # Not a CA certificate
+nsCertType = client, email                                  # Client certificate type
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment # Key usage for a server cert
+extendedKeyUsage = clientAuth, emailProtection              # Extended key usage for server authentication purposes (e.g., TLS/SSL client).
+authorityKeyIdentifier = keyid,issuer                       # Authority key identifier linking the certificate to the issuer's public key.
@@ -0,0 +1,63 @@
+[ ca ]                                                   # The default CA section
+default_ca = CA_default                                  # The default CA name
+
+[ CA_default ]                                           # Default settings for the CA
+dir               = <ca-dir>                             # CA directory
+certs             = $dir/certs                           # Certificates directory
+crl_dir           = $dir/crl                             # CRL directory
+new_certs_dir     = $dir/newcerts                        # New certificates directory
+database          = $dir/index.txt                       # Certificate index file
+serial            = $dir/serial                          # Serial number file
+RANDFILE          = $dir/private/.rand                   # Random number file
+private_key       = $dir/private/ca.key.pem              # Root CA private key
+certificate       = $dir/certs/ca.cert.pem               # Root CA certificate
+crl               = $dir/crl/ca.crl.pem                  # Root CA CRL
+crlnumber         = $dir/crlnumber                       # Root CA CRL number
+crl_extensions    = crl_ext                              # CRL extensions
+default_crl_days  = 30                                   # Default CRL validity days
+default_md        = sha256                               # Default message digest
+preserve          = no                                   # Preserve existing extensions
+email_in_dn       = no                                   # Exclude email from the DN
+name_opt          = ca_default                           # Formatting options for names
+cert_opt          = ca_default                           # Certificate output options
+policy            = policy_strict                        # Certificate policy
+unique_subject    = no                                   # Allow multiple certs with the same DN
+
+[ policy_strict ]                                        # Policy for stricter validation
+countryName             = match                          # Must match the issuer's country
+stateOrProvinceName     = match                          # Must match the issuer's state
+organizationName        = match                          # Must match the issuer's organization
+organizationalUnitName  = optional                       # Organizational unit is optional
+commonName              = supplied                       # Must provide a common name
+emailAddress            = optional                       # Email address is optional
+
+[ req ]                                                  # Request settings
+default_bits        = 4096                               # Default key size
+distinguished_name  = req_distinguished_name             # Default DN template
+string_mask         = utf8only                           # UTF-8 encoding
+default_md          = sha256                             # Default message digest
+prompt              = no                                 # Non-interactive mode
+
+[ req_distinguished_name ]                               # Template for the DN in the CSR
+countryName                     = <country-name>         # Country Name (2 letter code)
+stateOrProvinceName             = <state>                # State or Province Name (full name)
+localityName                    = <location>             # Locality Name (city)
+0.organizationName              = <organization>         # Organization Name (company)
+organizationalUnitName          = <organization-unit>    # Organizational Unit Name (section)
+commonName                      = <common-name>          # Common Name (your domain)
+emailAddress                    = <email>                # Email Address
+
+[ v3_ca ]                                           # Root CA certificate extensions
+subjectKeyIdentifier = hash                         # Subject key identifier
+authorityKeyIdentifier = keyid:always,issuer        # Authority key identifier
+basicConstraints = critical, CA:true                # Basic constraints for a CA
+keyUsage = critical, keyCertSign, cRLSign           # Key usage for a CA
+
+[ crl_ext ]                                         # CRL extensions
+authorityKeyIdentifier = keyid:always,issuer        # Authority key identifier
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+myName=$(basename $0 .sh)
+myPath=$(dirname $0)
+
+caDir=
+
+assert_success()
+{
+    if [ $1 -ne 0 ]
+    then
+        echo "$2" >&2
+        exit 1
+    fi
+}
+
+assert_nonempty()
+{
+    if [ -z "$1" ]
+    then
+        echo "Value is empty. $2" >&2
+        exit 1
+    fi
+}
+
+extract_cmd_parameter_value()
+{
+    echo "${1#*=}"
+}
+
+print_help()
+{
+cat <<End-of-help
+Usage: $myName.sh [OPTION]...
+
+  mandatory
+
+    --ca-dir=[PATH]                   Path to CA directory structure (default=$caDir)
+
+  optional
+
+    --help, -h, -?                    Print this help and exit
+
+End-of-help
+}
+
+while [ $# -gt 0 ]
+do
+    case $1 in
+        --ca-dir=*)
+            caDir=$(extract_cmd_parameter_value "$1")
+            ;;
+        --help | -h | -?)
+            print_help
+            exit 0
+            ;;
+        *)
+            echo "Unknown parameter '$1'" >&2
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+assert_nonempty "$caDir" "CA directory not specified"
+
+caRootDir="$caDir/rootCA"
+caIntermediateDir="$caDir/intermediateCA"
+
+caRootCommonName="${caCommonName} Root CA"
+caIntermediateCommonName="${caCommonName} Intermediate CA"
+
+echo
+echo "Remove OpenSSL CA directory structure"
+echo
+
+chmod -R u+w "$caRootDir" && \
+chmod -R u+w "$caIntermediateDir" && \
+rm -rfv "$caRootDir" && \
+rm -rfv "$caIntermediateDir"
+assert_success $? "Failed to remove CA directory structure"