MC Cine

Multi cert Creator is not easy-rsa

MC Cine is open source software licensed under CC BY-ND 3.0. It helps you create self-signed SSL certificates that can cover multiple DNS names and/or IP addresses.

That means you can create one SSL certificate with the common name http://www.secure-diversity.de that is also valid for http://www.anotherdomain.de and/or http://1.1.1.1. MC Cine is a very powerful tool. Here is the full help for the current version:

./mccine.sh -h full
  Version: 2014-07-15 - by www.se-di.de

  This will do stuff to easily self-sign multiple/alternative FQDN/IPs. It is NOT easy-rsa!
  mccine can (easy-rsa can not) sign certs with multiple FQDNs/IPs and is not such comfortable as this tool ;o).

  When you want >1< common name only you may (but don't need to) use easy-rsa instead.
  mccine can sign single CN's, too of course.

  Getting starting is VERY easy and done in 2 simple steps!

   1) ./mccine.sh -m CA -F my.CA-SERVER.com

          You will be guided to the initial setup of your own and new CA
          and you will get at the end an example output for the next step:

   2) ./mccine.sh -m sign -F my.main-servername.com,IamNOTaFQDN,1.1.1.1 -C my.ROOT-CA.pem -i my.ROOT-CA.crt

          (You can copy & paste the ROOT-CA filenames right from step 1)
          Again you will be guided to the whole process - this time for creating your new certificate
          signed with the CA created in step 1 and with default options.

  You're done! Next time you need step <2> only because you already have a CA! Isn't that easy? :o)
  More examples and the full help are available within the specific help sections.

  Usage:
    $> ./mccine.sh -m [MODE] [options]

  MODE = usage mode. can be one of: <ROOTCA> | <SUBCA> | <sign>

  -h ROOTCA
            <ROOTCA> will create a ROOT-CA and you need to start here when using mccine the first time.
  -h SUBCA
            <SUBCA> requires a ROOT-CA! If you have one already choose this to create a signing SUB-CA.
  -h sign
            <sign> requires a ROOT- or SUB-CA! This helps you in self-signing a user cert.
  -h full
            will show all help output of the above.


    MODE = <ROOTCA>

    -m ROOTCA|CA|rootca|ca

        The ROOT-CA mode will be used normally once only. It is not recommended to sign user certs with a ROOT-CA
        and it is needed in order to create a SUB-CA (which then signing your certs).
        If you already have a CA which is able to do that (check your openssl.cnf settings!) or if you
        have created a ROOT-CA with this tool already you can skip that and proceed with <SUBCA> and / or <sign> mode.

        (Order of args is totally free and case insensitive)

        Required:
           -f|F CA CN = Common name of your ROOT-CA cert, e.g the DNS name or IP address of the CA system

        Optional:
           -c|C CA PEM file = The private key file of the signing ROOT-CA
           -d|D DAYS-FOR-SIGNING = How long should the cert be valid in days.
           -b|B CA KEY-STRENGTH = Defines the strength of the encryption key of the CA

         Defaults:
            DAYS-FOR-SIGNING = 4380 days
            CA KEY-STRENGTH = 8192 bit
            CA PEM file = <CN defined by -F arg>.pem

           Examples:
          $> ./mccine.sh -m ROOTCA -F my.CA-SERVER.com -C my.CA-server.pem -d 3650 -b 4096
          $> ./mccine.sh -m CA -F my.CA-SERVER.com


    MODE = <SUBCA>

    -m SUBCA|subca

        The SUBCA mode will be used normally once to create an intermediate CA for a specific purpose. 
        It then will be used to sign the user / mail / webservers certificates.
        Such a intermediate or SUB-CA is recommended and should be used to be secure.

        (Order of args is totally free and case insensitive)

        Required:
           -f|F CA CN = Common name of your SUB-CA cert, e.g the DNS name or IP address of the SUBCA system
           -r|R CA PEM file = The private key file of the signing ROOT-CA which will sign your cert-request
           -i|I CA CERT file = The CA certificate file of the signing ROOT-CA.

        Optional:
           -d|D DAYS-FOR-SIGNING = How long should the cert be valid in days.
           -b|B CA KEY-STRENGTH = Defines the strength of the encryption key of the CA

         Defaults:
            DAYS-FOR-SIGNING = 2190 days
            CA KEY-STRENGTH = 8192 bit
            CA PEM file = <CN-you-defined-by -F arg>.pem

         Examples:
            $> ./mccine.sh -m SUBCA -F my.subca.com -r my.ROOTca.pem -i my.ROOTca.crt
            $> ./mccine.sh -m SUBCA -F my.subca.com -r my.ROOTca.pem -i my.ROOTca.crt -d 3650 -b 4096


    MODE = <sign>

    -m SIGN|sign

         The sign mode will be your 'normal' operation mode once you have created your ROOT-CA and
         will be used to self-sign your certs with the CA you created in MODE = <CA>.

        (Order of args is totally free and case insensitive)

         Required:
            -f|F MAIN-FQDN,CNx,IP1,IPx,... = One ore multiple common name(s) AND/OR IPs of the server certificate,
                                             normally that will be the DNS name(s)/IP(s) of your target server.
            -c|C CA PEM file = The private key file of the signing ROOT-CA which will sign your cert-request
            -i|I CA CERT file = The CA certificate file of the signing ROOT-CA.

         Optional:
            -p|P CERT PEM file = The private key file of the existing/new server cert (will be created if not existing)
            -d|D DAYS-FOR-SIGNING = How long should the cert be valid in days.
            -b|B CERT KEY-STRENGTH = Defines the strength of the private key
            -s   mail|MAIL = you can define 'MAIL' as special signing mode and then create a S/MIME certificate

         Defaults:
            CERT PEM file = <CN defined by -F arg>.pem
            DAYS-FOR-SIGNING = 2190 days
            CERT KEY-STRENGTH = 4096 bit


           Examples:
             $> ./mccine.sh -m sign -F my.ssl-server.de,myhostname,1.1.1.1 -C my.SUB-CA.pem -p my.CERT.pem -d 365 -b 2048 -i my.SUB-CA.crt
             $> ./mccine.sh -m sign -s MAIL -F support@se-di.de,info@se-di.de,info@sicherevielfalt.de -C my.SUB-CA.pem -i my.SUB-CA.crt
             $> ./mccine.sh -m sign -F my.ssl-server.de -C my.SUB-CA.pem -i my.SUB-CA.crt
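
The -F list above mixes host names, non-FQDN labels, IP addresses and (in MAIL mode) e-mail addresses. As an added example that is not taken from mccine.sh, the script below shows how such a list maps onto X.509 subjectAltName entry types and how to confirm what an issued certificate really contains. The function names, the throwaway CA and the sample names are constructed for illustration; how mccine builds its extensions internally is not shown on this page.

```sh
# Added example (not mccine's code): map a comma-separated name list, as passed
# to -F, onto X.509 subjectAltName entry types, then issue and inspect a cert.

# Print one SAN token. IP literals must become IP entries: TLS clients compare
# an address only against iPAddress SANs, never against DNS entries.
san_entry() {
  case "$1" in
    *@*)         printf 'email:%s' "$1" ;;  # S/MIME style address
    *:*)         printf 'IP:%s' "$1" ;;     # IPv6 literal
    *[!0-9.]*)   printf 'DNS:%s' "$1" ;;    # anything that is not digits and dots
    *.*.*.*.*)   printf 'DNS:%s' "$1" ;;    # too many dots for IPv4
    *.*.*.*)     printf 'IP:%s' "$1" ;;     # dotted quad (octet range not checked)
    *)           printf 'DNS:%s' "$1" ;;
  esac
}

# "a.example.test,host,192.0.2.10" -> "DNS:a.example.test,DNS:host,IP:192.0.2.10"
# The body runs in a subshell so IFS and noglob changes stay local.
build_san() (
  IFS=,; set -f                 # noglob keeps "*.example.test" literal
  out=""
  for e in $1; do
    [ -n "$e" ] || continue     # skip empty items such as "a,,b"
    out="${out:+$out,}$(san_entry "$e")"
  done
  printf '%s' "$out"
)

# Issue a leaf from a throwaway CA (constructed, 2048-bit for speed) and print
# the SAN line exactly as OpenSSL decodes it from the signed certificate.
issue_and_show() (
  set -e
  san=$(build_san "$1"); cn=${1%%,*}
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Constructed Test CA" -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=$cn" 2>/dev/null
  printf 'subjectAltName=%s\n' "$san" > san.ext
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile san.ext -days 30 -out leaf.crt 2>/dev/null
  openssl verify -CAfile ca.crt leaf.crt >/dev/null
  openssl x509 -in leaf.crt -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
)

if [ "${1:-}" = "demo" ]; then   # run the OpenSSL part only on request
  issue_and_show "my.example.test,myhostname,192.0.2.10"
fi
```

Run the script with `demo` as its first argument to issue the test certificate; the same `openssl x509 -noout -text` check works on any certificate produced by the sign mode.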

Download

Current stable version: mccine_v3.1.tar.gz
