A POSIX shell script (`#!/usr/bin/env sh`) to ease (re)generation of a private root CA and the OpenSSL certificates it signs.
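#!/usr/bin/env sh
#
# cert.sh - (re)generate a private root CA and the leaf certificates it signs.
#
# Usage: cert.sh [-d <days>] [-r -k] [-c -g -x -m -i [-n <name>]...]
#
# Files read from the working directory:
#   rootCA.cnf     openssl req config for the root CA (needed by -r)
#   <name>.cnf     openssl req config for a leaf; its [v3_req] section is
#                  used as the certificate's extensions (needed by -c)
#   dhparams.pem   DH parameters appended to the ZNC-style bundle (-m)
#
# Files written:
#   rootCA.key.pem, rootCA.crt.pem, rootCA.srl
#   <name>.key.pem, <name>.crt.pem, <name>.pfx, <name>.merge.pem
#
# NOTE(review): no key written by this script is passphrase-protected
# (genrsa without a cipher, req -nodes). Whoever can read rootCA.key.pem
# can mint certificates trusted by everything that trusts rootCA.crt.pem,
# so keep this directory on a trusted host and back the CA key up offline.
#
# Exit status: 0 ok, 1 missing input file / openssl failure, 2 bad usage,
#              3 CSR generation failed, 4 signing failed.

set -u

DEFAULT_DAYS=3653

NEWROOT=0
GENROOTKEY=0
NEWCERT=0
GENCERTKEY=0
DAYS=$DEFAULT_DAYS
PFX=0
MERGE=0
INFO=0
NAMES=""

PROG=$(basename "$0")

# die MESSAGE [STATUS]: report MESSAGE on stderr and exit (STATUS defaults to 1).
die() {
  printf '%s: %s\n' "$PROG" "$1" >&2
  exit "${2:-1}"
}

# usage: print the option summary on stdout.
usage() {
  echo "cert.sh [-d <days>] [-r -k] [-c -g -x -m -i [-n <name>]...]"
  echo "d: custom expiry (default $DEFAULT_DAYS)"
  echo "r: create new root CA certificate"
  echo "k: generate new key for root CA"
  echo "c: create new SSL certificate"
  echo "g: generate new key for cert"
  echo "x: convert to PFX format (e.g. Windows)"
  echo "m: merge key/cert/dhparam (e.g. ZNC)"
  echo "i: print cert info once done"
  echo "n: name of cert to process"
}

if [ $# -eq 0 ] || { [ $# -eq 1 ] && [ "$1" = "-h" ]; }; then
  usage
  exit
fi

# The leading ':' makes getopts hand unknown options and missing arguments
# to the '\?' / ':' arms below, so a typo aborts instead of being silently
# dropped while the rest of the command line still runs.
while getopts ":rkcgd:pxmihn:" flag; do
  case "$flag" in
    d) DAYS="$OPTARG" ;;
    r) NEWROOT=1 ;;
    k) GENROOTKEY=1 ;;
    c) NEWCERT=1 ;;
    g) GENCERTKEY=1 ;;
    p) ;; # reserved: PEM output was never implemented, still accepted as a no-op
    x) PFX=1 ;;
    m) MERGE=1 ;;
    i) INFO=1 ;;
    h) usage; exit ;;
    n) NAMES="$NAMES $OPTARG" ;;
    :) die "option -$OPTARG requires an argument" 2 ;;
    \?) die "unknown option -$OPTARG" 2 ;;
  esac
done
shift $((OPTIND - 1))
if [ $# -gt 0 ]; then
  echo >&2 "$PROG: warning, ignoring stray argument '$1' (use -n <name>)"
fi

# -d is passed straight to openssl -days; insist on a positive integer so a
# typo does not turn into a cert that is already expired or never expires.
case "$DAYS" in
  ''|*[!0-9]*) die "-d expects a positive number of days, got '$DAYS'" 2 ;;
esac
[ "$DAYS" -gt 0 ] || die "-d expects a positive number of days, got '$DAYS'" 2

if [ $GENROOTKEY -eq 1 ]; then
  echo "=> Generating root CA key..."
  # Create the key as 0600 from the outset (umask in a subshell) instead of
  # relying only on a chmod afterwards, which leaves a window where the key
  # is readable under the caller's default umask.
  ( umask 077 && openssl genrsa -out "rootCA.key.pem" 4096 ) \
    || die "failed to generate root CA key"
  chmod 0600 "rootCA.key.pem"
  if [ $NEWROOT -eq 0 ]; then
    # An existing rootCA.crt.pem no longer matches the key on disk; signing
    # with -c will fail until a new CA certificate is issued with -r.
    echo "$PROG: warning, not using new root CA key yet"
  fi
fi

if [ $NEWROOT -eq 1 ]; then
  [ -f "rootCA.cnf" ] || die "missing config file rootCA.cnf"
  [ -f "rootCA.key.pem" ] || die "missing rootCA.key.pem (generate one with -k)"
  echo "=> Creating certification authority..."
  openssl req -x509 -new -nodes -sha256 -key "rootCA.key.pem" \
    -config "rootCA.cnf" -days "$DAYS" -out "rootCA.crt.pem" \
    || die "failed to create root CA certificate"
fi

if [ -z "$NAMES" ] && [ $((GENCERTKEY + NEWCERT + PFX + MERGE + INFO)) -gt 0 ]; then
  echo >&2 "$PROG: warning, no -n <name> given; nothing to process"
fi

# $NAMES is deliberately unquoted: it is a space-separated list built from
# repeated -n options, so names cannot contain whitespace.
for name in $NAMES; do
  if [ $GENCERTKEY -eq 1 ]; then
    echo "=> Generating new private key..."
    ( umask 077 && openssl genrsa -out "$name.key.pem" 4096 ) \
      || die "failed to generate key for $name"
    chmod 0600 "$name.key.pem"
  fi

  if [ $NEWCERT -eq 1 ]; then
    # A missing leaf config is fatal, matching the root CA check above,
    # rather than letting openssl fail on it a moment later.
    [ -f "$name.cnf" ] || die "missing config file $name.cnf"
    [ -f "$name.key.pem" ] || die "missing $name.key.pem (generate one with -g)"
    if [ ! -f "rootCA.crt.pem" ] || [ ! -f "rootCA.key.pem" ]; then
      die "missing rootCA.crt.pem / rootCA.key.pem (create them with -k -r)"
    fi
    echo "=> Generating certificate signing request..."
    if ! openssl req -new -sha256 -key "$name.key.pem" -config "$name.cnf" \
        -out "$name.csr"; then
      rm -f "$name.csr"
      die "failed to generate CSR" 3
    fi
    echo "=> Generating new certificate..."
    # Extensions come from [v3_req] in $name.cnf via -extfile, not from the
    # CSR, so SAN/keyUsage changes belong in that config section.
    # -CAcreateserial creates rootCA.srl on first use; later runs reuse it so
    # serial numbers stay unique under this CA.
    if ! openssl x509 -req -sha256 -in "$name.csr" -extfile "$name.cnf" \
        -CA "rootCA.crt.pem" -CAkey "rootCA.key.pem" \
        -CAserial "rootCA.srl" -CAcreateserial -extensions v3_req \
        -days "$DAYS" -out "$name.crt.pem"; then
      rm -f "$name.csr"
      die "failed to sign certificate for $name" 4
    fi
    rm -f "$name.csr"
    echo "=> Certificate $name.crt.pem created!"
  fi

  if [ $PFX -eq 1 ]; then
    echo "=> Converting to $name.pfx..."
    # The PKCS#12 bundle carries the private key, hence 0600 from creation.
    # pkcs12 -export prompts for the export password on the terminal.
    ( umask 077 && openssl pkcs12 -export -in "$name.crt.pem" \
        -inkey "$name.key.pem" -certfile "rootCA.crt.pem" -out "$name.pfx" ) \
      || die "failed to write $name.pfx"
    chmod 0600 "$name.pfx"
  fi

  if [ $MERGE -eq 1 ]; then
    echo "=> Merging into $name.merge.pem..."
    for part in "$name.key.pem" "$name.crt.pem" "dhparams.pem"; do
      [ -f "$part" ] || die "missing $part (needed by -m)"
    done
    # One cat over all three parts: the original redirected each part with
    # '>' in turn, so the bundle ended up containing only dhparams.pem.
    ( umask 077 && cat "$name.key.pem" "$name.crt.pem" "dhparams.pem" \
        > "$name.merge.pem" ) \
      || die "failed to build $name.merge.pem"
    chmod 0600 "$name.merge.pem"
  fi

  if [ $INFO -eq 1 ]; then
    openssl x509 -text -noout -in "$name.crt.pem"
  fi
done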