Generate self-signed certificates with a single script. Useful in LAN environments or on localhost.
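#!/usr/bin/env bash
# Generate a self-signed certificate for specified hosts
# and add it to the system keychain.
# Requires: openssl, sudo (sudo is only exercised when INSTALL_CERTS=YES)
#
# Every setting below keeps its original default but can be overridden from
# the environment without editing the script, e.g.
#   HOSTS="app.lan,10.0.0.5" INSTALL_CERTS=YES ./gencert.sh
set -euo pipefail

# Configuration
# Comma-separated host list. The first entry becomes the subject CN; every
# entry is placed in subjectAltName, which is what clients actually verify.
HOSTS="${HOSTS:-localhost,127.0.0.1}"
ORG="${ORG:-Yo Medical Files(U) Ltd}"
# 10 years. The same lifetime is used for the root CA and the leaf certificate;
# a leaked leaf key therefore stays usable for the full period, so consider a
# shorter value for the leaf when this moves beyond a lab/LAN setup.
DAYS="${DAYS:-3650}"
DEPT="${DEPT:-IT}"
# "YES" imports the root CA into the OS trust store (requires sudo).
INSTALL_CERTS="${INSTALL_CERTS:-NO}"
RSA_KEY_SIZE="${RSA_KEY_SIZE:-4096}"

# Certificate files (written to the current directory)
CERTFILE="${CERTFILE:-certfile.crt}"
KEYFILE="${KEYFILE:-keyfile.key}"
# On Debian-style systems update-ca-certificates only picks up *.crt files, so
# keep the .crt extension if you override this.
ROOTCA="${ROOTCA:-rootCA.crt}"
ROOTCAKEY="${ROOTCAKEY:-rootCA.key}"
PKCS12="${CERTFILE%.*}.p12"
# Empty by default: the .p12 bundle is then protected only by file
# permissions, so anyone who can read the file has the private key. Set a
# password for any bundle that leaves this machine.
PKCS12_PASSWORD="${PKCS12_PASSWORD:-}"

# Location details (X.509 subject fields)
COUNTRY="${COUNTRY:-UG}"
STATE="${STATE:-Kampala}"
CITY="${CITY:-Kampala}"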
# Function to check if a command exists
#######################################
# Test whether a command (binary, builtin or function) is resolvable.
# Arguments: $1 - command name
# Outputs:   nothing (command -v output is discarded)
# Returns:   0 if the command exists, 1 otherwise
#######################################
command_exists() {
  local name=$1
  if command -v "$name" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}
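#######################################
# Print an error message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
fail() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Run a command with its stdout discarded and its stderr captured. On failure
# the captured stderr is printed, so openssl diagnostics are no longer lost
# (the previous blanket 2>/dev/null made every failure abort silently).
# Arguments: $@ - command and arguments
# Returns:   the command's exit status
#######################################
run_quiet() {
  local err rc=0
  err=$("$@" 2>&1 >/dev/null) || rc=$?
  if (( rc != 0 )); then
    printf '%s\n' "$err" >&2
  fi
  return "$rc"
}

#######################################
# Emit the X.509 v3 extension body for a TLS server certificate.
# IPv4/IPv6 literals in the host list become IP: SAN entries and names
# become DNS: entries; a "DNS:127.0.0.1" entry does not match a connection
# made to that IP, which is what the old single-pattern substitution produced.
# The leaf is also explicitly marked non-CA with a serverAuth EKU.
# Arguments: $1 - comma-separated host list
# Outputs:   extension lines on stdout
# Returns:   exits via fail() when no usable host is present
#######################################
server_extensions() {
  local rest=$1 host
  local -a entries=()
  local ipv4_re='^[0-9]+(\.[0-9]+){3}$'
  while [[ -n "$rest" ]]; do
    host=${rest%%,*}
    if [[ "$rest" == *,* ]]; then rest=${rest#*,}; else rest=''; fi
    [[ -n "$host" ]] || continue
    # ':' never occurs in a hostname, so it identifies an IPv6 literal.
    if [[ "$host" =~ $ipv4_re || "$host" == *:* ]]; then
      entries+=("IP:$host")
    else
      entries+=("DNS:$host")
    fi
  done
  (( ${#entries[@]} > 0 )) || fail "HOSTS must contain at least one host"
  local IFS=','
  printf 'basicConstraints=CA:FALSE\n'
  printf 'keyUsage=digitalSignature,keyEncipherment\n'
  printf 'extendedKeyUsage=serverAuth\n'
  printf 'subjectAltName=%s\n' "${entries[*]}"
}

# Check required commands. sudo is only needed to import into the trust store,
# so a plain "generate files" run no longer demands it.
command_exists openssl || fail "openssl is required but not installed. Please install it and try again."
if [[ "$INSTALL_CERTS" == "YES" ]]; then
  command_exists sudo || fail "sudo is required for INSTALL_CERTS=YES but is not installed."
fi

# openssl writes private keys with the current umask, so tighten it before any
# file is created rather than chmod'ing afterwards (which left the keys
# world-readable until the end of the script). Public files are relaxed below.
umask 077

# Derived file names
FIRST_HOST="${HOSTS%%,*}"            # first host becomes the CN
CSR="${CERTFILE%.*}.csr"
PEMFILE="${CERTFILE%.*}.pem"
SERIAL="${ROOTCA%.*}.srl"            # written by -CAcreateserial next to the CA cert
EXTFILE=$(mktemp) || fail "mktemp failed"
# Remove intermediates on every exit path, including failures.
trap 'rm -f -- "$EXTFILE" "$CSR" "$SERIAL"' EXIT

# Generate the root CA if it doesn't exist. A CA certificate without its key
# cannot sign anything, so refuse instead of failing later at the signing step.
if [[ -f "$ROOTCA" && ! -f "$ROOTCAKEY" ]]; then
  fail "$ROOTCA exists but $ROOTCAKEY is missing; restore the key or remove the certificate."
fi
if [[ ! -f "$ROOTCA" ]]; then
  echo "Generating root CA..."
  run_quiet openssl req -new -newkey "rsa:$RSA_KEY_SIZE" -days "$DAYS" -nodes -x509 \
    -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORG/OU=$DEPT/CN=Yo Medical Files Root CA" \
    -keyout "$ROOTCAKEY" -out "$ROOTCA"
fi

# Generate the certificate signing request (CSR) for the defined hosts
echo "Generating CSR..."
run_quiet openssl req -new -newkey "rsa:$RSA_KEY_SIZE" -nodes \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORG/OU=$DEPT/CN=$FIRST_HOST" \
  -keyout "$KEYFILE" -out "$CSR"

# Sign the certificate with the root CA, attaching the server extensions.
echo "Signing certificate..."
server_extensions "$HOSTS" >"$EXTFILE"
run_quiet openssl x509 -req -extfile "$EXTFILE" \
  -days "$DAYS" -in "$CSR" -CA "$ROOTCA" -CAkey "$ROOTCAKEY" \
  -CAcreateserial -out "$CERTFILE"

# Create a PKCS12 file for importing into the system keychain. The password is
# handed over through the environment instead of argv so it does not show up
# in process listings.
echo "Creating PKCS12 file..."
export PKCS12_PASSWORD
run_quiet openssl pkcs12 -export -out "$PKCS12" -inkey "$KEYFILE" -in "$CERTFILE" \
  -certfile "$ROOTCA" -passout env:PKCS12_PASSWORD

# Also create a PEM bundle for use with nginx. It contains the private key,
# so it is treated as a secret below.
cat "$CERTFILE" "$KEYFILE" >"$PEMFILE"

# Import the root CA into the system trust store
if [[ "$INSTALL_CERTS" == "YES" ]]; then
  echo "Installing certificates..."
  os=$(uname -s)
  if [[ "$os" == "Darwin" ]]; then
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$ROOTCA"
  elif [[ "$os" == Linux* ]]; then
    # Debian-style store; update-ca-certificates only considers *.crt files.
    # Applications with their own store (e.g. Firefox) need a separate import.
    if command_exists update-ca-certificates; then
      ca_name="${ROOTCA##*/}"
      sudo cp -- "$ROOTCA" "/usr/local/share/ca-certificates/${ca_name%.*}.crt"
      sudo update-ca-certificates
    else
      printf '%s\n' "update-ca-certificates not found; import $ROOTCA into the trust store manually." >&2
    fi
  else
    echo "Unsupported operating system for automatic certificate installation." >&2
  fi
fi

echo "Certificate generation complete."
printf 'Root CA: %s\n' "$ROOTCA"
printf 'Certificate: %s\n' "$CERTFILE"
printf 'PEM File: %s\n' "$PEMFILE"
printf 'Private Key: %s\n' "$KEYFILE"
printf 'PKCS12 File: %s\n' "$PKCS12"

# Set appropriate permissions: anything holding a private key stays 600. The
# PEM bundle includes the key, so it must not be world-readable either.
chmod 600 "$KEYFILE" "$ROOTCAKEY" "$PKCS12" "$PEMFILE"
chmod 644 "$CERTFILE" "$ROOTCA"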