create self-signed server and client certificate with openssl

create-certificate.sh

#!/bin/bash

## Create self signed certificate (server and client)
##
## Combination of
##
## - https://medium.com/the-new-control-plane/generating-self-signed-certificates-on-windows-7812a600c2d8
## - https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/
##
## Configuration file: `openssl.cnf` contains information about the site being configured.
##
## Example content of `openssl.cnf`:
##
## OpenSSL root CA configuration file
##
## ---------------------------------------------------
## [req]
## distinguished_name = req_distinguished_name
## x509_extensions = v3_req
## prompt = no
##
## [req_distinguished_name]
## C = DE
## #ST =
## #L =
## #O =
## #OU =
## CN = your-domain.com
##
## [v3_req]
## keyUsage = critical, digitalSignature, keyAgreement
## extendedKeyUsage = serverAuth
## subjectAltName = @alt_names
##
## [alt_names]
## DNS.1 = your-domain.com
## DNS.2 = www.your-domain.com
##
## ---------------------------------------------------


OUTPUT_FOLDER="output"

[ ! -d ${OUTPUT_FOLDER} ] && mkdir ${OUTPUT_FOLDER}

## Generate CA certificate.
## Output: ca.key and ca.cer
##
echo -e "\n==> Generating CA certificate..."
## NOTE: Remove the `-nodes` flag if you want to enter a passphrase
openssl req \
    -newkey rsa:4096 \
    -keyform PEM \
    -keyout ${OUTPUT_FOLDER}/ca.key \
    -x509 \
    -days 3650 \
    -outform PEM \
    -out ${OUTPUT_FOLDER}/ca.cer \
    -config openssl.cnf \
    -nodes

## Generate server SSL key and certificate
##
## server private key
## Output: server.key
##
echo -e "\n==> Generating ssl key and certificate..."
openssl genrsa \
    -out ${OUTPUT_FOLDER}/server.key 4096

## Use server private key (`server.key`) to generate a certificate generation request
##
## Output: server.req
##
echo -e "\n==> Generating certificate generation request..."
openssl req \
    -new -key ${OUTPUT_FOLDER}/server.key \
    -out ${OUTPUT_FOLDER}/server.req \
    -sha256 \
    -config openssl.cnf

## Use the certificate generation request and the CA cert to generate the server cert
##
## Output: server.cer
##
echo -e "\n==> Generating server certificate..."
openssl x509 \
    -req \
    -in ${OUTPUT_FOLDER}/server.req \
    -CA ${OUTPUT_FOLDER}/ca.cer \
    -CAkey ${OUTPUT_FOLDER}/ca.key \
    -set_serial 100 \
    -extensions server \
    -days 1460 \
    -outform PEM \
    -out ${OUTPUT_FOLDER}/server.cer \
    -sha256

## Cleanup
rm ${OUTPUT_FOLDER}/server.req

## Generate client certificate
##
## Generate a private key for the SSL client
##
## Output: client.key
##
echo -e "\n==> Generating private key for ssl client..."
openssl genrsa \
    -out ${OUTPUT_FOLDER}/client.key 4096

## Use the client’s private key to generate a cert request
##
## Output: client.req
##
echo -e "\n==> Generating client certificate request..."
## NOTE: Remove the `-nodes` flag if you want to enter a passphrase
openssl req \
    -new -key ${OUTPUT_FOLDER}/client.key \
    -out ${OUTPUT_FOLDER}/client.req \
    -config openssl.cnf \
    -nodes

## Issue the client certificate using the cert request and the CA cert/key. 
##
## Output: client.cer
##
echo -e "\n==> Generating client certificate..."
openssl x509 \
    -req -in ${OUTPUT_FOLDER}/client.req \
    -CA ${OUTPUT_FOLDER}/ca.cer \
    -CAkey ${OUTPUT_FOLDER}/ca.key \
    -set_serial 101 \
    -extensions client \
    -days 365 \
    -outform PEM \
    -out ${OUTPUT_FOLDER}/client.cer

## Convert the client certificate and private key to pkcs#12 format for use by browsers.
##
## Output: client.p12
##
echo -e "\n==> Converting client certificate to pkcs#12..."
## NOTE: Remove the `-passout pass:` flag if you want to enter an export passphrase
openssl pkcs12 \
    -export \
    -inkey ${OUTPUT_FOLDER}/client.key \
    -in ${OUTPUT_FOLDER}/client.cer \
    -out ${OUTPUT_FOLDER}/client.p12 \
    -passout pass:

## Cleanup
rm \
    ${OUTPUT_FOLDER}/client.key \
    ${OUTPUT_FOLDER}/client.cer \
    ${OUTPUT_FOLDER}/client.req