Script to create Self-Signed CA and Server Cert (using the CA)
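#!/usr/bin/env bash
# Create a self-signed root CA and a server certificate signed by it, then
# package both as PKCS#12 (.pfx) bundles.
# Requires bash and an openssl binary on PATH. Edit the parameter block
# below, then run; all files are written to the current directory.
set -euo pipefail

command -v openssl >/dev/null 2>&1 || { printf 'openssl not found in PATH\n' >&2; exit 1; }
# Every output file (keys, certs, pfx bundles) is created with -out and
# inherits the umask, so tighten it before anything is written: the .key
# and .pfx files hold private key material and must not be group/world
# readable.
umask 077

# Parameters for the Root CA Certificate (Self-Signed)
# Please Modify this according to your needs
CA_KEY_SIZE="4096"
# CA Certificate Subject Parameters
# Please Modify these according to your needs
C="SA"
ST="Riyadh"
O="Acme.com"
OU="PA"
CN="PA-AD CA"
# Parameters for the Server Cert
# Please Modify this according to your needs
CERT_KEY_SIZE="2048"
# Server Certificate Subject Parameters
# Please Modify these according to your needs
C_C="SA"
C_ST="Riyadh"
C_O="Acme.com"
C_OU="PA"
# Pay special attention to the CN Field (should be the FQDN of the server)
C_CN="pa-ad.acme.com"
# Specify any SANs you want here. Modern clients ignore the CN and match
# only subjectAltName, so the FQDN itself is always emitted as DNS.1.
# Hostnames go in SAN_DNS, addresses in SAN_IP: an IP address listed as a
# DNS entry does not match when a client connects by address.
C_SAN1="pa-ad"
C_SAN2="192.168.45.65"
SAN_DNS=("$C_CN" "$C_SAN1")
SAN_IP=("$C_SAN2")
### Output File Names ###
# Please Modify these according to your needs
CA_CRT_FILE="pa-ad-ca.crt"
CA_KEY_FILE="pa-ad-ca.key"
CERT_KEY_FILE="$C_CN.key"
CERT_CSR_FILE="$C_CN.csr"
CERT_FILE="$C_CN.crt"
CA_PFX_FILE="pa-ad-ca.pfx"
CERT_PFX_FILE="$C_CN.pfx"
# PFX passwords: taken from the environment when already set, otherwise the
# placeholders below. They are handed to openssl through env: rather than
# as pass:... arguments, so they do not appear in the process argument list.
CA_PFX_PASS="${CA_PFX_PASS:-yourpassword-changethis}"
CERT_PFX_PASS="${CERT_PFX_PASS:-yourpassword-changethis}"
export CA_PFX_PASS CERT_PFX_PASS
# CA Cert Validity (days)
DURATION="7300"
# Server Cert Validity (days)
CERT_DURATION="3650"

#######################################
# Print numbered subjectAltName entries for an [alt_names] section.
# Arguments: $1 - entry type ("DNS" or "IP"); remaining args - values
# Outputs:   one "TYPE.n = value" line per value, n starting at 1
#######################################
san_entries() {
  local kind=$1
  shift
  local n=1 value
  for value in "$@"; do
    printf '%s.%d = %s\n' "$kind" "$n" "$value"
    n=$((n + 1))
  done
}

# Temporary openssl config shared by the CSR and the signing step; removed
# on any exit path.
REQ_CONF=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -f -- "$REQ_CONF"' EXIT
{
  printf '[ req ]\ndefault_bits = %s\nprompt = no\ndefault_md = sha256\n' "$CERT_KEY_SIZE"
  printf 'req_extensions = req_ext\ndistinguished_name = dn\n\n'
  printf '[ dn ]\nC=%s\nST=%s\nO=%s\nOU=%s\nCN=%s\n\n' "$C_C" "$C_ST" "$C_O" "$C_OU" "$C_CN"
  printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n'
  printf '[ alt_names ]\n'
  # ${arr[@]+"${arr[@]}"} keeps set -u happy on an empty array in older bash.
  san_entries DNS ${SAN_DNS[@]+"${SAN_DNS[@]}"}
  san_entries IP ${SAN_IP[@]+"${SAN_IP[@]}"}
} > "$REQ_CONF"

# Generate a Private Key to use for the CA
openssl genrsa -out "$CA_KEY_FILE" "$CA_KEY_SIZE"
# Create the CA Certificate
# NOTE(review): the CA's extensions (basicConstraints, keyUsage) come from
# the system openssl.cnf defaults here — confirm the result shows CA:TRUE
# with `openssl x509 -in "$CA_CRT_FILE" -noout -text`.
openssl req -x509 -new -nodes -key "$CA_KEY_FILE" \
  -subj "/C=$C/ST=$ST/O=$O/OU=$OU/CN=$CN" \
  -sha512 -days "$DURATION" -out "$CA_CRT_FILE"

# Generate a Server Certificate signed by above CA
# Step-1 Generate a key for this certificate
openssl genrsa -out "$CERT_KEY_FILE" "$CERT_KEY_SIZE"
# Step-2 Generate a CSR to be signed by the CA created above
openssl req -new -sha256 -nodes -out "$CERT_CSR_FILE" -key "$CERT_KEY_FILE" \
  -config "$REQ_CONF"
# Step-3 Sign the Certificate based on the CSR and save it.
# `openssl x509 -req` does not copy extensions from the CSR, so the SAN
# section is supplied again via -extfile/-extensions; without this the
# issued certificate carries no subjectAltName at all and clients that
# require a SAN reject it.
openssl x509 -req -in "$CERT_CSR_FILE" -CA "$CA_CRT_FILE" -CAkey "$CA_KEY_FILE" \
  -CAcreateserial -out "$CERT_FILE" -days "$CERT_DURATION" -sha512 \
  -extfile "$REQ_CONF" -extensions req_ext

# Package the CA and Server Certs as PKCS12 (.pfx) files
# Export the CA PFX
printf 'Generating CA PFX File: %s\n' "$CA_PFX_FILE"
openssl pkcs12 -export -out "$CA_PFX_FILE" -inkey "$CA_KEY_FILE" -in "$CA_CRT_FILE" \
  -passout env:CA_PFX_PASS
# Export the Server Cert PFX
printf 'Generating Server Cert PFX File: %s\n' "$CERT_PFX_FILE"
openssl pkcs12 -export -out "$CERT_PFX_FILE" -inkey "$CERT_KEY_FILE" -in "$CERT_FILE" \
  -certfile "$CA_CRT_FILE" -passout env:CERT_PFX_PASS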
Useful little one-shot (modify and execute) script to create a self-signed CA and a server cert signed by that CA via OpenSSL. Bash and OpenSSL are required.