generate self signed cert + PKCS12
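#!/bin/bash
# 2017 - Gordon Young : [email protected]
# Bash shell script for generating self-signed certs.
# Script accepts a single argument, the fqdn (DNS name) for the cert
# ./gencert.sh www.test.local
#
# Outputs, in the current directory: <domain>.crt and <domain>.p12.
# The encrypted private key and the CSR are intermediate files and are
# removed once the key and certificate have been packaged into the PKCS#12.
# The PKCS#12 password is printed to stdout (it is the only copy).
set -euo pipefail

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print the number of whole days from now until 2030-01-01, rounded up.
# For RSA the validity period ends in the year 2030; see the date table
# for the RSA modulus: https://www.keylength.com/en/4/
# Mac (BSD) and Linux (GNU) date commands take different arguments, so the
# platform is dispatched on uname; any other platform is rejected here so
# that openssl never receives an empty -days argument.
days_until_2030() {
  local uname_s now target
  uname_s=$(uname -s)
  now=$(date +%s)
  case "$uname_s" in
    Linux*)  target=$(date -d 2030/01/01 +%s) ;;
    Darwin*) target=$(date -jf %m%d%Y 01012030 +%s) ;;
    # TODO: Cygwin/MSYS ship GNU date and could use the Linux form.
    *)       die "Unsupported platform for date arithmetic: $uname_s" ;;
  esac
  printf '%d\n' $(( (target - now + 86399) / 86400 ))
}

#######################################
# Generate an encrypted RSA key, a self-signed cert and a PKCS#12 bundle.
# Arguments: $1 - fqdn (DNS name) used as commonName, subjectAltName and
#                 output file prefix
# Outputs:   the PKCS#12 password on stdout
# Returns:   11 on missing argument; 1 on any other failure
#######################################
main() {
  local domain=${1:-}
  if [[ -z "$domain" ]]; then
    echo "Usage: $(basename "$0") <domain>" >&2
    exit 11
  fi
  # The domain is used as a file name and inside the subject and SAN;
  # restrict it to hostname characters (plus '*' for wildcard certs) so a
  # '/' cannot inject extra RDNs or path components.
  [[ "$domain" =~ ^[A-Za-z0-9.*_-]+$ ]] || die "Invalid domain name: $domain"

  local validity
  validity=$(days_until_2030) || exit 1
  (( validity > 0 )) || die "2030-01-01 is already in the past; nothing to issue"

  # Write a temporary file holding the x.509 extensions; removed on exit.
  local xtns
  xtns=$(mktemp "${TMPDIR:-/tmp}/xtns.XXXXXX") || die "mktemp failed"
  # shellcheck disable=SC2064 — expand now; xtns is a local
  trap "rm -f -- '$xtns'" EXIT
  cat <<EOM >"$xtns"
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Modern clients ignore commonName and require a subjectAltName
subjectAltName = DNS:$domain
EOM

  # Use a UUID as a passphrase. It is exported so openssl can read it with
  # the env: form instead of pass: on argv, where it would be visible to
  # every user via ps.
  PASSPHRASE=$(uuidgen) || die "uuidgen failed"
  export PASSPHRASE
  printf 'P12 Password is: %s\n' "$PASSPHRASE"

  # Certificate details; replace the O / OU values with your own info
  local subj="/O=Acme, Inc./organizationalUnitName=Acme Engineering Team/commonName=$domain"

  # Generate the server private key
  openssl genrsa -aes256 -passout env:PASSPHRASE -out "$domain.key" 2048
  # Generate the CSR. (The original had a stray trailing backslash after
  # -out, which swallowed the following cp line into this command.)
  openssl req \
    -new \
    -batch \
    -subj "$subj" \
    -key "$domain.key" \
    -passin env:PASSPHRASE \
    -out "$domain.csr"
  # Generate the cert (valid until 2030-01-01)
  openssl x509 -req -sha256 -days "$validity" -in "$domain.csr" \
    -extensions v3_req -extfile "$xtns" \
    -signkey "$domain.key" -passin env:PASSPHRASE -out "$domain.crt"
  # Package as PKCS#12 and clean up the intermediate files
  openssl pkcs12 -export -out "$domain.p12" -passout env:PASSPHRASE \
    -inkey "$domain.key" -passin env:PASSPHRASE -in "$domain.crt"
  rm -f -- "$domain.key" "$domain.csr"
}

main "$@"
# EOD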