generate self-signed ssl cert
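#!/bin/bash
# original url: http://www.jamescoyle.net/how-to/1073-bash-script-to-create-an-ssl-certificate-key-and-request-csr
set -e
set -x
# Common name defaults to the first argument; without one, fall back to the
# system hostname. A missing/unreadable /etc/hostname leaves $domain empty so
# the usage check further down reports it, instead of set -e aborting on a
# bare "cat" failure with no explanation.
domain="${1-$(cat /etc/hostname 2>/dev/null || :)}"
commonname="$domain"

#######################################
# Test whether a string is a dotted-quad IPv4 address: exactly four decimal
# octets, each in 0-255. Pure bash; replaces the former python one-liner,
# which also wrongly rejected any 0 octet (so 10.0.0.1 was treated as a
# hostname).
# Arguments: $1 - candidate string
# Returns:   0 if it is an IPv4 address, 1 otherwise
#######################################
is_ipv4() {
  local candidate=$1 octet
  [[ "$candidate" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
  local IFS=.
  for octet in $candidate; do
    # 10# forces decimal so a leading zero is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# If the domain is an IP it must also be carried as an IP SAN; anything else
# is treated as a hostname. The DNS SAN suffix is site-specific: override it
# with SAN_DOMAIN_SUFFIX (unset keeps the original ".adept.local"; an empty
# value disables the suffix).
# NOTE(review): most TLS clients match the name against the SAN only, so with
# the default suffix a certificate requested for "foo" is valid for
# "foo.adept.local" but not for "foo" itself.
if is_ipv4 "$domain"; then
  # ip
  SAN="IP:$domain"
else
  # hostname
  SAN="DNS:$domain${SAN_DOMAIN_SUFFIX-.adept.local}"
fi
export SAN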
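#######################################
# Print a message on stderr; stdout is reserved for the PEM output so the
# key/cert can be redirected cleanly. printf avoids echo's option parsing
# (a message of "-n" or "-e" would otherwise be swallowed).
# Arguments: $1 - message
#######################################
errcho() {
  printf '%s\n' "$1" >&2
}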
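#######################################
# Emit $1 random uppercase ASCII letters from /dev/urandom, no trailing
# newline. Reading the device directly drops the useless "cat".
# Arguments: $1 - number of letters
# Outputs:   the letters on stdout
# Note: tr is ended by SIGPIPE once head has enough input; the pipeline's
# status is head's, so this is fine under set -e but would trip pipefail.
#######################################
rand_letters() {
  tr -dc 'A-Z' </dev/urandom | head -c "$1"
}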
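# Fail early, before any random data is read or files are written. Diagnostics
# go to stderr so they never end up in a redirected key/cert stream.
if [[ -z "$domain" ]]; then
  printf '%s\n' "Argument not present." >&2
  printf 'Usage: %s [common name]\n' "$0" >&2
  exit 99
fi
# Change to your company details
# NOTE(review): with the CSR block below commented out, the active
# "openssl req" sets only /CN, so country/state/locality/organization/OU/email
# are currently unused. Kept so a restored CSR step still finds them.
country=$(rand_letters 2)
state=$(rand_letters 2)
locality=None
organization=None
organizationalunit=None
email="None@$domain"
# Optional. Only used as the PKCS#12 export password below; the PEM key is
# written without a passphrase (-nodes).
password=password
errcho "Generating key request for $domain"
# The former "openssl genrsa -des3 ... / openssl rsa -in ... -out" pair was
# removed: "openssl req -newkey ... -keyout" below overwrites $domain.key, so
# the passphrase-protected key it produced never survived, while its passphrase
# showed up in argv and in the set -x trace.
# # Create the request
# errcho "Creating CSR"
# CONFIG="[req]
# prompt = no
# req_extensions = v3_req
# distinguished_name = req_distinguished_name
# [req_distinguished_name]
# C = $country
# ST = $state
# L = $locality
# O = $organization
# OU = $organizationalunit
# CN = $commonname
# emailAddress = $email
# [v3_req]
# basicConstraints = CA:FALSE
# keyUsage = digitalSignature, keyEncipherment
# subjectAltName = @alt_names
# [alt_names]
# DNS.1 = $domain
# IP.1 = $domain
# "
# openssl req -new \
# -key $domain.key \
# -passin pass:$password \
# -extensions v3_req \
# -config <(echo "$CONFIG") \
# -out $domain.csr
# Minimal config: the subject comes from -subj, the extensions from [ ext ].
# NOTE(review): CA:TRUE on a self-signed end-entity certificate is unusual
# (leaf certs normally carry CA:FALSE); anyone who trusts this cert also
# trusts its key to issue end-entity certificates (pathlen:0 only blocks
# further sub-CAs). Left as-is because changing it changes what the cert
# asserts.
# NOTE(review): $SAN and $commonname are spliced into the config and -subj
# unescaped; a value containing "/" or a newline can alter the subject or the
# config. Validate the argument if it can come from an untrusted source.
CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
subjectAltName=$SAN
"
# No -days is given, so openssl's default validity for "req -x509" applies
# (30 days). -nodes writes the private key unencrypted; the file mode follows
# the current umask, so tighten it (umask 077) before running if needed.
openssl req -config <(printf '%s\n' "$CONFIG") -new -newkey rsa:2048 -nodes \
  -subj "/CN=$commonname" -x509 -extensions ext \
  -keyout "$domain.key" -out "$domain.crt"
# errcho "Self signing"
# openssl x509 -req -days 365 -in $domain.csr -signkey $domain.key -out $domain.crt
if [[ "${GEN_CERT_PKCS12:-0}" -eq 1 ]]; then
  # maybe you need a single keystore file
  # Export password taken from $password (same default "password" as before)
  # instead of a second hard-coded literal, so there is one place to change it.
  openssl pkcs12 -export -in "$domain.crt" -inkey "$domain.key" \
    -out "$domain.pkcs12" -password "pass:$password"
  rm -- "$domain.crt" "$domain.key"
else
  # normal output, nice for catting somewhere
  # NOTE: stdout carries the unencrypted private key followed by the cert.
  # cat $domain.csr
  cat -- "$domain.key" "$domain.crt"
fi
# rm $domain.csr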