Skip to content

Instantly share code, notes, and snippets.

@igolaizola

igolaizola/gencacert.sh

Last active June 18, 2021 07:48
Show Gist options
  • Save igolaizola/0b3cbd306cbef6cfa7633100259ea65b to your computer and use it in GitHub Desktop.
Save igolaizola/0b3cbd306cbef6cfa7633100259ea65b to your computer and use it in GitHub Desktop.
Download ZIP
Generate a server certificate
Raw
gencacert.sh
#!/bin/bash
#
# Generate certificate
#
# Example local:
# ./gencacert.sh acme.dev "/C=US/ST=CA/L=Acme City/O=ACME/CN=acme.dev"
# Example remote:
# curl -sSfL https://gist.githubusercontent.com/igolaizola/0b3cbd306cbef6cfa7633100259ea65b/raw/gencacert.sh | bash -s acme.dev "/C=US/ST=CA/L=Acme City/O=ACME/CN=acme.dev"
#
# If you get an error similar to "Can't load /home/user/.rnd into RNG"
# try commenting RANDFILE on your /etc/ssl/openssl.cnf
#
NAME="${1:-acme.dev}"
SUBJECT="${2:-/C=US/ST=CA/L=Acme City/O=ACME/CN=acme.dev}"
openssl req \
-new \
-newkey ec:<(openssl ecparam -name prime256v1) \
-x509 \
-days 3650 \
-nodes \
-subj "$SUBJECT CA" \
-reqexts data \
-extensions data \
-config <(cat /etc/ssl/openssl.cnf <(printf '
[data]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign
')) \
-keyout "$NAME-ca-key.pem" \
-out "$NAME-ca.pem" \
openssl req \
-new \
-newkey ec:<(openssl ecparam -name prime256v1) \
-nodes \
-subj "$SUBJECT" \
-reqexts data \
-extensions data \
-config <(cat /etc/ssl/openssl.cnf <(printf '
[data]
keyUsage=digitalSignature,keyEncipherment,nonRepudiation
extendedKeyUsage=serverAuth
subjectAltName=DNS:%s
' "$NAME")) \
-keyout "$NAME-key.pem" \
-out "$NAME-req.pem"
openssl x509 -req \
-in "$NAME-req.pem" \
-CA "$NAME-ca.pem" \
-CAkey "$NAME-ca-key.pem" \
-CAcreateserial \
-out "$NAME.pem" \
-days 365 \
-sha256 \
-extensions data \
-extfile <(cat /etc/ssl/openssl.cnf <(printf '
[data]
keyUsage=digitalSignature,keyEncipherment,nonRepudiation
extendedKeyUsage=serverAuth
subjectAltName=DNS:%s
' "$NAME"))
# Generate pkcs1 version of keys
openssl ec -in "$NAME-ca-key.pem" -out "$NAME-ca-key-pkcs1.pem"
openssl ec -in "$NAME-key.pem" -out "$NAME-key-pkcs1.pem"
# Generate public keys
openssl ec -in "$NAME-key-pkcs1.pem" -pubout -out "$NAME-pub-key.pem"
Raw
gencert.sh
#!/bin/bash
#
# Generate certificate
#
# Example local:
# ./gencert.sh acme.dev "/C=US/ST=CA/L=Acme City/O=ACME/CN=acme.dev"
# Example remote:
# curl -sSfL https://gist.githubusercontent.com/igolaizola/0b3cbd306cbef6cfa7633100259ea65b/raw/gencert.sh | bash -s acme.dev "/C=US/ST=CA/L=Acme City/O=ACME/CN=acme.dev"
#
# If you get an error similar to "Can't load /home/user/.rnd into RNG"
# try commenting RANDFILE on your /etc/ssl/openssl.cnf
#
NAME="${1:-acme.dev}"
SUBJECT="${2:-/C=US/ST=CA/L=Acme City/O=ACME/CN=acme.dev}"
openssl req \
-new \
-x509 \
-days 3650 \
-newkey ec:<(openssl ecparam -name prime256v1) \
-nodes \
-subj "$SUBJECT" \
-reqexts data \
-extensions data \
-config <(cat /etc/ssl/openssl.cnf <(printf '
[data]
keyUsage=digitalSignature,keyEncipherment,nonRepudiation
extendedKeyUsage=serverAuth
subjectAltName=DNS:%s
' "$NAME")) \
-keyout "$NAME-key.pem" \
-out "$NAME.pem"
# Generate pkcs1 version of key
openssl ec -in "$NAME-key.pem" -out "$NAME-key-pkcs1.pem"
# Generate public keys
openssl ec -in "$NAME-key-pkcs1.pem" -pubout -out "$NAME-pub-key.pem"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment