nginx
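#!/bin/bash
# Create a private root CA: an AES-256-encrypted RSA-4096 key and a
# self-signed CA certificate valid for 1826 days (~5 years), written to
# ./RootCA/<CA name>-RootCA.key and ./RootCA/<CA name>-RootCA.crt.
#
# Usage: $0 <CA name>
# The CA name is used as a file-name prefix and inside the certificate
# subject (O / CN), so it is checked against a safe character set before
# it is interpolated into the generated OpenSSL config.
set -euo pipefail

CANAME=${1:-}
#CANAME=Daedalus
if [[ -z "$CANAME" ]]; then
  printf 'Usage: %s <CA name>\n' "$0" >&2
  exit 1
fi
# The name ends up in a path and in a config file that OpenSSL parses;
# reject anything that could add config lines or path components.
name_re='^[A-Za-z0-9][A-Za-z0-9._ -]*$'
if [[ ! "$CANAME" =~ $name_re ]]; then
  printf 'error: CA name may contain only letters, digits, space, ".", "_" and "-"\n' >&2
  exit 1
fi

# Every file created below is owner-only; the public certificate is
# relaxed at the end. This keeps the CA key from ever being readable by
# other users, even for the moment before openssl finishes writing it.
umask 077

# optional, create a directory
mkdir -p RootCA
cd RootCA || exit 1

KEY_FILE="$CANAME-RootCA.key"
CRT_FILE="$CANAME-RootCA.crt"
CONFIG_FILE="$CANAME-RootCA.config.txt"

# generate aes encrypted private key (openssl prompts for the passphrase)
printf '=========== Generating CA key ===========\n'
openssl genrsa -aes256 -out "$KEY_FILE" 4096

# [v3_ca] marks the certificate as a CA explicitly instead of relying on
# whatever default extensions the installed OpenSSL version adds.
cat > "$CONFIG_FILE" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = TW
ST = Taiwan
L = Taipei city
O = $CANAME Corp.
OU = IT
CN = $CANAME Corp
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# create certificate, 1826 days = 5 years
printf '=========== Generating CA certificate ===========\n'
openssl req -x509 -new -nodes -key "$KEY_FILE" -sha256 -days 1826 \
  -out "$CRT_FILE" -config "$CONFIG_FILE"
# The certificate is public and is distributed to clients; the key stays 0600.
chmod 644 "$CRT_FILE"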
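#!/bin/bash
# Issue a server certificate signed by an existing private root CA.
# Writes <cwd>/SiteCerts/<cert name>.{config.txt,csr,key,crt}; the
# certificate carries subjectAltName entries for <cert name> and
# *.<cert name> and is valid for 730 days.
#
# Usage: $0 <cert name> <rootca.crt> <rootca.key>
# <cert name> is a DNS name: it becomes the CN, the SAN entries and the
# file-name prefix, so it is restricted to DNS-safe characters before it
# is interpolated into the generated OpenSSL config.
set -euo pipefail

MYCERT=${1:-}
ROOTCA_CRT=${2:-}
ROOTCA_KEY=${3:-}
#MYCERT=m-key.dev
if [[ -z "$MYCERT" || -z "$ROOTCA_CRT" || -z "$ROOTCA_KEY" ]]; then
  printf 'Usage: %s <cert name> <rootca.crt> <rootca.key>\n' "$0" >&2
  exit 1
fi
name_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$MYCERT" =~ $name_re ]]; then
  printf 'error: cert name must be a DNS name (letters, digits, ".", "-")\n' >&2
  exit 1
fi
# Fail before generating anything if the CA material is not readable.
for f in "$ROOTCA_CRT" "$ROOTCA_KEY"; do
  if [[ ! -r "$f" ]]; then
    printf 'error: cannot read %s\n' "$f" >&2
    exit 1
  fi
done

# The new private key is written unencrypted (-nodes), so every file we
# create is owner-only; the public CSR and certificate are relaxed below.
umask 077

# optional, create a directory
MYCERT_PATH=$PWD/SiteCerts
mkdir -p "$MYCERT_PATH"
CONFIG_FILE="$MYCERT_PATH/$MYCERT.config.txt"
KEY_FILE="$MYCERT_PATH/$MYCERT.key"
CSR_FILE="$MYCERT_PATH/$MYCERT.csr"
CRT_FILE="$MYCERT_PATH/$MYCERT.crt"

# create a v3 ext file for SAN properties.
# [v3_req] is used twice: via req_extensions when the CSR is built, and
# by name (-extensions v3_req) when the CA signs, because
# "openssl x509 -req -extfile" does not look at the [req] section and
# would otherwise emit a certificate without a subjectAltName.
# default_md is listed once (sha256); the original file set it twice and
# only the last value took effect.
printf '=========== Creating v3 ext file ===========\n'
cat > "$CONFIG_FILE" <<EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = v3_req
distinguished_name = dn
[dn]
C = TW
ST = Taiwan
L = Taipei city
O = $MYCERT Corp.
OU = Development
emailAddress = devops@$MYCERT
CN = $MYCERT
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.$MYCERT
DNS.2 = $MYCERT
EOF

# create certificate for service
printf '=========== Generating certificate for service ===========\n'
openssl req -new -nodes -out "$CSR_FILE" -newkey rsa:4096 \
  -keyout "$KEY_FILE" -config "$CONFIG_FILE"
printf '=========== Signing certificate for service ===========\n'
# -extensions v3_req is what actually copies the SAN into the signed
# certificate; current browsers ignore a CN-only certificate.
openssl x509 -req -in "$CSR_FILE" -CA "$ROOTCA_CRT" -CAkey "$ROOTCA_KEY" \
  -CAcreateserial -out "$CRT_FILE" -days 730 -sha256 \
  -extfile "$CONFIG_FILE" -extensions v3_req
# CSR and certificate are public; the key keeps its owner-only mode.
chmod 644 "$CSR_FILE" "$CRT_FILE"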
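#!/usr/bin/env bash
# Create a self-signed wildcard certificate covering all subdomains of a
# domain. Writes certs/<domain>.{key,crt,info} plus <domain>.config.txt
# in the current directory; the certificate carries subjectAltName
# entries for <domain> and *.<domain>.
#
# Usage: $0 <domain>
set -euo pipefail

# Set the TLD domain we want to use
BASE_DOMAIN=${1:-}
if [[ -z "$BASE_DOMAIN" ]]; then
  printf 'Usage: %s <domain>\n' "$0" >&2
  exit 1
fi
# The domain is interpolated into the generated config and into file
# names; accept DNS-safe characters only.
name_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$BASE_DOMAIN" =~ $name_re ]]; then
  printf 'error: domain may contain only letters, digits, "." and "-"\n' >&2
  exit 1
fi
# Days for the cert to live
DAYS=1095
# Output directory (created below; it was previously assumed to exist)
CERT_DIR=certs
# Generated configuration file
CONFIG_FILE="$BASE_DOMAIN.config.txt"
# The file name can be anything
FILE_NAME="$BASE_DOMAIN"

# The key is written unencrypted (-nodes), so no passphrase is involved;
# keep everything owner-only until the public files are relaxed at the end.
umask 077
mkdir -p "$CERT_DIR"

cat > "$CONFIG_FILE" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
[dn]
C = TW
ST = Taiwan
L = Taipei
O = chain security Corp
OU = Development
emailAddress = devops@$BASE_DOMAIN
CN = $BASE_DOMAIN
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.$BASE_DOMAIN
DNS.2 = $BASE_DOMAIN
EOF

# Previous output is not deleted, only overwritten by openssl below; say
# so instead of silently replacing it. Without a glob match the array
# holds the literal pattern, which -e rejects.
existing=("$CERT_DIR/$FILE_NAME".*)
if [[ -e "${existing[0]}" ]]; then
  printf 'Overwriting existing certs: %s\n' "${existing[*]}"
fi

printf 'Generating certs for %s\n' "$BASE_DOMAIN"
# Generate our Private Key and self-signed Certificate
# Use SHA-2 as SHA-1 is unsupported from Jan 1, 2017
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes \
  -keyout "$CERT_DIR/$FILE_NAME.key" -days "$DAYS" \
  -out "$CERT_DIR/$FILE_NAME.crt" -config "$CONFIG_FILE"
# OPTIONAL - write an info to see the details of the generated crt
openssl x509 -noout -fingerprint -text < "$CERT_DIR/$FILE_NAME.crt" > "$CERT_DIR/$FILE_NAME.info"
# Protect the key; the certificate and its info dump are public.
chmod 400 "$CERT_DIR/$FILE_NAME.key"
chmod 644 "$CERT_DIR/$FILE_NAME.crt" "$CERT_DIR/$FILE_NAME.info"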