gen_ssl_cert

README.md

gen_ssl_cert

This script generates a self-signed SSL certificate which can be used for developing web applications on your local machine. The certificate will be generated using RSA-4096 and SHA512.

Installation

Copy these two files somewhere convenient; e.g. ~/bin.

Edit openssl.cnf if you have any particular requirements.

The private key and certificate are saved to ${HOME}/.ssl/certs by default. Change the PRIVATE_DIR variable in the script to save the files somewhere else. The PRIVATE_DIR directory is created if it doesn't exist.

The private key and certificate files are named ${MACHINE_NAME}-self_signed.key and ${MACHINE_NAME}-self_signed.pem, respectively. MACHINE_NAME defaults to the value returned by the command hostname -s.

Execute the following to make the script executable:

$ chmod a+x gen_ssl_cert.sh

Use

To use, just execute the shell script:

$ gen_ssl_cert.sh

The CA DN fields are set to dummy defaults to make the generation process as automatic as possible.

After generation you can use the self-signed certificates however you please.

gen_ssl_cert.sh

#!/usr/bin/env bash

SOURCE="${BASH_SOURCE[0]}"

# While ${SOURCE} is a symlink, resolve it.
while [ -h "${SOURCE}" ]; do
  DIR="$( cd -P "$( dirname "${SOURCE}" )" && pwd )"
  SOURCE="$( readlink "${SOURCE}" )"

  # If ${SOURCE} was a relative symlink, so no '/' as prefix, need to resolve it relative to the symlink base directory.
  [[ "${SOURCE}" != /* ]] && SOURCE="${DIR}/${SOURCE}"
done
DIR="$( cd -P "$( dirname "${SOURCE}" )" && pwd )"

# Save the ${HOST} variable if it is set.
if [ ! -z "${HOST+x}" ]; then
  GSC_OLD_HOST="${HOST}"
fi

# Save the ${MACHINE_NAME} variable if it is set.
if [ ! -z "${MACHINE_NAME+x}" ]; then
  GSC_OLD_MACHINE_NAME="${MACHINE_NAME}"
fi

# Export these variables so that openssl can see them.
export HOST="$( ifconfig | grep "inet " | grep -v 127.0.0.1 | cut -f 2 -d ' ' )"
export MACHINE_NAME="$( hostname -s )"

PRIVATE_DIR="${HOME}/.ssl/certs"
CERT_NAME="${MACHINE_NAME}-self_signed"

# Make the ${PRIVATE_DIR} directory if it doesn't exist.
if [[ ! -e "${PRIVATE_DIR}" ]]; then
  mkdir -p "${PRIVATE_DIR}"
fi

# Change into the ${PRIVATE_DIR} directory and create the private key and certificate.
cd "${PRIVATE_DIR}"
openssl genrsa -out "${CERT_NAME}.key" 4096
printf "\n\n\n\n\n\n\n" | openssl req -new -x509 -key "${CERT_NAME}.key" -sha512 -out "${CERT_NAME}.pem" -days 730 -extensions v3_req -config "${DIR}/openssl.cnf" && echo

# Unset or restore the ${HOST} variable.
if [ -z "${GSC_OLD_HOST+x}" ]; then
  unset HOST
else
  export HOST="${GSC_OLD_HOST}"
fi

# Unset or restore the ${HOST} variable.
if [ -z "${GSC_OLD_MACHINE_NAME+x}" ]; then
  unset MACHINE_NAME
else
  export MACHINE_NAME="${GSC_OLD_MACHINE_NAME}"
fi

openssl.cnf

# This definition stops the following lines choking if HOME isn't defined.
HOME     = .
RANDFILE = ${ENV::HOME}/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file    = ${ENV::HOME}/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the "openssl x509" utility, name here the section
# containing the X.509v3 extensions to use:
#extensions =
# (Alternatively, use a configuration file that has only X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
#testoid1 = 1.2.3.4
# Or use config file substitution like this:
#testoid2 = ${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################

[ ca ]
default_ca = CA_default # The default ca section

####################################################################

[ CA_default ]
dir            = ./demoCA         # Where everything is kept
certs          = ${dir}/certs     # Where the issued certs are kept
crl_dir        = ${dir}/crl       # Where the issued crl are kept
database       = ${dir}/index.txt # database index file.
#unique_subject = no               # Set to 'no' to allow creation of several ctificates with same subject.
new_certs_dir  = ${dir}/newcerts  # default place for new certs.

certificate = ${dir}/cacert.pem        # The CA certificate
serial      = ${dir}/serial            # The current serial number
crlnumber   = ${dir}/crlnumber         # the current crl number must be commented out to leave a V1 CRL
crl         = ${dir}/crl.pem           # The current CRL
private_key = ${dir}/private/cakey.pem # The private key
RANDFILE    = ${dir}/private/.rand     # private random number file

x509_extensions = usr_cert # The extentions to add to the cert

# Comment out the following two lines for the "traditional" (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs so this is commented out by default to leave
# a V1 CRL. crlnumber must also be commented out to leave a V1 CRL.
#crl_extensions = crl_ext

default_days     = 730     # how long to certify for
default_crl_days = 30      # how long before next CRL
default_md       = default # use public key default MD
preserve         = no      # keep passed DN ordering

# A few different ways of specifying how similar the request should look. For type CA, the listed attributes must be the
# same, and the optional and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# For the 'anything' policy; At this point in time, you must list all acceptable 'object' types.
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################

[ req ]
default_bits       = 4096
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
attributes         = req_attributes
x509_extensions    = v3_ca                  # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
#input_password = secret
#output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = US
countryName_min     = 2
countryName_max     = 2

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = State

localityName         = Locality Name (eg, city)
localityName_default = City

0.organizationName         = Organization Name (eg, company)
0.organizationName_default = Company

organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default = Section

commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = ${ENV::MACHINE_NAME}
commonName_max     = 64

emailAddress     = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword     = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]
# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software requires this to avoid interpreting an end user
# certificate as a CA.
basicConstraints = CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted the certificate can be used for anything *except*
# object signing.

# This is OK for an SSL server.
#nsCertType = server

# For an object signing certificate this would be used.
#nsCertType = objsign

# For normal client use this is typical
#nsCertType = client, email

# and for everything including object signing:
#nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
#subjectAltName = email:copy

# An alternative to produce certificates that aren't deprecated according to PKIX.
#subjectAltName = email:move

# Copy subject details
#issuerAltName = issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
#extendedKeyUsage = critical,timeStamping

[ v3_req ]
# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alternate_names

[ v3_ca ]
# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
#keyUsage = cRLSign, keyCertSign
keyUsage = digitalSignature, keyEncipherment

# Some might want this also
#nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
#subjectAltName = email:copy
# Copy issuer details
#issuerAltName = issuer:copy

# DER hex encoding of an extension: beware experts only!
#obj = DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
#basicConstraints = critical, DER:30:03:01:01:FF

subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = localhost
IP.1  = 127.0.0.1
IP.2  = ${ENV::HOST}

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

#issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints = CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
#nsCertType = server

# For an object signing certificate this would be used.
#nsCertType = objsign

# For normal client use this is typical
#nsCertType = client, email

# and for everything including object signing:
#nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
#subjectAltName = email:copy
# An alternative to produce certificates that aren't deprecated according to PKIX.
#subjectAltName = email:move

# Copy subject details
#issuerAltName = issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################

[ tsa ]
default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir           = ./demoCA                  # TSA root directory
serial        = ${dir}/tsaserial          # The current serial number (mandatory)
crypto_device = builtin                   # OpenSSL engine to use for signing
signer_cert   = ${dir}/tsacert.pem        # The TSA signing certificate (optional)
certs         = ${dir}/cacert.pem         # Certificate chain to include in reply (optional)
signer_key    = ${dir}/private/tsakey.pem # The TSA private key (optional)

default_policy         = tsa_policy1                          # Policy if request did not specify it (optional)
other_policies         = tsa_policy2, tsa_policy3             # acceptable policies (optional)
digests                = sha256, sha512                       # Acceptable message digests (mandatory)
accuracy               = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0                                    # number of digits after dot. (optional)

ordering          = yes # Is ordering defined for timestamps? (optional, default: no)
tsa_name          = yes # Must the TSA name be included in the reply? (optional, default: no)
ess_cert_id_chain = no  # Must the ESS cert id chain be included? (optional, default: no)