Script to generate self signed certificate on Ubuntu
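#!/bin/bash
# Generate a private CA and a SAN server certificate signed by it, then
# optionally install the result into the system trust store or Docker's
# per-registry certificate directory. Every function below reads the
# exported values in this block as globals; edit them before running.
set -euo pipefail

###### For generate_certs.sh script ######
export COUNTRY=US
export STATE=California
export CITY=Irvine
export ORGANIZATION=YourCompany
export UNIT=YourBU
export COMMON_NAME=server.example.com
export SAN_NAME_1=server.example.com
export SAN_NAME_2=server
# Placeholder: replace with a literal IP address before running; the value is
# written verbatim into the subjectAltName IP.1 entry.
export SERVER_IP=10.0.x.x
export FILE_NAME=server
export UPDATE_DOCKER=false
export CERT_DIR=/data/cert/
export DOCKER_CERT_DIR=/etc/docker/certs.d/${COMMON_NAME}/
export UPDATE_CERT_BUNDLE=false
# Working directory for the CA key/cert, the CSR and the v3 extension file.
# The functions read CERTS_DIR (not CERT_DIR); if it were left unset the
# openssl output paths would collapse to "/ca.key" etc. The CA private key
# is created here and never copied anywhere, so keep this directory (or set
# CERTS_DIR to a persistent location) if further certificates must be signed.
export CERTS_DIR=${CERTS_DIR:-$(mktemp -d)}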
## Script to generate a SAN cert
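#######################################
# Create the private CA: an RSA-4096 key and a self-signed certificate.
# Globals:   CERTS_DIR, COUNTRY, STATE, CITY, ORGANIZATION, UNIT, COMMON_NAME (read)
# Outputs:   ${CERTS_DIR}/ca.key (owner-readable only) and ${CERTS_DIR}/ca.crt
# Returns:   non-zero if CERTS_DIR is empty or an openssl step fails
#######################################
function generate_self_signed_ca() {
  # Abort rather than write "/ca.key" when the working directory is not set.
  : "${CERTS_DIR:?CERTS_DIR must be the working directory for generated files}"
  mkdir -p -- "${CERTS_DIR}"
  # Restrict the CA private key to the owner regardless of the caller's umask
  # or the openssl version's default file mode.
  ( umask 077 && openssl genrsa -out "${CERTS_DIR}/ca.key" 4096 ) || return
  # NOTE(review): the CA uses the same CN as the server certificate it will
  # sign; some validators treat a leaf whose issuer DN equals its subject DN
  # as self-signed. A distinct CA CN is worth confirming with the consumers.
  openssl req -x509 -new -nodes -sha512 -days 825 \
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/OU=${UNIT}/CN=${COMMON_NAME}" \
    -key "${CERTS_DIR}/ca.key" \
    -out "${CERTS_DIR}/ca.crt"
}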
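#######################################
# Create the server key and CSR, then sign the CSR with the CA from
# generate_self_signed_ca using a v3 extension file that carries the SANs.
# Globals:   CERTS_DIR, FILE_NAME, COUNTRY, STATE, CITY, ORGANIZATION, UNIT,
#            COMMON_NAME, SAN_NAME_1, SAN_NAME_2, SERVER_IP (read)
# Outputs:   ${CERTS_DIR}/${FILE_NAME}.key (owner-readable only), .csr, .crt,
#            a PEM copy named .cert, and ${CERTS_DIR}/v3.ext
# Returns:   non-zero if CERTS_DIR is empty or an openssl step fails
#######################################
function generate_server_certificate() {
  : "${CERTS_DIR:?CERTS_DIR must be the working directory for generated files}"
  local key="${CERTS_DIR}/${FILE_NAME}.key"
  local csr="${CERTS_DIR}/${FILE_NAME}.csr"
  local crt="${CERTS_DIR}/${FILE_NAME}.crt"
  local ext="${CERTS_DIR}/v3.ext"
  mkdir -p -- "${CERTS_DIR}"
  # Keep the server private key owner-readable only.
  ( umask 077 && openssl genrsa -out "${key}" 4096 ) || return
  openssl req -sha512 -new \
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/OU=${UNIT}/CN=${COMMON_NAME}" \
    -key "${key}" \
    -out "${csr}"
  # Unquoted delimiter on purpose: the SAN values are expanded into the file.
  cat > "${ext}" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=${SAN_NAME_1}
DNS.2=${SAN_NAME_2}
IP.1=${SERVER_IP}
EOF
  # -CAcreateserial writes ca.srl next to ca.crt on first use.
  openssl x509 -req -sha512 -days 825 \
    -extfile "${ext}" \
    -CA "${CERTS_DIR}/ca.crt" -CAkey "${CERTS_DIR}/ca.key" -CAcreateserial \
    -in "${csr}" \
    -out "${crt}"
  # Same certificate under the .cert name Docker expects in certs.d.
  openssl x509 -inform PEM -in "${crt}" -out "${CERTS_DIR}/${FILE_NAME}.cert"
}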
function copy_certificates_to_destination() { | |
mkdir -p ${CERT_DIR} | |
cp ${CERTS_DIR}/${FILE_NAME}.crt ${CERT_DIR} | |
cp ${CERTS_DIR}/${FILE_NAME}.key ${CERT_DIR} | |
} | |
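#######################################
# Install the certificate material into Docker's per-registry directory and
# restart the daemon so it is picked up.
# Globals:   CERTS_DIR, FILE_NAME, DOCKER_CERT_DIR (read)
# Outputs:   ${DOCKER_CERT_DIR}/${FILE_NAME}.cert, .key and ca.crt
# Returns:   non-zero if a directory variable is empty, a copy fails, or
#            systemctl fails (requires privileges to restart docker)
#######################################
function copy_to_docker_cert() {
  : "${CERTS_DIR:?CERTS_DIR must be the working directory for generated files}"
  : "${DOCKER_CERT_DIR:?DOCKER_CERT_DIR must be the Docker certs.d directory}"
  mkdir -p -- "${DOCKER_CERT_DIR}"
  # NOTE(review): this places the server's private key under certs.d, where
  # Docker looks for client credentials; confirm that is the intended use.
  cp -- "${CERTS_DIR}/${FILE_NAME}.cert" "${DOCKER_CERT_DIR}"
  cp -- "${CERTS_DIR}/${FILE_NAME}.key" "${DOCKER_CERT_DIR}"
  cp -- "${CERTS_DIR}/ca.crt" "${DOCKER_CERT_DIR}"
  systemctl restart docker
}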
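#######################################
# Add the generated server certificate to the system trust store.
# Globals:   CERTS_DIR, FILE_NAME (read)
# Outputs:   /usr/local/share/ca-certificates/${FILE_NAME}.crt, then runs
#            update-ca-certificates (requires root)
# Returns:   non-zero if CERTS_DIR is empty, the copy fails, or
#            update-ca-certificates fails
#######################################
function update_linux_cert_store() {
  : "${CERTS_DIR:?CERTS_DIR must be the working directory for generated files}"
  # NOTE(review): this trusts the leaf certificate rather than ca.crt; that
  # only covers this one server cert, so confirm whether the CA was intended.
  cp -- "${CERTS_DIR}/${FILE_NAME}.crt" /usr/local/share/ca-certificates
  update-ca-certificates
}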
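# Entry point: build the CA and server certificate, publish them, then run
# exactly one of the optional install steps.
generate_self_signed_ca
generate_server_certificate
copy_certificates_to_destination
# Compare against the literal "true": a bare [[ ${var} ]] is a non-empty test,
# so the string "false" would have selected the branch as well. The Docker
# branch keys off UPDATE_DOCKER, which is the exported toggle for it;
# DOCKER_CERT_DIR is always non-empty and cannot act as a switch.
if [[ "${UPDATE_CERT_BUNDLE}" == "true" ]]; then
  printf '%s\n' "Update trust store"
  update_linux_cert_store
elif [[ "${UPDATE_DOCKER}" == "true" ]]; then
  printf '%s\n' "Update Docker certs and restart docker"
  copy_to_docker_cert
else
  printf '%s\n' "Nothing to do here"
fi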