Skip to content

Instantly share code, notes, and snippets.

@mengqingzhong
Forked from rahulkj/generate_certs.sh
Created March 25, 2023 19:35
Show Gist options
  • Save mengqingzhong/d54de60e828fa89146c3ef35c0fd39b8 to your computer and use it in GitHub Desktop.
Save mengqingzhong/d54de60e828fa89146c3ef35c0fd39b8 to your computer and use it in GitHub Desktop.
Script to generate self signed certificate on Ubuntu
#!/bin/bash
###### For generate_certs.sh script ######
export COUNTRY=US
export STATE=California
export CITY=Irvine
export ORGANIZATION=YourCompany
export UNIT=YourBU
export COMMON_NAME=server.example.com
export SAN_NAME_1=server.example.com
export SAN_NAME_2=server
export SERVER_IP=10.0.x.x
export FILE_NAME=server
export UPDATE_DOCKER=false
export CERT_DIR=/data/cert/
export DOCKER_CERT_DIR=/etc/docker/certs.d/${COMMON_NAME}/
export UPDATE_CERT_BUNDLE=false
## Script to generate a SAN Cert
function generate_self_signed_ca() {
openssl genrsa -out ${CERTS_DIR}/ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 825 \
-subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/OU=${UNIT}/CN=${COMMON_NAME}" \
-key ${CERTS_DIR}/ca.key \
-out ${CERTS_DIR}/ca.crt
}
function generate_server_certificate() {
openssl genrsa -out ${CERTS_DIR}/${FILE_NAME}.key 4096
openssl req -sha512 -new \
-subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/OU=${UNIT}/CN=${COMMON_NAME}" \
-key ${CERTS_DIR}/${FILE_NAME}.key \
-out ${CERTS_DIR}/${FILE_NAME}.csr
cat > ${CERTS_DIR}/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=${SAN_NAME_1}
DNS.2=${SAN_NAME_2}
IP.1=${SERVER_IP}
EOF
openssl x509 -req -sha512 -days 825 \
-extfile ${CERTS_DIR}/v3.ext \
-CA ${CERTS_DIR}/ca.crt -CAkey ${CERTS_DIR}/ca.key -CAcreateserial \
-in ${CERTS_DIR}/${FILE_NAME}.csr \
-out ${CERTS_DIR}/${FILE_NAME}.crt
openssl x509 -inform PEM -in ${CERTS_DIR}/${FILE_NAME}.crt -out ${CERTS_DIR}/${FILE_NAME}.cert
}
function copy_certificates_to_destination() {
mkdir -p ${CERT_DIR}
cp ${CERTS_DIR}/${FILE_NAME}.crt ${CERT_DIR}
cp ${CERTS_DIR}/${FILE_NAME}.key ${CERT_DIR}
}
function copy_to_docker_cert() {
mkdir -p ${DOCKER_CERT_DIR}
cp ${CERTS_DIR}/${FILE_NAME}.cert ${DOCKER_CERT_DIR}
cp ${CERTS_DIR}/${FILE_NAME}.key ${DOCKER_CERT_DIR}
cp ${CERTS_DIR}/ca.crt ${DOCKER_CERT_DIR}
systemctl restart docker
}
function update_linux_cert_store() {
cp ${CERTS_DIR}/${FILE_NAME}.crt /usr/local/share/ca-certificates
update-ca-certificates
}
generate_self_signed_ca
generate_server_certificate
copy_certificates_to_destination
if [[ ${UPDATE_CERT_BUNDLE} ]]; then
echo "Update trust store"
update_linux_cert_store
elif [[ ${DOCKER_CERT_DIR} ]]; then
echo "Update Docker certs and restart docker"
copy_to_docker_cert
else
echo "Nothing to do here"
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment