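#############################################################################
## Usage:
##
## *** Requirements - CA certificate (CA.cer, DER), its private key (CA.pvk)
##     and the key password in CA_pass.txt, all in the working directory
## -------------------------------------------------------------------------
## Open git bash
##
## - Save this file as <fileName>.sh
## - Set the desired domains in the `domains` array below
## - Set CERTIFICATE_FILE_NAME to your main domain name (it becomes the CN)
## - Make the file executable: `chmod u+x <fileName>.sh`
## - Execute the file
##
## Outputs: <name>.key (unencrypted private key, owner-readable only),
##          <name>.crt (certificate signed by the CA)
## Exits non-zero on the first failing step.
#############################################################################
set -euo pipefail

# Configuration – Change it to your needs
CERTIFICATE_FILE_NAME=TestCert
CONFIG_FILE_NAME=$CERTIFICATE_FILE_NAME.cfg

# Certificate expiration period,
# If variable not set or null, use 3650 days.
CERTIFICATE_DAYS=${CERTIFICATE_DAYS:-3650}

# List of domain names
declare -a domains
domains=(localhost domain1 domain2)

# Print a message on stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Progress line: blue '*', yellow message, foreground reset afterwards.
step() { printf '\e[34m *\e[33m %s\e[39m\n' "$*"; }

# The CA material is needed by `openssl x509` below; fail early with a clear
# message instead of a silent empty certificate.
for required in CA.cer CA.pvk CA_pass.txt; do
  [[ -f "$required" ]] || die "missing required file: $required"
done

# Build the [ alt_names ] section as real lines. Writing it straight into the
# config (instead of a sed substitution) means a domain containing '/', '&'
# or '\' cannot corrupt the file.
altNames='[ alt_names ]'
for index in "${!domains[@]}"; do
  altNames+=$'\n'"DNS.${index}=${domains[$index]}"
done

# The private key is written unencrypted (-nodes): make every file this
# script creates owner-readable only.
umask 077

# The config and the CSR are intermediates; remove them on every exit path.
cleanup() { rm -f -- "$CONFIG_FILE_NAME" "$CERTIFICATE_FILE_NAME.csr"; }
trap cleanup EXIT

### Delete existing file
rm -f -- "$CONFIG_FILE_NAME"

### Write the required configuration file for generating the certificate
# The unnamed leading section is what `openssl x509 -extfile` applies when no
# -extensions is given; [ req ] / [ req_ext ] drive `openssl req`.
cat <<EOT > "$CONFIG_FILE_NAME"
authorityKeyIdentifier=keyid, issuer
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
CN=$CERTIFICATE_FILE_NAME
[ req_ext ]
subjectAltName = @alt_names
$altNames
EOT

### Create CSR - Certificate Signing Request
# Key-generation noise goes to stderr; capture it so it is only shown when
# the command actually fails.
step "Generating Certificate Request & Key"
if ! err=$(openssl req \
  -new \
  -newkey rsa:2048 \
  -nodes \
  -out "$CERTIFICATE_FILE_NAME.csr" \
  -keyout "$CERTIFICATE_FILE_NAME.key" \
  -config "$CONFIG_FILE_NAME" \
  2>&1 >/dev/null); then
  die "openssl req failed: $err"
fi

# Create server certificate
step "Generating Certificate"
if ! err=$(openssl x509 -req \
  -in "$CERTIFICATE_FILE_NAME.csr" \
  -days "$CERTIFICATE_DAYS" \
  -CA CA.cer \
  -CAcreateserial \
  -CAform DER \
  -CAkey CA.pvk \
  -passin file:CA_pass.txt \
  -out "$CERTIFICATE_FILE_NAME.crt" \
  -extfile "$CONFIG_FILE_NAME" \
  2>&1 >/dev/null); then
  die "openssl x509 failed: $err"
fi

# Verify that the desired domains are registered.
# Inspect the signed certificate (not the CSR): the CSR's extensions are only
# what was requested, the .crt is what the CA actually issued.
printf '\e[34m *\e[33m Certificate [ \e[0m%s\e[33m ] Registered Domains:\n' "$CERTIFICATE_FILE_NAME.crt"
printf '\e[36m ------------------------------------------------\n'
cert_text=$(openssl x509 -in "$CERTIFICATE_FILE_NAME.crt" -noout -text) \
  || die "cannot read $CERTIFICATE_FILE_NAME.crt"
grep 'Subject:' <<<"$cert_text" || die "no subject found in $CERTIFICATE_FILE_NAME.crt"
grep 'DNS:' <<<"$cert_text" || die "no subjectAltName DNS entries in $CERTIFICATE_FILE_NAME.crt"
# \e[0m resets the foreground as well (\e[49m only reset the background).
printf '\e[36m ------------------------------------------------ \e[0m\n'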