Skip to content

Instantly share code, notes, and snippets.

@silverkorn

silverkorn/generate-ssl.sh

Last active April 10, 2019 19:17
Show Gist options
  • Save silverkorn/fd24c8cbf4da024917d498f2fc88091c to your computer and use it in GitHub Desktop.
Save silverkorn/fd24c8cbf4da024917d498f2fc88091c to your computer and use it in GitHub Desktop.
Download ZIP
Create a SAN SSL Certificate from a config file under the name of `openssl.conf`. The name of the directory will be used as the default `commonName`.
Raw
generate-ssl.sh
#! /bin/bash
##########
# Config #
##########
TMP_SSL_CERTIFICATE_NAME=$(basename "($(dirname "$(realpath "$0")")")
TMP_SSL_CERTIFICAT_RSA_BITS=3072
TMP_SSL_CERTIFICAT_GENERATE_SELFSIGNED=1
TMP_SSL_CERTIFICAT_SELFSIGNED_VALID_DAYS=1095
#########
if [ -n "$1" ]; then TMP_SSL_CERTIFICATE_NAME=$1; fi
TMP_SSL_CERTIFICATE_ROOTPATH=$(dirname "$0")
TMP_SSL_CERTIFICATE_FULLNAME=${TMP_SSL_CERTIFICATE_NAME}
TMP_SSL_CERTIFICATE_PREFIX_COMMAND=
# Windows / MinGW workaround
[[ "$(uname)" =~ "MINGW" ]] && TMP_SSL_CERTIFICATE_PREFIX_COMMAND="winpty "
# Change the default commonName from openssl.conf to the one from $TMP_SSL_CERTIFICATE_NAME
sed -i -e "s/^\(commonName_default\s*=\).*$/\1 ${TMP_SSL_CERTIFICATE_NAME}/gmi" "${TMP_SSL_CERTIFICATE_ROOTPATH}/openssl.conf"
${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl genrsa -des3 -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" ${TMP_SSL_CERTIFICAT_RSA_BITS}
${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl req -new -key "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr" -config "${TMP_SSL_CERTIFICATE_ROOTPATH}/openssl.conf"
cp "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key.org"
${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl rsa -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key.org" -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key"
# Self-signing
if [ "${TMP_SSL_CERTIFICAT_GENERATE_SELFSIGNED}" -eq "1" ];
then
${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl x509 -req -extensions v3_req -days ${TMP_SSL_CERTIFICAT_SELFSIGNED_VALID_DAYS} -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr" -signkey "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.crt" -extfile "${TMP_SSL_CERTIFICATE_ROOTPATH}/openssl.conf"
# CA Cert
${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl x509 -req -days ${TMP_SSL_CERTIFICAT_SELFSIGNED_VALID_DAYS} -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr" -CA "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.crt" -CAkey "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" -set_serial 01 -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.ca.crt"
# (Optional) Install CA cert
if [ -f "/etc/redhat-release" ];
then
update-ca-trust force-enable
cp "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.ca.crt" "/etc/pki/ca-trust/source/anchors/"
update-ca-trust extract
elif [ -f "/etc/debian-release" ];
then
cp "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.ca.crt" "/usr/local/share/ca-certificates/"
update-ca-certificates
fi
# View CSR
openssl req -text -noout -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr"
# Validate with .key and .csr
echo
echo "\"${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.crt\" Hash:"
openssl x509 -noout -modulus -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.crt" | openssl md5
echo
fi
# Detect if the key and csr are compatible
echo "\"${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key\" Hash:"
openssl rsa -noout -modulus -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" | openssl md5
echo
echo "\"${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr\" Hash:"
openssl req -noout -modulus -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr" | openssl md5
Raw
openssl.conf
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Quebec
localityName = Locality Name (eg, city)
localityName_default = Montreal
organizationName = Organization Name (eg, company)
organizationName_default = Your company name
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Web Technologies
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
commonName_default = www.yourdomain.org
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = [email protected]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = alt.yourdomain.org
DNS.2 = alt.otherdomain.com
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment