Helper functions for creating your own CA and signed certificates
#!/bin/bash | |
# See: https://wiki.yyin.me/guides/cert | |
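# Generate a 2048-bit RSA private key as <name>.key.
# Arguments: $1 - key pair name
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else openssl's exit status
create-key-pair() {
  if (( $# != 1 )); then printf '%s\n' 'Args: key pair name' >&2; return 2; fi
  # The output is private key material: create it owner-readable only (umask 077)
  # instead of relying on whatever umask the caller's shell happens to have.
  ( umask 077 && openssl genrsa -out "$1.key" 2048 )
}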
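# Create a self-signed certificate <name>.crt from <name>.key (interactive DN prompts).
# Arguments: $1 - key pair & cert name
#            $2 - validity in days (positive integer)
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else openssl's exit status
create-self-signed-cert() {
  if (( $# != 2 )); then printf '%s\n' 'Args: key pair & cert name, expired after x days' >&2; return 2; fi
  # Reject a non-numeric day count up front rather than letting openssl fail mid-prompt.
  if [[ ! $2 =~ ^[0-9]+$ ]]; then printf '%s\n' 'Days must be a positive integer' >&2; return 2; fi
  openssl req -new -x509 -days "$2" -key "$1.key" -out "$1.crt"
}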
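# Write a non-interactive CSR config skeleton to <name>.cnf (CN preset to <name>).
# Arguments: $1 - cnf & csr name
# Outputs:   follow-up instructions on stdout; usage text on stderr when misused
# Returns:   2 on bad usage, else the exit status of writing the file
create-csr-template() {
  if (( $# != 1 )); then printf '%s\n' 'Args: cnf & csr name' >&2; return 2; fi
  local name=$1
  # The DN field is spelled organizationalUnitName (OID 2.5.4.11); the former
  # "organizationUnitName" is not an OpenSSL field name and the request fails.
  # req_extensions only lands in the CSR; the signing step must re-apply it via -extfile.
  cat > "${name}.cnf" <<EOF
[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName =
stateOrProvinceName =
localityName =
organizationName =
organizationalUnitName =
commonName = ${name}
emailAddress =
[ req_ext ]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = test.example.com
IP.1 = 192.168.0.1
IP.2 = 127.0.0.1
EOF
  local rc=$?
  printf '%s\n\n' 'Template generated.'
  printf 'Use your favorite editor to edit the file "%s.cnf".\n\n' "${name}"
  printf '%s\n\n' 'Note: Some fields are optional. Empty fields need to be removed.'
  # The function that consumes the cnf is create-csr-with-cnf (there is no "create-csr").
  printf 'When completed, run "create-csr-with-cnf %s" to create the csr file.\n' "${name}"
  return "$rc"
}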
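# Create <name>.csr from <name>.key using the non-interactive config <name>.cnf.
# Arguments: $1 - key pair & csr name
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else openssl's exit status
create-csr-with-cnf() {
  if (( $# != 1 )); then printf '%s\n' 'Args: key pair & csr name' >&2; return 2; fi
  openssl req -new -key "$1.key" -out "$1.csr" -config "$1.cnf"
}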
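# Create <name>.csr from <name>.key, prompting interactively for the subject.
# Arguments: $1 - key pair name
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else openssl's exit status
create-csr-interactive() {
  if (( $# != 1 )); then printf '%s\n' 'Args: key pair name' >&2; return 2; fi
  openssl req -new -key "$1.key" -out "$1.csr"
}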
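# Seed the CA serial file <ca>.srl used by the signing functions below.
# Arguments: $1 - CA file name
#            $2 - initial serial number, hexadecimal digits (openssl reads the
#                 .srl contents as hex; NOTE(review): it also appears to require
#                 an even digit count, e.g. 1000 rather than 100 — confirm)
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else the exit status of writing the file
create-initial-srl() {
  if (( $# != 2 )); then printf '%s\n' 'Args: CA file name, initial serial number' >&2; return 2; fi
  # Validate before writing so a typo does not surface later as an openssl parse error.
  if [[ ! $2 =~ ^[0-9A-Fa-f]+$ ]]; then printf '%s\n' 'Serial must be hexadecimal digits' >&2; return 2; fi
  printf '%s\n' "$2" > "$1.srl"
}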
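# Sign <req>.csr with the CA <ca>.crt/<ca>.key, producing <req>.crt, applying the
# [req_ext] section of <req>.cnf (SAN, EKU).  Requires <ca>.srl (see create-initial-srl).
# Arguments: $1 - CA key pair & cert name
#            $2 - csr & crt & cnf name
#            $3 - validity in days (positive integer)
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else openssl's exit status
create-signed-cert-with-ext() {
  if (( $# != 3 )); then printf '%s\n' 'Args: CA key pair & cert name, csr & crt & cnf name, expired after x days' >&2; return 2; fi
  if [[ ! $3 =~ ^[0-9]+$ ]]; then printf '%s\n' 'Days must be a positive integer' >&2; return 2; fi
  # "x509 -req" does not carry extensions over from the CSR, so the SAN/EKU
  # must be re-applied here from the cnf; without -extfile the leaf would have no SAN.
  openssl x509 -req -CA "$1.crt" -CAkey "$1.key" -days "$3" -sha256 \
    -in "$2.csr" -out "$2.crt" -extensions req_ext -extfile "$2.cnf"
}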
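# Sign <req>.csr with the CA <ca>.crt/<ca>.key, producing <req>.crt without any
# v3 extensions (no SAN — modern clients will not accept such a cert for TLS hostnames).
# Requires <ca>.srl (see create-initial-srl).
# Arguments: $1 - CA key pair & cert name
#            $2 - csr & crt name
#            $3 - validity in days (positive integer)
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else openssl's exit status
create-signed-cert-no-ext() {
  if (( $# != 3 )); then printf '%s\n' 'Args: CA key pair & cert name, csr & crt name, expired after x days' >&2; return 2; fi
  if [[ ! $3 =~ ^[0-9]+$ ]]; then printf '%s\n' 'Days must be a positive integer' >&2; return 2; fi
  openssl x509 -req -CA "$1.crt" -CAkey "$1.key" -days "$3" -sha256 \
    -in "$2.csr" -out "$2.crt"
}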
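# Bundle <name>.crt and <name>.key into a PKCS#12 file <name>.p12 (openssl prompts for
# the export password).
# Arguments: $1 - cert & key & p12 name
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else openssl's exit status
convert-cert-key-to-pkcs12() {
  if (( $# != 1 )); then printf '%s\n' 'Args: cert & key & p12 name' >&2; return 2; fi
  # The bundle carries the private key; keep it owner-only on disk.
  ( umask 077 && openssl pkcs12 -export -clcerts -in "$1.crt" -inkey "$1.key" -out "$1.p12" )
}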
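# Concatenate <name>.crt and <name>.key into a single <name>.pem (cert first, then key).
# Arguments: $1 - cert & key & pem name
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else cat's exit status
convert-cert-key-to-pem() {
  if (( $# != 1 )); then printf '%s\n' 'Args: cert & key & pem name' >&2; return 2; fi
  # The .pem contains the unencrypted private key: create it owner-only.
  ( umask 077 && cat -- "$1.crt" "$1.key" > "$1.pem" )
}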
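# Extract the client certificate (and key) from <name>.p12 into <name>.pem.
# Arguments: $1 - p12 & pem name
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else openssl's exit status
convert-pkcs12-to-pem() {
  if (( $# != 1 )); then printf '%s\n' 'Args: p12 & pem name' >&2; return 2; fi
  # Output may include private key material: create it owner-only.
  ( umask 077 && openssl pkcs12 -clcerts -in "$1.p12" -out "$1.pem" )
}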
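# Split <name>.p12 into <name>.key (unencrypted, -nodes) and <name>.crt (client cert only).
# Arguments: $1 - p12 & cert & key name
# Outputs:   usage text on stderr when misused
# Returns:   2 on bad usage, else the exit status of the first failing openssl call
convert-pkcs12-to-cert-key() {
  if (( $# != 1 )); then printf '%s\n' 'Args: p12 & cert & key name' >&2; return 2; fi
  # -nodes writes the private key in the clear, so restrict the file at creation.
  ( umask 077 && openssl pkcs12 -in "$1.p12" -nocerts -nodes -out "$1.key" ) || return
  openssl pkcs12 -in "$1.p12" -clcerts -nodes -out "$1.crt"
}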