-
-
Save yogananda-muthaiah/e182088fe57e63cc5cb7d4c26e1c6dff to your computer and use it in GitHub Desktop.
A certficate generator for communication can be use for internal.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # create-ca.sh - Script to create a Certificate Authority and generate certificates | |
| # Create directory structure | |
| mkdir -p ca/{root-ca,intermediate-ca,certs,private,crl,csr} | |
| chmod 700 ca/private | |
| # Create root CA configuration file | |
| cat > ca/root-ca.conf << EOL | |
| [ req ] | |
| default_bits = 4096 | |
| default_md = sha256 | |
| prompt = no | |
| encrypt_key = yes | |
| distinguished_name = req_distinguished_name | |
| x509_extensions = v3_ca | |
| [ req_distinguished_name ] | |
| countryName = US | |
| stateOrProvinceName = YourState | |
| localityName = YourCity | |
| organizationName = YourOrganization | |
| organizationalUnitName = YourUnit | |
| commonName = YourCompany Root CA | |
| emailAddress = [email protected] | |
| [ v3_ca ] | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always,issuer:always | |
| basicConstraints = critical, CA:true | |
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
| EOL | |
| # Create intermediate CA configuration | |
| cat > ca/intermediate-ca.conf << EOL | |
| [ req ] | |
| default_bits = 4096 | |
| default_md = sha256 | |
| prompt = no | |
| encrypt_key = yes | |
| distinguished_name = req_distinguished_name | |
| x509_extensions = v3_intermediate_ca | |
| [ req_distinguished_name ] | |
| countryName = US | |
| stateOrProvinceName = YourState | |
| localityName = YourCity | |
| organizationName = YourOrganization | |
| organizationalUnitName = YourUnit | |
| commonName = YourCompany Intermediate CA | |
| emailAddress = [email protected] | |
| [ v3_intermediate_ca ] | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always,issuer:always | |
| basicConstraints = critical, CA:true, pathlen:0 | |
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
| EOL | |
| # Create server certificate configuration | |
| cat > ca/server-cert.conf << EOL | |
| [ req ] | |
| default_bits = 2048 | |
| default_md = sha256 | |
| prompt = no | |
| encrypt_key = no | |
| distinguished_name = req_distinguished_name | |
| req_extensions = v3_req | |
| [ req_distinguished_name ] | |
| countryName = US | |
| stateOrProvinceName = YourState | |
| localityName = YourCity | |
| organizationName = YourOrganization | |
| organizationalUnitName = YourUnit | |
| commonName = your-domain.com | |
| emailAddress = [email protected] | |
| [ v3_req ] | |
| basicConstraints = CA:FALSE | |
| keyUsage = critical, digitalSignature, keyEncipherment | |
| extendedKeyUsage = serverAuth, clientAuth | |
| subjectAltName = @alt_names | |
| [ alt_names ] | |
| DNS.1 = your-domain.com | |
| DNS.2 = *.your-domain.com | |
| DNS.3 = localhost | |
| IP.1 = 127.0.0.1 | |
| EOL | |
| # Function to generate Root CA | |
| generate_root_ca() { | |
| echo "Generating Root CA..." | |
| # Generate Root CA private key | |
| openssl genrsa -aes256 -out ca/private/root-ca.key 4096 | |
| chmod 400 ca/private/root-ca.key | |
| # Generate Root CA certificate | |
| openssl req -config ca/root-ca.conf \ | |
| -key ca/private/root-ca.key \ | |
| -new -x509 -days 7300 \ | |
| -sha256 -extensions v3_ca \ | |
| -out ca/root-ca/root-ca.crt | |
| } | |
| # Function to generate Intermediate CA | |
| generate_intermediate_ca() { | |
| echo "Generating Intermediate CA..." | |
| # Generate Intermediate CA private key | |
| openssl genrsa -aes256 -out ca/private/intermediate-ca.key 4096 | |
| chmod 400 ca/private/intermediate-ca.key | |
| # Generate Intermediate CA CSR | |
| openssl req -config ca/intermediate-ca.conf \ | |
| -new -sha256 \ | |
| -key ca/private/intermediate-ca.key \ | |
| -out ca/csr/intermediate-ca.csr | |
| # Sign Intermediate CA certificate with Root CA | |
| openssl x509 -req \ | |
| -in ca/csr/intermediate-ca.csr \ | |
| -CA ca/root-ca/root-ca.crt \ | |
| -CAkey ca/private/root-ca.key \ | |
| -CAcreateserial \ | |
| -out ca/intermediate-ca/intermediate-ca.crt \ | |
| -days 3650 \ | |
| -sha256 \ | |
| -extfile ca/intermediate-ca.conf \ | |
| -extensions v3_intermediate_ca | |
| } | |
| # Function to generate server certificate | |
| generate_server_cert() { | |
| local domain=$1 | |
| echo "Generating server certificate for $domain..." | |
| # Replace domain in config | |
| sed -i "s/your-domain.com/$domain/g" ca/server-cert.conf | |
| # Generate server private key | |
| openssl genrsa -out ca/private/$domain.key 2048 | |
| chmod 400 ca/private/$domain.key | |
| # Generate server CSR | |
| openssl req -config ca/server-cert.conf \ | |
| -key ca/private/$domain.key \ | |
| -new -sha256 -out ca/csr/$domain.csr | |
| # Sign server certificate with Intermediate CA | |
| openssl x509 -req \ | |
| -in ca/csr/$domain.csr \ | |
| -CA ca/intermediate-ca/intermediate-ca.crt \ | |
| -CAkey ca/private/intermediate-ca.key \ | |
| -CAcreateserial \ | |
| -out ca/certs/$domain.crt \ | |
| -days 365 \ | |
| -sha256 \ | |
| -extfile ca/server-cert.conf \ | |
| -extensions v3_req | |
| # Create certificate chain file | |
| cat ca/certs/$domain.crt \ | |
| ca/intermediate-ca/intermediate-ca.crt \ | |
| ca/root-ca/root-ca.crt > ca/certs/$domain.chain.crt | |
| } | |
| # Main execution | |
| echo "Starting CA setup..." | |
| generate_root_ca | |
| generate_intermediate_ca | |
| # Example usage for generating server certificate | |
| # Uncomment and modify domain as needed | |
| # generate_server_cert "example.com" | |
| echo "CA setup complete!" | |
| echo "Root CA certificate: ca/root-ca/root-ca.crt" | |
| echo "Intermediate CA certificate: ca/intermediate-ca/intermediate-ca.crt" | |
| echo "Generated certificates will be in ca/certs/" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment