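#!/bin/bash
# prepcert.sh - prepare a 2048-bit RSA private key, a certificate signing
# request (CSR) and a temporary self-signed certificate for an Apache/httpd
# virtual host. Files are kept under $httpdconfdir/ssl.key, ssl.csr and
# ssl.crt. The script writes below /etc and /root, so it must run as root
# (is_root_user enforces this); usage: sudo bash prepcert.sh
#
# Shared state read and written by the functions below:
#   httpdconfdir   Apache config root (/etc/apache2 if present, else /etc/httpd/conf)
#   is_wildcard    "y" when the CN should be "*.<domain>", otherwise "n"
#   domainname     CN entered by the user (with the "*." prefix for wildcards)
#   keyfile/certfile/csrfile  paths chosen by get_domain and the check_* helpers
#   conffile       openssl "req" config written by create_config_file
#   keyfile_2048/keyfile_exist/certfile_2048/certfile_exist  0/1 status flags
#   root_user      1 when running as root (see is_root_user)
#   fn             timestamp suffix for files that would otherwise be overwritten
#   cacertfile     where the RapidSSL CA bundle is stored
httpdconfdir=/etc/httpd/conf
[ -e /etc/apache2 ] && httpdconfdir=/etc/apache2
is_wildcard="n"
domainname=""
keyfile=""
certfile=""
csrfile=""
conffile=".sslconf"
keyfile_2048=0
keyfile_exist=0
certfile_2048=0
certfile_exist=0
root_user=1
fn=$(date +%d%m%Y-%H%M)
cacertfile="$httpdconfdir/ssl.crt/RapidSSL_CA_bundle.pem"
# Create the private key, CSR and certificate directories. Paths are quoted
# so they cannot word-split. A freshly created ssl.key is made 0700 because
# it will hold private keys (-m only takes effect when the directory is
# created, so an existing directory keeps its mode). Failures are reported
# rather than silently ignored; a non-root run is rejected later by
# is_root_user.
mkdir -p -m 0700 "$httpdconfdir/ssl.key" || echo "warning: cannot create $httpdconfdir/ssl.key" >&2
mkdir -p "$httpdconfdir/ssl.csr" || echo "warning: cannot create $httpdconfdir/ssl.csr" >&2
mkdir -p "$httpdconfdir/ssl.crt" || echo "warning: cannot create $httpdconfdir/ssl.crt" >&2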
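verify_keyfile_matches_certfile() {
  # Compare the RSA modulus of $certfile with that of $keyfile and report
  # whether they belong together. Both openssl calls must succeed and yield
  # a modulus; previously two failed calls produced two identical md5 sums
  # of empty input and were reported as a match.
  local certmod keymod ok=1
  echo
  echo "Using the following files for private key and certificate verification"
  echo
  echo "Private Key file: $keyfile"
  echo "Certificate file: $certfile"
  echo
  echo
  sleep 2
  echo -n "verifying ssl private key and certificate..."
  certmod=$(openssl x509 -noout -modulus -in "$certfile") || ok=0
  keymod=$(openssl rsa -noout -modulus -in "$keyfile") || ok=0
  if [ "$ok" -eq 1 ] && [ -n "$certmod" ] && [ "$certmod" = "$keymod" ]; then
    sleep 4
    echo -n "done"
    echo
    echo
    echo
    echo "Congratulations!"
    echo "SSL Private Key and Certificate matches!"
    sleep 2
  else
    sleep 3
    echo -n "done"
    echo
    echo
    echo
    echo " WARNING!"
    echo "SSL Private Key and Certificate DOES NOT match!!!!"
    sleep 2
  fi
}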
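create_config_file() {
  # Ask for the subject fields interactively and write an openssl "req"
  # config to $conffile with prompting disabled, so gencsr can run without
  # further input. CN is taken from $domainname. The key stays unencrypted
  # (encrypt_key = no) because Apache has to read it unattended.
  # read -r: keep backslashes in the answers literal.
  read -r -p 'COUNTRY 2 Letter: ' COUNTRY
  read -r -p 'State or Province: ' STATE
  read -r -p 'Locality (city): ' LOCALITY
  read -r -p 'Organization: ' ORGNAME
  read -r -p 'Email Address: ' EMAIL
  # default_md = sha256: SHA-1 signed requests are no longer accepted by
  # public CAs (the original wrote sha1).
  cat <<EODOC > "$conffile"
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = $COUNTRY
ST = $STATE
L = $LOCALITY
O = $ORGNAME
CN = $domainname
emailAddress = $EMAIL
EODOC
}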
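gencsr() {
  # Write the request config, then create the CSR from $keyfile into
  # $csrfile. An existing regular CSR is never overwritten: the new one gets
  # the $fn suffix and $csrfile is updated to point at it. Returns 1 when
  # openssl fails so the caller does not continue with a missing CSR.
  local new_csrfile
  create_config_file
  if [ -e "$csrfile" ] && [ ! -L "$csrfile" ]; then
    new_csrfile="$csrfile-$fn"
    echo
    echo "There's already an existing CSR file $csrfile"
    echo
    echo "The new CSR file will be $new_csrfile"
    echo "generating CSR.."
    echo
    csrfile=$new_csrfile
  else
    echo
    echo "generating Certificate Signing Request..$csrfile"
    echo
  fi
  # This is what gets sent to the CA. The CN in $conffile must match the
  # domain name; no challenge password is set.
  if ! openssl req -new -key "$keyfile" -config "$conffile" -out "$csrfile"; then
    echo "CSR generation failed for $csrfile" >&2
    return 1
  fi
}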
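genkey() {
  # Create a 2048-bit RSA private key. Two cases:
  #   1. $keyfile is an existing regular file (found but not 2048 bit): a
  #      new key is written next to it with the $fn suffix and $keyfile is
  #      repointed at it.
  #   2. $keyfile does not exist: the key is written as $keyfile-$fn and
  #      the standard name $httpdconfdir/ssl.key/<domain>.2048.key becomes
  #      a symlink to it.
  # Both paths set keyfile_exist=1 and keyfile_2048=1, chmod the key 0600
  # and return 1 if openssl fails (flags are left untouched in that case).
  local link="$httpdconfdir/ssl.key/$domainname.2048.key"
  local new_keyfile
  if [ -e "$keyfile" ] && [ ! -L "$keyfile" ]; then
    new_keyfile="$httpdconfdir/ssl.key/$domainname.2048.key-$fn"
    echo
    echo "There's already an existing private key file $keyfile"
    echo "The new private key will be $new_keyfile"
    echo "generating 2048 private key"
    # add a -des3 option to the command if you want to use a password with your key
    if ! openssl genrsa -out "$new_keyfile" 2048; then
      echo "private key generation failed for $new_keyfile" >&2
      return 1
    fi
    # private key: owner-only, same as the fresh-key path below
    chmod 0600 "$new_keyfile"
    keyfile=$new_keyfile
    keyfile_exist=1
    keyfile_2048=1
    echo
    echo
    sleep 10
  fi
  if [ ! -e "$keyfile" ]; then
    echo
    echo "will generate 2048 private key"
    echo
    sleep 1
    keyfile="$keyfile-$fn"
    # add a -des3 option to the command if you want to use a password with your key
    if ! openssl genrsa -out "$keyfile" 2048; then
      echo "private key generation failed for $keyfile" >&2
      return 1
    fi
    chmod 0600 "$keyfile"
    keyfile_exist=1
    keyfile_2048=1
    echo
    echo
    echo "creating a symlink $link from $keyfile"
    echo "this is for convenience in case an old key is needed for some reasons"
    echo "and just in case apache config is not yet updated to use the new key file $keyfile"
    echo
    # -f: the standard name may already be a dangling symlink (that is why
    # -e was false above); plain ln -s would fail with "File exists".
    ln -sfn "$keyfile" "$link"
    sleep 1
    ls -al "$link"
    echo
  fi
}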
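verify_certfile_2048() {
  # Set certfile_2048 to 1 when the Public-Key line of $certfile reports
  # 2048 bits, else 0. The original wrote '$certfile_2048=1', which expands
  # to '0=1' and never assigned the flag.
  local cert_bitness
  echo "checking if ssl certificate is 2048 encryption..."
  echo
  # 2048 bit is required
  cert_bitness=$(openssl x509 -noout -text -in "$certfile" | grep Public-Key | grep -c 2048)
  if [ "$cert_bitness" -eq 1 ]; then
    certfile_2048=1
    echo "Existing certificate $certfile is 2048 bit"
    echo
  else
    certfile_2048=0
    echo "Existing certificate $certfile is NOT 2048 bit"
    echo "we need to generate a new 2048 ssl private key and a new 2048 self-signing certificate"
  fi
}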
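check_certfile_exist() {
  # Look for $httpdconfdir/ssl.crt/<domain>.2048.crt. When found, set
  # certfile_exist=1 and point $certfile at it; otherwise certfile_exist=0.
  local candidate="$httpdconfdir/ssl.crt/$domainname.2048.crt"
  echo
  echo "checking if you have an existing ssl certificate from our standard location $httpdconfdir/ssl.crt"
  echo
  sleep 2
  if [ -e "$candidate" ]; then
    certfile_exist=1
    certfile=$candidate
    # the message used to print $keyfile instead of the certificate path
    echo "found an existing certificate file $certfile"
    echo
    sleep 1
    # TODO: prompt here whether a new CSR should be generated
  else
    certfile_exist=0
    echo "no existing $candidate found."
    echo
  fi
}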
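verify_keyfile_2048() {
  # Set keyfile_2048 to 1 when the Private-Key line of $keyfile reports
  # 2048 bits, else 0. $keyfile is quoted so a path with spaces or a
  # wildcard name ("*.domain") is passed to openssl as one argument.
  local key_bitness
  echo "checking if private key file is 2048 bit encryption"
  key_bitness=$(openssl rsa -noout -text -in "$keyfile" | grep Private-Key | grep -c 2048)
  if [ "$key_bitness" -eq 1 ]; then
    keyfile_2048=1
    sleep 1
    echo
    echo "key file $keyfile is 2048 bit encryption"
    echo
    sleep 1
  else
    keyfile_2048=0
    echo "Existing key file $keyfile is NOT 2048 bit encryption"
    echo "we need to generate 2048 bit private key"
    sleep 1
  fi
}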
check_keyfile_exist() {
  # Locate an existing private key for $domainname under $httpdconfdir/ssl.key:
  # first <domain>.2048.key, then <domain>.key. Sets keyfile_exist (1/0) and,
  # when found, $keyfile.
  local preferred="$httpdconfdir/ssl.key/$domainname.2048.key"
  local fallback="$httpdconfdir/ssl.key/$domainname.key"
  echo
  echo "checking if you have an existing private ssl key from our standard location $httpdconfdir/ssl.key"
  echo
  sleep 2
  if [ -e "$preferred" ]; then
    keyfile_exist=1
    keyfile=$preferred
    echo "found an existing private key file $keyfile"
    sleep 1
    # TODO: prompt here whether a new CSR should be generated
    return 0
  fi
  echo "no existing $preferred found."
  sleep 1
  echo
  echo "looking for another key. file name $fallback"
  sleep 1
  echo
  if [ ! -e "$fallback" ]; then
    keyfile_exist=0
    echo "no existing private key files found..."
    sleep 1
    return 0
  fi
  keyfile_exist=1
  keyfile=$fallback
  echo "found an existing private key file $keyfile"
  sleep 1
  echo
}
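genselfcert() {
  # Issue a 365-day self-signed certificate from $csrfile and $keyfile so the
  # vhost can start before the CA-issued certificate arrives (that one is
  # meant to replace the self-signed file). Then make sure the CA bundle is
  # present, record the settings in /root/sslorderdetails and print the
  # Apache directives. Returns 1 when openssl fails, so no directives are
  # printed for a certificate that was never written.
  local link="$httpdconfdir/ssl.crt/$domainname.2048.crt"
  local new_certfile tmp
  if [ ! -e "$certfile" ]; then
    echo
    certfile="$certfile-$fn"
    echo "generating a new self-signed certificate"
    if ! openssl req -x509 -days 365 -in "$csrfile" -key "$keyfile" -out "$certfile"; then
      echo "self-signed certificate generation failed for $certfile" >&2
      return 1
    fi
    echo "creating a symlink $link from $certfile"
    echo "just in case apache config is not updated to use the new cert file $certfile"
    # -f: the standard name may be a dangling symlink (why -e was false).
    ln -sfn "$certfile" "$link"
    echo
    sleep 1
  else
    echo
    new_certfile="$certfile-$fn"
    echo "generating a new self-signed certificate $new_certfile"
    if ! openssl req -x509 -days 365 -in "$csrfile" -key "$keyfile" -out "$new_certfile"; then
      echo "self-signed certificate generation failed for $new_certfile" >&2
      return 1
    fi
    certfile=$new_certfile
    echo
    sleep 1
  fi
  # To double check the request: openssl req -noout -text -in "$csrfile"
  #
  # Download the RapidSSL CA bundle once. The check used to look in ssl.key
  # while the file lives in ssl.crt ($cacertfile), so it was fetched on every
  # run. The fetch is plain HTTP with no integrity check: the download goes to
  # a temp file and is only moved into place if it parses as a PEM certificate,
  # and a failed download no longer leaves an empty bundle behind. Compare the
  # bundle against the copy published by the CA before relying on it.
  if [ ! -e "$cacertfile" ]; then
    tmp=$(mktemp "$cacertfile.XXXXXX") || tmp=""
    if [ -n "$tmp" ] \
        && wget -q -O "$tmp" http://downloads.rimuhosting.com/RapidSSL_CA_bundle.pem \
        && openssl x509 -noout -in "$tmp" >/dev/null 2>&1; then
      mv -- "$tmp" "$cacertfile"
    else
      [ -n "$tmp" ] && rm -f -- "$tmp"
      echo "warning: could not download $cacertfile; install the CA bundle by hand" >&2
    fi
  fi
  # save the conf settings for when we get the cert
  printf '\nexport domainname=%s\nexport httpdconfdir=%s\n\n' "$domainname" "$httpdconfdir" > /root/sslorderdetails
  # quoted: a wildcard name would otherwise be glob-expanded by echo
  echo "Common Name = $domainname"
  echo
  # for new certificates
  echo "You will need to add this to your SSL-enabled VirtualHost:"
  echo "################### START HERE#########################"
  echo "SSLEngine On
SSLCertificateFile $certfile
SSLCertificateKeyFile $keyfile
SSLCACertificateFile $cacertfile"
  echo "################### END HERE #########################"
  echo
  echo
  echo
}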
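get_domain() {
  # Prompt for the CN, prefix it with "*." when $is_wildcard is "y", and
  # derive the standard key/cert/CSR paths under $httpdconfdir. The name is
  # embedded verbatim in file names, so anything empty or containing '/',
  # whitespace or '*' is rejected and asked again (the wildcard prefix is
  # added here, not typed). Exits with status 1 when stdin gives no name.
  echo
  echo "please enter the website name or domain name that you want to generate a SSL Certificate"
  echo "SSL Domain Name = ? (pls don't specify a format with asterisk e.g. *.domain.com)"
  while true; do
    if ! read -r domainname && [ -z "$domainname" ]; then
      echo "no domain name given, exiting" >&2
      exit 1
    fi
    case "$domainname" in
      ''|*/*|*[[:space:]]*|*'*'*)
        echo "invalid domain name '$domainname', pls enter e.g. www.domain.com" ;;
      *) break ;;
    esac
  done
  if [ "$is_wildcard" = "y" ]; then
    domainname="*.$domainname"
  fi
  echo
  # quoted: echo $domainname would glob-expand a wildcard name
  echo "$domainname"
  keyfile="$httpdconfdir/ssl.key/$domainname.2048.key"
  certfile="$httpdconfdir/ssl.crt/$domainname.2048.crt"
  csrfile="$httpdconfdir/ssl.csr/$domainname.2048.csr"
}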
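is_root_user() {
  # Abort with status 1 unless the effective uid is 0; the script writes
  # under $httpdconfdir and /root. Sets root_user to 1 (root) or 0.
  local user
  user=$(id -u)
  # string compare: an empty result (id failed) counts as not root instead
  # of raising an "integer expression expected" error and falling through
  if [ "$user" != "0" ]; then
    # was root_user=1 here, contradicting the flag's meaning
    root_user=0
    echo
    echo " ##### IMPORTANT NOTICE #####"
    echo
    echo "you need to run this script as root user or with root privilege"
    echo
    echo "you can also run it using sudo for example: "
    echo
    echo
    echo
    echo "$ sudo bash prepcert.sh"
    echo
    echo
    echo
    echo "current user id is $user "
    echo
    id
    echo
    echo -n "exiting..."
    sleep 3
    echo -n "done"
    echo
    # was a bare 'exit' (status 0) on the failure path
    exit 1
  else
    root_user=1
    echo
    echo
    echo -n "script is running as user id $user which is good. "
    sleep 2
    echo -n "will proceed....."
    echo
    sleep 2
  fi
}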
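prepcert() {
  # Main flow: enforce root, ask whether the certificate is a wildcard, pick
  # the domain and file names, reuse or generate a 2048-bit key, then create
  # the CSR and self-signed certificate and verify key/cert agreement.
  is_root_user
  # Loop until the answer is y or n. An empty answer means n, as the
  # prompt's "(n)" advertises.
  while true; do
    echo
    echo -n "Is this a wildcard SSL certificate? e.g. y/(n)"
    echo
    read -r is_wildcard
    case "$is_wildcard" in
      y) break ;;
      ''|n) is_wildcard=n; break ;;
      *) echo "pls choose y or n" ;;
    esac
  done
  get_domain
  check_keyfile_exist
  if [ "$keyfile_exist" -eq 1 ]; then
    verify_keyfile_2048
    if [ "$keyfile_2048" -ne 1 ]; then
      genkey || return 1
    fi
  else
    genkey || return 1
  fi
  if [ "$keyfile_exist" -eq 1 ] && [ "$keyfile_2048" -eq 1 ]; then
    gencsr
    genselfcert
  fi
  verify_keyfile_matches_certfile
  echo
  echo "SSL Private Key file: $keyfile"
  echo "SSL Certificate File: $certfile"
  echo "SSL Certificate Request file: $csrfile"
  echo
}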
# Entry point: runs the interactive flow (is_root_user exits early when not root).
prepcert