script from http://rimuhosting.com/howto/modssl.jsp
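#!/bin/bash
# prepcert.sh - prepare a 2048-bit RSA private key, a CSR and a temporary
# self-signed certificate for one domain under the Apache config tree.
# Interactive (prompts for the domain and the DN fields); must run as root.
# Original: http://rimuhosting.com/howto/modssl.jsp

# Apache config root: RHEL layout by default, Debian layout when present.
httpdconfdir=/etc/httpd/conf
[ -e /etc/apache2 ] && httpdconfdir=/etc/apache2

# Shared state; the check_*/verify_*/gen* functions below read and update it.
is_wildcard="n"          # "y" prefixes the common name with "*."
domainname=""
keyfile=""
certfile=""
csrfile=""
conffile=".sslconf"      # openssl req config written by create_config_file (cwd)
keyfile_2048=0
keyfile_exist=0
certfile_2048=0
certfile_exist=0
root_user=1
fn=$(date +%d%m%Y-%H%M)  # timestamp suffix so existing files are never overwritten
cacertfile="$httpdconfdir/ssl.crt/RapidSSL_CA_bundle.pem"

# Create the private key, CSR and certificate directories. Paths are quoted
# everywhere in this script because a wildcard domain puts a '*' into them.
mkdir -p "$httpdconfdir/ssl.key" "$httpdconfdir/ssl.csr" "$httpdconfdir/ssl.crt"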
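#######################################
# Check that the private key and the certificate belong together by comparing
# the RSA modulus of each.
# Globals:  keyfile, certfile (read)
# Outputs:  progress text on stdout
# Returns:  0 when the moduli match, 1 when they differ or either file could
#           not be read
#######################################
function verify_keyfile_matches_certfile() {
  local certmod keymod
  echo
  echo "Using the following files for private key and certificate verification"
  echo
  echo "Private Key file: $keyfile"
  echo "Certificate file: $certfile"
  echo
  echo
  sleep 2
  echo -n "verifying ssl private key and certificate..."
  # Compare the hex moduli directly. Hashing them first (as the original did)
  # made two unreadable files "match", because md5("") == md5("").
  certmod=$(openssl x509 -noout -modulus -in "$certfile")
  keymod=$(openssl rsa -noout -modulus -in "$keyfile")
  if [ -n "$certmod" ] && [ "$certmod" == "$keymod" ]; then
    sleep 4
    echo -n "done"
    echo
    echo
    echo
    echo "Congratulations!"
    echo "SSL Private Key and Certificate matches!"
    sleep 2
    return 0
  fi
  sleep 3
  echo -n "done"
  echo
  echo
  echo
  echo " WARNING!"
  echo "SSL Private Key and Certifcate DOES NOT match!!!!"
  sleep 2
  return 1
}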
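#######################################
# Prompt for the certificate subject fields and write an openssl req config.
# Globals:  conffile (path written), domainname (used as the CN)
# Inputs:   country, state, locality, organization and e-mail from stdin
# Outputs:  the config file at $conffile
# Returns:  1 if stdin ends before all fields were read
#######################################
function create_config_file() {
  local COUNTRY STATE LOCALITY ORGNAME EMAIL
  # -r keeps backslashes in the typed values literal.
  read -r -p 'COUNTRY 2 Letter: ' COUNTRY || return 1
  read -r -p 'State or Province: ' STATE || return 1
  read -r -p 'Locality (city): ' LOCALITY || return 1
  read -r -p 'Organization: ' ORGNAME || return 1
  read -r -p 'Email Address: ' EMAIL || return 1
  # default_md is sha256: the original wrote sha1, which public CAs reject
  # for CSRs and which would also sign the self-signed certificate.
  cat <<EODOC > "$conffile"
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = $COUNTRY
ST = $STATE
L = $LOCALITY
O = $ORGNAME
CN = $domainname
emailAddress = $EMAIL
EODOC
}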
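#######################################
# Generate a certificate signing request for $domainname signed with $keyfile.
# An existing regular CSR file is kept; the new one gets a -$fn suffix and
# becomes $csrfile.
# Globals:  keyfile, conffile, fn (read); csrfile (may be updated)
# Returns:  1 if the config could not be written, else the status of openssl
#######################################
function gencsr() {
  local target="$csrfile"
  create_config_file || return 1
  if [ -e "$csrfile" ] && [ ! -L "$csrfile" ]; then
    target="$csrfile-$fn"
    echo
    echo "There's already an existing CSR file $csrfile"
    echo
    echo "The new CSR file will be $target"
    echo "generating CSR.."
    echo
    csrfile="$target"
  else
    echo
    echo "generating Certificate Signing Request..$csrfile"
    echo
  fi
  # Create your certificate signing request. This is what you'll send out to
  # get your certificate. The common name comes from $conffile (prompt = no),
  # so nothing is asked here and it must match your domain name.
  openssl req -new -key "$keyfile" -config "$conffile" -out "$target"
}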
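#######################################
# Make sure a 2048-bit RSA private key exists for $domainname.
# Case 1: $keyfile is an existing regular file (e.g. a weaker key): a new
#         timestamped key is generated next to it and becomes $keyfile.
# Case 2: $keyfile does not exist: a timestamped key is generated and the
#         convenience symlink $domainname.2048.key is pointed at it.
# Globals:  httpdconfdir, domainname, fn (read); keyfile, keyfile_exist,
#           keyfile_2048 (written)
# Returns:  1 if openssl genrsa fails (flags are then left untouched)
#######################################
function genkey() {
  local new_keyfile
  if [ -e "$keyfile" ] && [ ! -L "$keyfile" ]; then
    new_keyfile="$httpdconfdir/ssl.key/$domainname.2048.key-$fn"
    echo
    echo "There's already an existing private key file $keyfile"
    echo "The new private key will be $new_keyfile"
    echo "generating 2048 private key"
    # add a -des3 option to the command if you want to use a password with your key
    # umask 077: the key file must never be readable by others, not even
    # between creation and the chmod below (the original never chmod'ed this one).
    (umask 077 && openssl genrsa -out "$new_keyfile" 2048) || return 1
    chmod 0600 "$new_keyfile"
    keyfile="$new_keyfile"
    keyfile_exist=1
    keyfile_2048=1
    echo
    echo
    sleep 10
  fi
  if [ ! -e "$keyfile" ]; then
    echo
    echo "will generate 2048 private key"
    echo
    sleep 1
    keyfile="$keyfile-$fn"
    # add a -des3 option to the command if you want to use a password with your key
    (umask 077 && openssl genrsa -out "$keyfile" 2048) || return 1
    keyfile_exist=1
    keyfile_2048=1
    chmod 0600 "$keyfile"
    echo
    echo
    echo "creating a symlink $httpdconfdir/ssl.key/$domainname.2048.key from $keyfile"
    echo "this is for convenience in case an old key is needed for some reasons"
    echo "and just in case apache config is not yet updated to use the new key file $keyfile"
    echo
    # -sfn: the -e test above ruled out a real file at the link path, so this
    # only ever replaces a dangling symlink left by an earlier run.
    ln -sfn "$keyfile" "$httpdconfdir/ssl.key/$domainname.2048.key"
    sleep 1
    ls -al "$httpdconfdir/ssl.key/$domainname.2048.key"
    echo
  fi
}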
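#######################################
# Record whether $certfile carries a 2048-bit public key.
# Globals:  certfile (read); certfile_2048 (written: 1 yes, 0 no)
# Returns:  0 when the key is 2048 bit, 1 otherwise
#######################################
function verify_certfile_2048() {
  local cert_bitness
  echo "checking if ssl certificate is 2048 encryption..."
  echo
  # 2048 bit is required
  cert_bitness=$(openssl x509 -noout -text -in "$certfile" | grep Public-Key | grep -c 2048)
  if [ "$cert_bitness" -eq 1 ]; then
    # the original wrote '$certfile_2048=1', which expands to the command
    # '0=1' and never set the flag
    certfile_2048=1
    echo "Existing certificate $certfile is 2048 bit"
    echo
    return 0
  fi
  certfile_2048=0
  echo "Existing certificate $certfile is NOT 2048 bit"
  echo "we need to generate a new 2048 ssl private key and a new 2048 self-signing certificate"
  return 1
}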
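#######################################
# Look for an existing certificate at the standard location.
# Globals:  httpdconfdir, domainname (read); certfile_exist, certfile (written)
# Returns:  0 when found, 1 when not
#######################################
function check_certfile_exist() {
  local std_cert="$httpdconfdir/ssl.crt/$domainname.2048.crt"
  echo
  echo "checking if you have an existing ssl certificate from our standard location $httpdconfdir/ssl.crt"
  echo
  sleep 2
  if [ -e "$std_cert" ]; then
    certfile_exist=1
    certfile="$std_cert"
    # the original printed $keyfile here
    echo "found an existing certificate file $certfile"
    echo
    sleep 1
    #add here to prompt if you want to generate a new CSR
    return 0
  fi
  certfile_exist=0
  echo "no existing $std_cert found."
  echo
  return 1
}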
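#######################################
# Record whether $keyfile is a 2048-bit RSA private key.
# Globals:  keyfile (read); keyfile_2048 (written: 1 yes, 0 no)
# Returns:  0 when the key is 2048 bit, 1 otherwise
#######################################
function verify_keyfile_2048() {
  local key_bitness
  echo "checking if private key file is 2048 bit encryption"
  key_bitness=$(openssl rsa -noout -text -in "$keyfile" | grep Private-Key | grep -c 2048)
  if [ "$key_bitness" -eq 1 ]; then
    keyfile_2048=1
    sleep 1
    echo
    echo "key file $keyfile is 2048 bit encryption"
    echo
    sleep 1
    return 0
  fi
  keyfile_2048=0
  echo "Existing key file $keyfile is NOT 2048 bit encryption"
  echo "we need to generate 2048 bit private key"
  sleep 1
  return 1
}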
#######################################
# Look for an existing private key: first $domainname.2048.key, then the
# older $domainname.key naming, both under $httpdconfdir/ssl.key.
# Globals:  httpdconfdir, domainname (read); keyfile_exist, keyfile (written)
#######################################
function check_keyfile_exist() {
  local std_key="$httpdconfdir/ssl.key/$domainname.2048.key"
  local alt_key="$httpdconfdir/ssl.key/$domainname.key"
  echo
  echo "checking if you have an existing private ssl key from our standard location $httpdconfdir/ssl.key"
  echo
  sleep 2
  if [ -e "$std_key" ]; then
    keyfile_exist=1
    keyfile="$std_key"
    echo "found an existing private key file $keyfile"
    sleep 1
    #add here to prompt if you want to generate a new CSR
    return
  fi
  echo "no existing $std_key found."
  sleep 1
  echo
  echo "looking for another key. file name $alt_key"
  sleep 1
  echo
  if [ ! -e "$alt_key" ]; then
    keyfile_exist=0
    echo "no existing private key files found..."
    sleep 1
    return
  fi
  keyfile_exist=1
  keyfile="$alt_key"
  echo "found an existing private key file $keyfile"
  sleep 1
  echo
}
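#######################################
# Create a self-signed certificate from $csrfile and $keyfile so the site can
# serve TLS until the CA-issued certificate replaces it. Also fetches the CA
# bundle when missing, records the settings in /root/sslorderdetails and
# prints the VirtualHost directives to add.
# Globals:  csrfile, keyfile, httpdconfdir, domainname, fn, cacertfile (read);
#           certfile (written)
#######################################
function genselfcert() {
  local new_certfile
  # create a self signed certificate for now. You will overwrite this
  # certificate with the one your SSL provider issues you
  if [ ! -e "$certfile" ]; then
    echo
    certfile="$certfile-$fn"
    echo "generating a new self-signed certificate"
    # -sha256: with -in the digest comes from the system openssl.cnf, so make
    # it explicit instead of risking a SHA-1 signed certificate
    openssl req -x509 -sha256 -days 365 -in "$csrfile" -key "$keyfile" -out "$certfile"
    echo "creating a symlink $httpdconfdir/ssl.crt/$domainname.2048.crt from $certfile"
    echo "just in case apache config is not updated to use the new cert file $certfile"
    # -sfn: -e above ruled out a real file, so only a dangling symlink is replaced
    ln -sfn "$certfile" "$httpdconfdir/ssl.crt/$domainname.2048.crt"
    echo
    sleep 1
  else
    echo
    new_certfile="$certfile-$fn"
    echo "generating a new self-signed certificate $new_certfile"
    openssl req -x509 -sha256 -days 365 -in "$csrfile" -key "$keyfile" -out "$new_certfile"
    certfile="$new_certfile"
    echo
    sleep 1
  fi
  # Double check your input:
  # openssl req -noout -text -in $httpdconfdir/ssl.csr/$domainname.2048.csr
  # Download the RapidSSL CA Bundle to $cacertfile (ssl.crt). The original
  # tested for it under ssl.key, so it re-downloaded on every run.
  # NOTE(review): this is an unauthenticated plain-HTTP download; compare the
  # bundle against the CA's published certificate fingerprints before use.
  if [ ! -e "$cacertfile" ]; then
    if ! wget -q -O "$cacertfile" http://downloads.rimuhosting.com/RapidSSL_CA_bundle.pem; then
      # don't leave an empty or partial bundle that later looks "present"
      rm -f -- "$cacertfile"
      echo "WARNING: could not download the CA bundle to $cacertfile" >&2
    fi
  fi
  # save the conf settings for when we get the cert; %q quotes the values so
  # the file stays safe to source whatever the typed domain name contained
  {
    echo
    printf 'export domainname=%q\n' "$domainname"
    printf 'export httpdconfdir=%q\n' "$httpdconfdir"
  } > /root/sslorderdetails
  # cat $httpdconfdir/ssl.key/$domainname.2048.key
  # cat $httpdconfdir/ssl.csr/$domainname.2048.csr
  echo "Common Name = $domainname"
  echo
  #for new certificates
  echo "You will need to add this to your SSL-enabled VirtualHost:"
  echo "################### START HERE#########################"
  echo "SSLEngine On
SSLCertificateFile $certfile
SSLCertificateKeyFile $keyfile
SSLCACertificateFile $cacertfile"
  echo "################### END HERE #########################"
  echo
  echo
  echo
}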
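#######################################
# Ask for the domain name and derive the key, certificate and CSR paths.
# Globals:  is_wildcard, httpdconfdir (read); domainname, keyfile, certfile,
#           csrfile (written)
# Inputs:   the domain name from stdin (re-prompts on unusable input)
# Returns:  1 if stdin ends before a usable name was entered
#######################################
function get_domain() {
  echo
  echo "please enter the website name or domain name that you want to generate a SSL Certificate"
  echo "SSL Domain Name = ? (pls don't specify a format with asterisk e.g. *.domain.com)"
  # The name becomes part of file paths under $httpdconfdir, so refuse values
  # that are empty or could leave that directory (slashes, whitespace).
  while :; do
    read -r domainname || return 1
    case "$domainname" in
      ''|*/*|*[[:space:]]*) echo "pls enter a plain host name, e.g. www.domain.com" ;;
      *) break ;;
    esac
  done
  if [ "$is_wildcard" == "y" ]; then
    domainname="*.$domainname"
  fi
  echo
  echo "$domainname"
  keyfile="$httpdconfdir/ssl.key/$domainname.2048.key"
  certfile="$httpdconfdir/ssl.crt/$domainname.2048.crt"
  csrfile="$httpdconfdir/ssl.csr/$domainname.2048.csr"
}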
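#######################################
# Abort unless the script runs as uid 0; key files under $httpdconfdir and
# /root/sslorderdetails need root.
# Globals:  root_user (written: 1 when root, 0 when not)
# Outputs:  explanation on stdout
# Exits:    1 when not running as root
#######################################
function is_root_user() {
  local user
  user=$(id -u)
  if [ "$user" -ne 0 ]; then
    # the original set root_user=1 here, the same value as the default
    root_user=0
    echo
    echo " ##### IMPORTANT NOTICE #####"
    echo
    echo "you need to run this script as root user or with root privilege"
    echo
    echo "you can also run it using sudo for example: "
    echo
    echo
    echo
    echo "$ sudo bash prepcert.sh"
    echo
    echo
    echo
    echo "current user id is $user "
    echo
    id
    echo
    echo -n "exiting..."
    sleep 3
    echo -n "done"
    echo
    # non-zero so a wrapper (or the original 'exit', which returned 0) can tell
    exit 1
  fi
  root_user=1
  echo
  echo
  echo -n "script is running as user id $user which is good. "
  sleep 2
  echo -n "will proceed....."
  echo
  sleep 2
}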
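#######################################
# Interactive driver: check privileges, ask wildcard/domain, make sure a
# 2048-bit key exists, then create the CSR and a self-signed certificate and
# confirm key and certificate belong together.
# Globals:  all script-level state, via the helper functions
# Exits:    1 if stdin closes at the wildcard prompt
#######################################
function prepcert() {
  is_root_user
  while true; do
    echo
    echo -n "Is this a wildcard SSL certificate? e.g. y/(n)"
    echo
    # stop on EOF instead of spinning forever on a closed stdin
    read -r is_wildcard || exit 1
    case "$is_wildcard" in
      y|n) break ;;
      *) echo "pls choose y or n" ;;
    esac
  done
  get_domain
  check_keyfile_exist
  if [ "$keyfile_exist" -eq 1 ]; then
    verify_keyfile_2048
    if [ "$keyfile_2048" -ne 1 ]; then
      genkey
    fi
  else
    genkey
  fi
  # genkey sets both flags after a successful generation, so a fresh key
  # also reaches the CSR step
  if [ "$keyfile_exist" -eq 1 ] && [ "$keyfile_2048" -eq 1 ]; then
    gencsr
    genselfcert
  fi
  verify_keyfile_matches_certfile
  echo
  echo "SSL Private Key file: $keyfile"
  echo "SSL Certificate File: $certfile"
  echo "SSL Certificate Request file: $csrfile"
  echo
}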
# Entry point: run the interactive workflow.
prepcert