Last active
August 29, 2015 14:01
-
-
Save bendechrai/0aadac3b062ee59d8a9c to your computer and use it in GitHub Desktop.
OpenSSL certificate generation helper script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ################################################################################################################ | |
| # | |
| # Place this script in /etc/ssl/private and chown it root and chmod 700 | |
| # | |
| # This script will generate basic OpenSSL files and self-sign a certificate | |
| # | |
| # Usage is `gencert domain.name` and the result is domain.name.{key,csr,crt,pem} | |
| # If the domain name provided is a wildcard, the asterisk is replaced with an underscore | |
| # | |
| # Files are stored in a directory with name including current timestamp. It's recommended to symlink the files | |
| # to the /etc/ssl/private directory and use those in other configuration files, for ease of replacing | |
| # certificates in the future. | |
| # | |
| # CSR is created using OpenSSL defaults to all questions with the exception of common name, which is domain.name | |
| # | |
| ################################################################################################################ | |
| # Ensure we're in the same directory at this script | |
| pushd `dirname $0` > /dev/null | |
| # Get the domain and filenames | |
| domain=$1 | |
| filename=`echo $1 | sed "s/\*/_/"` | |
| # If no domain, display usage information | |
| if [ $domain"" = "" ] | |
| then | |
| echo Usage: $0 domain-name | |
| popd > /dev/null | |
| exit | |
| fi | |
| # We're going to store the files in a directory with the current date appended, so we never clobber previous certificates | |
| dir=$filename.`date +%F` | |
| if [ -d $dir ] | |
| then | |
| echo Directory $dir exists already. Aborting | |
| popd > /dev/null | |
| exit | |
| fi | |
| # Create the directory | |
| mkdir $dir | |
| cd $dir | |
| # Create the key | |
| openssl genrsa -rand /var/log/messages -out $filename.key 4096 | |
| # Create the CSR, feeding answers to the interactive process via echo and pipe | |
| echo " | |
| . | |
| . | |
| . | |
| . | |
| $domain | |
| . | |
| . | |
| . | |
| " | openssl req -new -sha256 -key $filename.key -out $filename.csr | |
| # Self sign the CSR | |
| openssl x509 -req -days 365 -in $filename.csr -signkey $filename.key -out $filename.crt | |
| # Concat the key and crt to create a pem file | |
| cat $filename.key $filename.crt > $filename.pem | |
| # Secure access permissions | |
| chmod 600 $filename.* | |
| echo | |
| echo Certificate for $domain self-signed. Use this CSR if you want to create another certificate | |
| echo | |
| cat $filename.csr | |
| popd > /dev/null |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Just confirmed a cert generated with the options set out in this script, along with a properly configured http daemon, will score 100% in Calomel SSL: https://twitter.com/bendechrai/status/483841505577025536