Skip to content

Instantly share code, notes, and snippets.

@dgulinobw
Created January 25, 2017 21:59
Show Gist options
  • Save dgulinobw/5a8916dc0cdbd495b78da69cefe00f32 to your computer and use it in GitHub Desktop.
Save dgulinobw/5a8916dc0cdbd495b78da69cefe00f32 to your computer and use it in GitHub Desktop.
Script for generating, CA, server, and client certs
#!/bin/bash
# USAGE: > gen_certs.sh <root cert name> <server cert name> <client cert name>
if [ "$#" -ne 3 ]; then
echo "Illegal arguments, USAGE: > gen_certs.sh <root cert name> <server cert name> <client cert name>"
exit 1
fi
mkdir testca
cd testca
mkdir certs private
chmod 700 private
echo 01 > serial
touch index.txt
echo "[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = \$dir/cacert.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_crl_days = 7
default_days = 3650
default_md = sha256
policy = testca_policy
x509_extensions = certificate_extensions
[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1" > openssl.cnf
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 3650 -out cacert.pem -outform PEM -subj /CN=$1/ -nodes
openssl x509 -in cacert.pem -out cacert.cer -outform DER
cd ..
mkdir server
cd server
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$2/O=server/ -nodes
cd ../testca
pwd
openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ..
mkdir client
cd client
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$3/O=client/ -nodes
cd ../testca
openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment