@dwallraff
Last active September 26, 2019 17:27
Commands to create a self-signed SSL cert or CSRs using the openssl conf from https://gist.github.com/dwallraff/c1ed31291ac7cf19304b
##### Commands to generate SSL certs/artifacts
# Download the temp.cnf file using the wget command below
# Edit temp.cnf and add your information
# Run the uncommented commands to generate a self-signed cert (cert.pem) and private key (keyfile.pem)
wget https://gist.githubusercontent.com/dwallraff/c1ed31291ac7cf19304b/raw/e06feacbb85ac63659e6c1c40c70d5481522b390/temp.cnf
# Generate a new keyfile. A 2048 bit key size is TOTALLY fine. Jack it up to 4096 and wait if you must...
openssl genrsa -out keyfile.key 2048
## Or use elliptic curve instead of RSA. We're just using this to sign certs, so P-256 is just fine.
# openssl ecparam -genkey -out keyfile.key -name prime256v1
## Generate a cert. Expires in 30 days. Get a real cert. Or change the number of days.
openssl req -x509 -new -key keyfile.key -out cert.pem -extensions server_req_extensions -config temp.cnf -days 30
#########################
##### Verify stuffs
## Verify a CSR
# openssl req -text -noout -verify -in csr.csr
## Verify a cert
# openssl x509 -text -noout -in cert.pem
## Verify a key
# openssl rsa -check -in server.key -noout
## Verify a live cert
# openssl s_client -connect <domain>:443
## Verify your keyfile matches your cert. MD5 sums should match.
# openssl x509 -noout -modulus -in server.crt | openssl md5
# openssl rsa -noout -modulus -in server.key | openssl md5
## 'Proper' key/cert verification: compare the public key extracted from the cert with the one derived from the private key.
## (The <( ... ) process substitution needs bash, not plain sh.)
# diff <(openssl x509 -in ssl.crt -pubkey -noout) <(openssl rsa -in ssl.key -pubout)
#
# Or use the 'pkey' sub-command in newer versions of OpenSSL, which supports all key types (EC as well as RSA)
# diff <(openssl x509 -pubkey -in certificate.pem -noout) <(openssl pkey -pubout -in private-key.pem -outform PEM 2>/dev/null)
#########################
##### Commands involving a CSR
## Generate a new key (2048 rsa) and a CSR - REQUIRES USER INPUT
# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout keyfile.key
## Generate a new key and a CSR using temp.cnf to allow for SANs in the CSR.
# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout keyfile.key -config temp.cnf
## Generate a cert from a CSR. Expires in 30 days. Get a real cert. Or change the number of days.
## Note: no -new here. With -new, openssl req ignores -in and builds a fresh request instead of signing csr.csr.
# openssl req -x509 -key keyfile.key -in csr.csr -out cert.pem -extensions server_req_extensions -config temp.cnf -days 30
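The CSR flow above and the "proper" key/cert check can be exercised end to end. The script below is an added example, not part of the gist: it writes a small constructed config that stands in for temp.cnf (the real temp.cnf is not reproduced here; hostnames like example.internal are placeholders), generates a P-256 key, a CSR carrying SANs, and a 30-day self-signed cert, then verifies that the private key really belongs to the cert by comparing public keys with openssl pkey, which works for EC keys where the RSA-modulus/MD5 trick does not. It assumes only the openssl CLI and bash.

```shell
#!/usr/bin/env bash
# Added example (not from the gist). Requires bash and the openssl CLI.
set -euo pipefail

# Constructed minimal config standing in for temp.cnf. The [ req ] section
# points at server_req_extensions so the SANs land in the CSR as well.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = server_req_extensions
prompt = no

[ dn ]
CN = example.internal

[ server_req_extensions ]
subjectAltName = DNS:example.internal, DNS:www.example.internal
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Returns 0 when the public half of the private key equals the public key in
# the cert. openssl pkey handles RSA and EC alike, unlike the modulus/MD5 check.
key_matches_cert() {
  local key="$1" cert="$2"
  local kpub cpub
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$cert" -pubkey -noout)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Returns 0 when the cert's text dump lists the given DNS SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Full flow in a work dir: EC key -> CSR from config -> self-signed cert that
# copies the server_req_extensions section from the same config file.
make_cert() {
  local dir="$1"
  write_config "$dir/temp.cnf"
  openssl ecparam -genkey -noout -out "$dir/keyfile.key" -name prime256v1
  openssl req -new -key "$dir/keyfile.key" -out "$dir/csr.csr" -config "$dir/temp.cnf"
  openssl x509 -req -in "$dir/csr.csr" -signkey "$dir/keyfile.key" -out "$dir/cert.pem" \
    -days 30 -extfile "$dir/temp.cnf" -extensions server_req_extensions 2>/dev/null
}

# Stand-alone demo: build everything in a temp dir and report the checks.
workdir=$(mktemp -d)
make_cert "$workdir"
if key_matches_cert "$workdir/keyfile.key" "$workdir/cert.pem"; then
  echo "key and cert agree"
else
  echo "key does NOT match cert"
fi
cert_has_san "$workdir/cert.pem" www.example.internal && echo "SAN present"
```

A mismatch (for example a cert copied next to the wrong key on a server) makes key_matches_cert return non-zero, so the function slots straight into a deploy or config-management check; the CSR itself can still be inspected with the gist's `openssl req -text -noout -verify -in csr.csr` and will show the same SANs.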