@estevesd
Created May 12, 2022 14:08
Generate CA and SSL self signed certificates with alternative names and wildcard
#!/bin/bash
# Create a local CA (once) and a server certificate for $DOMAIN and *.$DOMAIN signed by it.
# To inspect the issued certificate run: openssl x509 -in certs/example.com.crt -text -noout
set -euo pipefail

DOMAIN='example.com'
CERTS_COUNTRY='US'
CERTS_STATE='California'
CERTS_CITY='San Francisco'
CERTS_ORGANIZATION='Organisation'
CERTS_ORGANIZATIONAL_UNIT='Organisational unit'
CA_PASS='ca key password'            # passphrase protecting the CA private key; change it
CA_COMMON_NAME='example CA'
CA_DIR='ca'
CERT_DIR='certs'
CA_KEY="$CA_DIR/ca.key"
CA_CRT="$CA_DIR/ca.crt"
CERT_KEY="$CERT_DIR/$DOMAIN.key"
CERT_CRT="$CERT_DIR/$DOMAIN.crt"
CERT_CSR="$CERT_DIR/$DOMAIN.csr"
CERTS_SUBJ="/C=${CERTS_COUNTRY}/ST=${CERTS_STATE}/L=${CERTS_CITY}/O=${CERTS_ORGANIZATION}/OU=${CERTS_ORGANIZATIONAL_UNIT}/CN="
CA_PASS="pass:$CA_PASS"              # form expected by openssl -passin / -passout

# Create the CA only when it is missing, so re-running the script keeps issuing from the same root.
if [ ! -e "$CA_KEY" ] || [ ! -e "$CA_CRT" ]; then
    mkdir -p "$CA_DIR"
    openssl genrsa -des3 -passout "$CA_PASS" -out "$CA_KEY" 2048
    openssl req -new -x509 -passin "$CA_PASS" -nodes -sha256 -days 3650 \
        -key "$CA_KEY" -out "$CA_CRT" -subj "${CERTS_SUBJ}${CA_COMMON_NAME}"
fi

# Extension file for the leaf certificate. A private temporary file is used instead of a fixed,
# predictable path under /tmp, and it is removed on exit even if a later command fails.
# Note that *.$DOMAIN matches exactly one label (www.example.com, not a.b.example.com) and does
# not match the bare domain, which is why DNS.1 is listed separately.
SSL_CONF="$(mktemp)"
trap 'rm -f "$SSL_CONF"' EXIT
cat > "$SSL_CONF" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
DNS.2 = *.$DOMAIN
EOF

mkdir -p "$CERT_DIR"
openssl genrsa -out "$CERT_KEY" 2048
openssl req -new -key "$CERT_KEY" -out "$CERT_CSR" -subj "${CERTS_SUBJ}${DOMAIN}"
# Sign the CSR with the CA; 397 days stays within the lifetime browsers accept for server certs.
openssl x509 -req -passin "$CA_PASS" -in "$CERT_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$CERT_CRT" -days 397 -sha256 -extfile "$SSL_CONF"
chmod 0640 "$CERT_KEY"
chown www:www "$CERT_KEY"            # the web server account that must read the key; adjust to your system
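The gist only suggests dumping the certificate with `openssl x509 -text`, which shows the SAN entries but not what a client will actually accept. The script below is an added example (not part of the gist) that builds a throwaway CA and a leaf certificate with the same SAN layout (DNS.1 = example.com, DNS.2 = *.example.com) in a temporary directory, then uses `openssl verify -verify_hostname` to answer the questions a practitioner cares about: does the leaf chain to the CA, which hostnames does the wildcard cover, and is the private CA trusted by the system store without being installed. The function names `cert_matches_host` and `trusted_by_system_store`, the test CA name and the unencrypted CA key are assumptions made here for brevity; it requires `openssl` on the PATH.

```shell
#!/bin/sh
# Added example: constructs a test CA and a leaf certificate mirroring the gist's SAN layout,
# then checks chain validity and hostname matching the way a TLS client would.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DOMAIN='example.com'
CA_KEY="$WORK/ca.key"; CA_CRT="$WORK/ca.crt"
CERT_KEY="$WORK/leaf.key"; CERT_CSR="$WORK/leaf.csr"; CERT_CRT="$WORK/leaf.crt"

# Constructed CA config: explicit CA:TRUE plus a subjectKeyIdentifier, which the leaf's
# authorityKeyIdentifier=keyid,issuer extension refers back to. Key left unencrypted here.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -extensions v3_ca -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null

# Leaf extension file with the same alt_names layout as the gist's script.
cat > "$WORK/leaf.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
DNS.2 = *.$DOMAIN
EOF
openssl genrsa -out "$CERT_KEY" 2048 2>/dev/null
openssl req -new -key "$CERT_KEY" -out "$CERT_CSR" -subj "/CN=$DOMAIN" 2>/dev/null
openssl x509 -req -in "$CERT_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$CERT_CRT" -days 397 -sha256 -extfile "$WORK/leaf.ext" 2>/dev/null

# Returns 0 only if the leaf chains to our CA AND its SAN covers the given hostname,
# i.e. the decision a client that trusts ca.crt would make for that name.
cert_matches_host() {
    openssl verify -CAfile "$CA_CRT" -verify_hostname "$1" "$CERT_CRT" >/dev/null 2>&1
}

# Returns 0 if the leaf verifies against the default trust store alone. It must not:
# a private CA is trusted only on hosts where its certificate has been installed.
trusted_by_system_store() {
    openssl verify "$CERT_CRT" >/dev/null 2>&1
}

# Prints the SAN line so the wildcard entry can be compared with the results below.
show_sans() {
    openssl x509 -in "$CERT_CRT" -noout -text | grep -A1 'Subject Alternative Name'
}

show_sans
for host in "$DOMAIN" "www.$DOMAIN" "a.b.$DOMAIN" "other.org"; do
    if cert_matches_host "$host"; then
        echo "accepted: $host"
    else
        echo "rejected: $host"     # a.b.example.com is rejected: the wildcard covers one label only
    fi
done
if trusted_by_system_store; then
    echo "WARNING: leaf trusted without the private CA"
else
    echo "not trusted by the system store (expected until ca.crt is installed)"
fi
```

The rejection of `a.b.example.com` is the point worth remembering when relying on `*.example.com`: each additional subdomain level needs its own SAN entry, and the bare domain needs `DNS.1` because the wildcard does not cover it either.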