Generate a CA and CA-signed SSL certificates with subject alternative names and a wildcard
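#!/usr/bin/env bash
#######################################
# Generate a private CA (once) and a CA-signed server certificate for DOMAIN
# whose subjectAltName covers the bare domain and its wildcard.
#
# Outputs:
#   $CA_DIR/ca.key, $CA_DIR/ca.crt      created only when both are absent
#   $CERT_DIR/$DOMAIN.key|.csr|.crt     regenerated on every run
#
# Environment overrides (all optional; defaults match the original script):
#   DOMAIN CERTS_COUNTRY CERTS_STATE CERTS_CITY CERTS_ORGANIZATION
#   CERTS_ORGANIZATIONAL_UNIT CA_PASS CA_COMMON_NAME CA_DIR CERT_DIR KEY_OWNER
#
# To inspect the result: openssl x509 -in certs/example.com.crt -text -noout
#######################################
set -euo pipefail

DOMAIN="${DOMAIN:-example.com}"
CERTS_COUNTRY="${CERTS_COUNTRY:-US}"
CERTS_STATE="${CERTS_STATE:-California}"
CERTS_CITY="${CERTS_CITY:-San Francisco}"
CERTS_ORGANIZATION="${CERTS_ORGANIZATION:-Organisation}"
CERTS_ORGANIZATIONAL_UNIT="${CERTS_ORGANIZATIONAL_UNIT:-Organisational unit}"
# The default is a placeholder kept for compatibility; set CA_PASS in the
# environment for any CA you intend to keep. The passphrase is handed to
# openssl via env:CA_PASS so it never appears in the process argument list.
CA_PASS="${CA_PASS:-ca key password}"
CA_COMMON_NAME="${CA_COMMON_NAME:-example CA}"
CA_DIR="${CA_DIR:-ca}"
CERT_DIR="${CERT_DIR:-certs}"
KEY_OWNER="${KEY_OWNER:-www:www}"
export CA_PASS

readonly CA_KEY="$CA_DIR/ca.key"
readonly CA_CRT="$CA_DIR/ca.crt"
readonly CERT_KEY="$CERT_DIR/$DOMAIN.key"
readonly CERT_CRT="$CERT_DIR/$DOMAIN.crt"
readonly CERT_CSR="$CERT_DIR/$DOMAIN.csr"
readonly CERTS_SUBJ="/C=${CERTS_COUNTRY}/ST=${CERTS_STATE}/L=${CERTS_CITY}/O=${CERTS_ORGANIZATION}/OU=${CERTS_ORGANIZATIONAL_UNIT}/CN="

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Create the CA key and certificate when neither exists.
# Globals:  CA_DIR CA_KEY CA_CRT CA_PASS CERTS_SUBJ CA_COMMON_NAME
# Returns:  0 when a complete CA is present afterwards; exits via die()
#           when only one of the two CA files exists (signing would fail
#           later, and silently overwriting a trust anchor is worse).
#######################################
ensure_ca() {
  if [[ -e "$CA_KEY" && -e "$CA_CRT" ]]; then
    return 0
  fi
  if [[ -e "$CA_KEY" || -e "$CA_CRT" ]]; then
    die "partial CA state: only one of $CA_KEY / $CA_CRT exists; remove both to regenerate"
  fi
  mkdir -p -- "$CA_DIR"
  # umask in a subshell so the key file is never created world-readable.
  (umask 077; openssl genrsa -aes256 -passout env:CA_PASS -out "$CA_KEY" 2048)
  chmod 0600 -- "$CA_KEY"
  openssl req -new -x509 -passin env:CA_PASS -sha256 -days 3650 \
    -key "$CA_KEY" -out "$CA_CRT" -subj "${CERTS_SUBJ}${CA_COMMON_NAME}"
}

#######################################
# Write the x509v3 extension file used when signing the server cert.
# Arguments: $1 - path of the extension file to write
# Globals:   DOMAIN
#######################################
write_ext_conf() {
  local conf=$1
  cat >"$conf" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
DNS.2 = *.$DOMAIN
EOF
}

#######################################
# Generate the server key and CSR, sign it with the CA, and set ownership.
# Arguments: $1 - path of the extension file
# Globals:   CERT_DIR CERT_KEY CERT_CSR CERT_CRT CA_CRT CA_KEY CA_PASS
#            CERTS_SUBJ DOMAIN KEY_OWNER
#######################################
issue_server_cert() {
  local conf=$1
  mkdir -p -- "$CERT_DIR"
  (umask 077; openssl genrsa -out "$CERT_KEY" 2048)
  openssl req -new -key "$CERT_KEY" -out "$CERT_CSR" -subj "${CERTS_SUBJ}${DOMAIN}"
  # 397 days is the maximum lifetime browsers accept for leaf certificates.
  openssl x509 -req -passin env:CA_PASS -in "$CERT_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -out "$CERT_CRT" -days 397 -sha256 -extfile "$conf"
  chmod 0640 -- "$CERT_KEY"
  chown -- "$KEY_OWNER" "$CERT_KEY" \
    || die "chown $KEY_OWNER $CERT_KEY failed (requires root and an existing user)"
}

main() {
  command -v openssl >/dev/null || die "openssl not found in PATH"
  local ssl_conf
  # Unpredictable temp file instead of a fixed /tmp path, removed on any exit.
  ssl_conf=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$ssl_conf"' EXIT
  ensure_ca
  write_ext_conf "$ssl_conf"
  issue_server_cert "$ssl_conf"
}

main "$@"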