fahadysf/create-ca-and-server-cert.sh

## create-ca-and-server-cert.sh
#!/bin/bash
# Parameters for the Root CA Certificate (Self-Signed)
# Please Modify this according to your needs
CA_KEY_SIZE="4096"
# CA Certificate Subject Parameters
# Please Modify these according to your needs
C="SA"
ST="Riyadh"
O="Acme.com"
OU="PA"
CN="PA-AD CA"

# Parameters for the Server Cert
# Please Modify this according to your needs
CERT_KEY_SIZE="2048"

# Server Certificate Subject Parameters
# Please Modify these according to your needs
C_C="SA"
C_ST="Riyadh"
C_O="Acme.com"
C_OU="PA"
# Pay special attention to the CN Field (should be the FQDN of the server)
C_CN="pa-ad.acme.com"
# Specify any SANs you want here
C_SAN1="pa-ad"
C_SAN2="192.168.45.65"

### Output File Names ###
# Please Modify these according to your needs
CA_CRT_FILE="pa-ad-ca.crt"
CA_KEY_FILE="pa-ad-ca.key"
CERT_KEY_FILE="$C_CN.key"
CERT_CSR_FILE="$C_CN.csr"
CERT_FILE="$C_CN.crt"

CA_PFX_FILE="pa-ad-ca.pfx"
CERT_PFX_FILE="$C_CN.pfx"

CA_PFX_PASS="yourpassword-changethis"
CERT_PFX_PASS="yourpassword-changethis"

# CA Cert Validitiy
DURATION="7300"
# Server Cert Validity
CERT_DURATION="3650"

# Generate a Private Key to use for the CA
openssl genrsa -out $CA_KEY_FILE $CA_KEY_SIZE
# Create the CA Certificate
openssl req -x509 -new -nodes -key $CA_KEY_FILE -subj "/C=$C/ST=$ST/O=$O/OU=$OU/CN=$CN" -sha512 -days $DURATION -out $CA_CRT_FILE

# Generate a Server Certificate signed by above CA
# Step-1 Generate a key for this certificate
openssl genrsa -out $CERT_KEY_FILE $CERT_KEY_SIZE
# Step-2 Generate a CSR to be signed by the CA created above
# Note: This requires BASH shell or equivalent.
openssl req -new -sha256 -nodes -out $CERT_CSR_FILE -key $CERT_KEY_FILE -config \
<(printf "\n[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n\
req_extensions = req_ext\ndistinguished_name = dn\n[ dn ]\n\
C=$C_C\nST=$C_ST\nO=$C_O\nOU=$C_OU\nCN=$C_CN\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\
[ alt_names ]\nDNS.1 = $C_SAN1\nDNS.2 = $C_SAN2")
# Step-3 Sign the Certificate based on the CSR and save it.
openssl x509 -req -in $CERT_CSR_FILE -CA $CA_CRT_FILE -CAkey $CA_KEY_FILE -CAcreateserial -out $CERT_FILE -days $CERT_DURATION -sha512

# Package the CA and Server Certs as PKCS12 (.pfx) files
# Export the CA PFX
echo "Generating CA PFX File: $CA_PFX_FILE"
openssl pkcs12 -export -out $CA_PFX_FILE -inkey $CA_KEY_FILE -in $CA_CRT_FILE -passout pass:$CA_PFX_PASS

#Export the Server Cert PFX
echo "Generating Server Cert PFX File: $CERT_PFX_FILE"
openssl pkcs12 -export -out $CERT_PFX_FILE -inkey $CERT_KEY_FILE -in $CERT_FILE -certfile $CA_CRT_FILE -passout pass:$CERT_PFX_PASS
	#!/bin/bash
	# Parameters for the Root CA Certificate (Self-Signed)
	# Please Modify this according to your needs
	CA_KEY_SIZE="4096"
	# CA Certificate Subject Parameters
	# Please Modify these according to your needs
	C="SA"
	ST="Riyadh"
	O="Acme.com"
	OU="PA"
	CN="PA-AD CA"

	# Parameters for the Server Cert
	# Please Modify this according to your needs
	CERT_KEY_SIZE="2048"

	# Server Certificate Subject Parameters
	# Please Modify these according to your needs
	C_C="SA"
	C_ST="Riyadh"
	C_O="Acme.com"
	C_OU="PA"
	# Pay special attention to the CN Field (should be the FQDN of the server)
	C_CN="pa-ad.acme.com"
	# Specify any SANs you want here
	C_SAN1="pa-ad"
	C_SAN2="192.168.45.65"

	### Output File Names ###
	# Please Modify these according to your needs
	CA_CRT_FILE="pa-ad-ca.crt"
	CA_KEY_FILE="pa-ad-ca.key"
	CERT_KEY_FILE="$C_CN.key"
	CERT_CSR_FILE="$C_CN.csr"
	CERT_FILE="$C_CN.crt"

	CA_PFX_FILE="pa-ad-ca.pfx"
	CERT_PFX_FILE="$C_CN.pfx"

	CA_PFX_PASS="yourpassword-changethis"
	CERT_PFX_PASS="yourpassword-changethis"

	# CA Cert Validitiy
	DURATION="7300"
	# Server Cert Validity
	CERT_DURATION="3650"

	# Generate a Private Key to use for the CA
	openssl genrsa -out $CA_KEY_FILE $CA_KEY_SIZE
	# Create the CA Certificate
	openssl req -x509 -new -nodes -key $CA_KEY_FILE -subj "/C=$C/ST=$ST/O=$O/OU=$OU/CN=$CN" -sha512 -days $DURATION -out $CA_CRT_FILE

	# Generate a Server Certificate signed by above CA
	# Step-1 Generate a key for this certificate
	openssl genrsa -out $CERT_KEY_FILE $CERT_KEY_SIZE
	# Step-2 Generate a CSR to be signed by the CA created above
	# Note: This requires BASH shell or equivalent.
	openssl req -new -sha256 -nodes -out $CERT_CSR_FILE -key $CERT_KEY_FILE -config \
	<(printf "\n[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n\
	req_extensions = req_ext\ndistinguished_name = dn\n[ dn ]\n\
	C=$C_C\nST=$C_ST\nO=$C_O\nOU=$C_OU\nCN=$C_CN\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\
	[ alt_names ]\nDNS.1 = $C_SAN1\nDNS.2 = $C_SAN2")
	# Step-3 Sign the Certificate based on the CSR and save it.
	openssl x509 -req -in $CERT_CSR_FILE -CA $CA_CRT_FILE -CAkey $CA_KEY_FILE -CAcreateserial -out $CERT_FILE -days $CERT_DURATION -sha512

	# Package the CA and Server Certs as PKCS12 (.pfx) files
	# Export the CA PFX
	echo "Generating CA PFX File: $CA_PFX_FILE"
	openssl pkcs12 -export -out $CA_PFX_FILE -inkey $CA_KEY_FILE -in $CA_CRT_FILE -passout pass:$CA_PFX_PASS

	#Export the Server Cert PFX
	echo "Generating Server Cert PFX File: $CERT_PFX_FILE"
	openssl pkcs12 -export -out $CERT_PFX_FILE -inkey $CERT_KEY_FILE -in $CERT_FILE -certfile $CA_CRT_FILE -passout pass:$CERT_PFX_PASS