Skip to content

Instantly share code, notes, and snippets.

@fahadysf
Created December 9, 2018 06:16
Show Gist options
  • Save fahadysf/68c5cf5bdf21df9171110516f996227e to your computer and use it in GitHub Desktop.
Save fahadysf/68c5cf5bdf21df9171110516f996227e to your computer and use it in GitHub Desktop.
Script to create Self-Signed CA and Server Cert (using the CA)
#!/bin/bash
# Parameters for the Root CA Certificate (Self-Signed)
# Please Modify this according to your needs
CA_KEY_SIZE="4096"
# CA Certificate Subject Parameters
# Please Modify these according to your needs
C="SA"
ST="Riyadh"
O="Acme.com"
OU="PA"
CN="PA-AD CA"
# Parameters for the Server Cert
# Please Modify this according to your needs
CERT_KEY_SIZE="2048"
# Server Certificate Subject Parameters
# Please Modify these according to your needs
C_C="SA"
C_ST="Riyadh"
C_O="Acme.com"
C_OU="PA"
# Pay special attention to the CN Field (should be the FQDN of the server)
C_CN="pa-ad.acme.com"
# Specify any SANs you want here
C_SAN1="pa-ad"
C_SAN2="192.168.45.65"
### Output File Names ###
# Please Modify these according to your needs
CA_CRT_FILE="pa-ad-ca.crt"
CA_KEY_FILE="pa-ad-ca.key"
CERT_KEY_FILE="$C_CN.key"
CERT_CSR_FILE="$C_CN.csr"
CERT_FILE="$C_CN.crt"
CA_PFX_FILE="pa-ad-ca.pfx"
CERT_PFX_FILE="$C_CN.pfx"
CA_PFX_PASS="yourpassword-changethis"
CERT_PFX_PASS="yourpassword-changethis"
# CA Cert Validitiy
DURATION="7300"
# Server Cert Validity
CERT_DURATION="3650"
# Generate a Private Key to use for the CA
openssl genrsa -out $CA_KEY_FILE $CA_KEY_SIZE
# Create the CA Certificate
openssl req -x509 -new -nodes -key $CA_KEY_FILE -subj "/C=$C/ST=$ST/O=$O/OU=$OU/CN=$CN" -sha512 -days $DURATION -out $CA_CRT_FILE
# Generate a Server Certificate signed by above CA
# Step-1 Generate a key for this certificate
openssl genrsa -out $CERT_KEY_FILE $CERT_KEY_SIZE
# Step-2 Generate a CSR to be signed by the CA created above
# Note: This requires BASH shell or equivalent.
openssl req -new -sha256 -nodes -out $CERT_CSR_FILE -key $CERT_KEY_FILE -config \
<(printf "\n[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n\
req_extensions = req_ext\ndistinguished_name = dn\n[ dn ]\n\
C=$C_C\nST=$C_ST\nO=$C_O\nOU=$C_OU\nCN=$C_CN\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\
[ alt_names ]\nDNS.1 = $C_SAN1\nDNS.2 = $C_SAN2")
# Step-3 Sign the Certificate based on the CSR and save it.
openssl x509 -req -in $CERT_CSR_FILE -CA $CA_CRT_FILE -CAkey $CA_KEY_FILE -CAcreateserial -out $CERT_FILE -days $CERT_DURATION -sha512
# Package the CA and Server Certs as PKCS12 (.pfx) files
# Export the CA PFX
echo "Generating CA PFX File: $CA_PFX_FILE"
openssl pkcs12 -export -out $CA_PFX_FILE -inkey $CA_KEY_FILE -in $CA_CRT_FILE -passout pass:$CA_PFX_PASS
#Export the Server Cert PFX
echo "Generating Server Cert PFX File: $CERT_PFX_FILE"
openssl pkcs12 -export -out $CERT_PFX_FILE -inkey $CERT_KEY_FILE -in $CERT_FILE -certfile $CA_CRT_FILE -passout pass:$CERT_PFX_PASS
@fahadysf
Copy link
Author

fahadysf commented Dec 9, 2018

Useful little one-shot (modify and execute) script to create Self-Signed CA and a server cert signed by that CA via Open SSL. BASH and OpenSSL are required

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment