@hummus
Last active June 13, 2017 21:52
generate self-signed ssl cert
#!/bin/bash
# original url: http://www.jamescoyle.net/how-to/1073-bash-script-to-create-an-ssl-certificate-key-and-request-csr
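set -e
# NOTE: -x traces every command to stderr, including the openssl
# -passout/-passin arguments further down, so the trace output itself
# carries the key passphrase and is not safe to paste anywhere.
set -x

# Common name: first argument, else the machine's hostname file.
domain="${1-$(cat /etc/hostname)}"
commonname="$domain"

#######################################
# True if $1 is a dotted-quad IPv4 address (four octets, each 0-255).
# Replaces the python one-liner, so the script no longer needs python.
# Unlike the python check (0<int(p)<256) an octet of 0 is accepted,
# so e.g. 10.0.0.1 is recognised as an IP.
# Arguments: $1 - candidate string
# Returns:   0 if IPv4, 1 otherwise
#######################################
is_ipv4() {
  local octet
  [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so a leading zero ("08") is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# An IP common name must also be carried as an IP SAN; a hostname gets a
# DNS SAN. SAN is only ever expanded by this script (into $CONFIG), so it
# does not need to be exported.
if is_ipv4 "$domain"; then
  SAN="IP:$domain"
else
  SAN="DNS:$domain.adept.local"
fi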
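#######################################
# Print a diagnostic line to stderr, keeping stdout free for the key and
# certificate that are cat'ed at the end of the script.
# printf instead of echo so a message such as "-n", or one containing
# backslashes, is printed verbatim rather than interpreted.
# Arguments: $* - message text
# Outputs:   message plus newline on stderr
#######################################
errcho() {
  printf '%s\n' "$*" >&2
}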
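#######################################
# Emit $1 random uppercase ASCII letters with no trailing newline.
# Reads /dev/urandom directly instead of through cat; LC_ALL=C keeps the
# 'A-Z' range of tr byte-based whatever the caller's locale is.
# Arguments: $1 - number of letters to produce
# Outputs:   the letters on stdout
#######################################
rand_letters() {
  LC_ALL=C tr -dc 'A-Z' </dev/urandom | head -c "$1"
}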
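# Change to your company details.
# Only the commented-out CSR config below reads these; the self-signed
# certificate that is actually produced carries just the CN and the SAN.
country=$(rand_letters 2)
state=$(rand_letters 2)
locality=None
organization=None
organizationalunit=None
email="None@$domain"
# Optional: temporary passphrase for the intermediate key. It is a fixed
# string and is stripped from the key again right after generation.
password=password

# Bail out if no common name could be determined (no argument and an empty
# hostname file). NOTE: $domain has already been interpolated into $SAN
# earlier in the script; this guard only stops the openssl calls.
# Messages go to stderr so they cannot be mistaken for key/cert output.
if [[ -z "$domain" ]]; then
  printf 'Argument not present.\n' >&2
  printf 'Usage %s [common name]\n' "$0" >&2
  exit 99
fi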
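errcho "Generating key request for $domain"
# Generate a DES3-protected key. The passphrase is given on the command line,
# so it is visible in process listings and in the set -x trace.
# NOTE: the later `openssl req -newkey rsa:2048 -nodes -keyout "$domain.key"`
# overwrites this file, so these two steps are redundant work.
openssl genrsa -des3 -passout "pass:$password" -out "$domain.key" 2048 -noout
# Remove passphrase from the key. Comment the line out to keep the passphrase
errcho "Removing passphrase from key"
openssl rsa -in "$domain.key" -passin "pass:$password" -out "$domain.key"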
# # Create the request
# errcho "Creating CSR"
# CONFIG="[req]
# prompt = no
# req_extensions = v3_req
# distinguished_name = req_distinguished_name
# [req_distinguished_name]
# C = $country
# ST = $state
# L = $locality
# O = $organization
# OU = $organizationalunit
# CN = $commonname
# emailAddress = $email
# [v3_req]
# basicConstraints = CA:FALSE
# keyUsage = digitalSignature, keyEncipherment
# subjectAltName = @alt_names
# [alt_names]
# DNS.1 = $domain
# IP.1 = $domain
# "
# openssl req -new \
# -key $domain.key \
# -passin pass:$password \
# -extensions v3_req \
# -config <(echo "$CONFIG") \
# -out $domain.csr
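# Minimal req config for the self-signed certificate: only the SAN and
# basicConstraints come from here, the subject is supplied via -subj.
CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
subjectAltName=$SAN
"
# -x509 without -days uses openssl's 30-day default; set GEN_CERT_DAYS in the
# environment to override it. -nodes writes the private key unencrypted and
# overwrites the genrsa output from above.
openssl req -config <(printf '%s\n' "$CONFIG") -new -newkey rsa:2048 -nodes \
  -days "${GEN_CERT_DAYS:-30}" \
  -subj "/CN=$commonname" -x509 -extensions ext \
  -keyout "$domain.key" -out "$domain.crt"
# errcho "Self signing"
# openssl x509 -req -days 365 -in $domain.csr -signkey $domain.key -out $domain.crt
if [[ "${GEN_CERT_PKCS12:-0}" -eq 1 ]]; then
  # maybe you need a single keystore file. The export password is the same
  # fixed $password string used above, so the .pkcs12 is effectively
  # unprotected and should be handled like the plain key file.
  openssl pkcs12 -export -in "$domain.crt" -inkey "$domain.key" \
    -out "$domain.pkcs12" -password "pass:$password"
  rm -- "$domain.crt"
  rm -- "$domain.key"
else
  # normal output, nice for catting somewhere
  # cat $domain.csr
  cat -- "$domain.key"
  cat -- "$domain.crt"
fi
# rm $domain.csr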