SSL Certificates for Web Server with a Self-Signed CA root and One Site Domain Certificate
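#!/usr/bin/env bash
#
# Generates a development-only PKI under keys/dev: a passphrase-protected,
# self-signed root CA plus one site key/certificate signed by that CA.
#
# IMPORTANT(jeff): This file should always be run from the project's root
# source tree, i.e.:
#
# bin/gen_dev-ssl-certs.sh
#
# Environment overrides (all optional):
#   ROOT_CA_KEY_PASSPHRASE  passphrase protecting the root CA private key
#                           (defaults to the historical dev value below)
#   RSA_BITS                RSA modulus size, 2048 or 4096 (default 4096)
#
# ...environment init...
# Abort on the first failing command (a failed openssl step must not be
# followed by signing with a half-written key), on unset variables, and on
# failures anywhere in a pipeline.
set -euo pipefail

SCRIPT_NAME=$(basename "${0}")
# NOTE: the original assigned to PWD, which is a shell-maintained variable;
# keep the project root under a name of our own instead.
PROJECT_ROOT=$(pwd)
KEYS_DIR="${PROJECT_ROOT}/keys/dev"
# Development-only passphrase. It may be supplied from the environment; the
# default is retained so existing workflows keep working, but anything that
# is not a throwaway dev CA must provide its own value.
ROOT_CA_KEY_PASSPHRASE="${ROOT_CA_KEY_PASSPHRASE:-boobiesfuckdev}"
SITE_KEY_PASSPHRASE=$ROOT_CA_KEY_PASSPHRASE
MKDIR_BIN="/bin/mkdir"
RM_BIN="/bin/rm"
OPENSSL_BIN="/usr/bin/openssl"
OPENSSL_CONFIG="${PROJECT_ROOT}/bin/openssl.cnf"
RSA_BITS="${RSA_BITS:-4096}" # 2048 or 4096
ROOT_CA_VALID_DAYS=365 # 1 year
# This key should be kept private!
ROOT_CA_KEY="${KEYS_DIR}/caroot.pem"
ROOT_CA_CERT="${KEYS_DIR}/caroot.crt"
SITE_CERT_REQUEST="${KEYS_DIR}/n.csr"
SITE_VALID_DAYS=365 # 1 year
# This key should be kept private!
SITE_KEY="${KEYS_DIR}/n.pem"
SITE_CERT="${KEYS_DIR}/n.crt"
readonly SCRIPT_NAME PROJECT_ROOT KEYS_DIR OPENSSL_CONFIG \
  ROOT_CA_KEY ROOT_CA_CERT SITE_CERT_REQUEST SITE_KEY SITE_CERT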
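#######################################
# Print a message to stdout, prefixed with the script name and framed by a
# blank line above and below.
# Globals:   SCRIPT_NAME (read)
# Arguments: the message, as one or more words (joined by single spaces)
# Outputs:   the framed message on stdout
#######################################
function log_message() {
  # printf instead of `echo -e`: the message is data, so backslashes in it
  # (e.g. Windows-style paths) must not be turned into escape sequences.
  printf '\n%s: %s\n\n' "${SCRIPT_NAME}" "$*"
}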
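#######################################
# Print the usage line and guidance on handling the root CA artifacts.
# Globals:   SCRIPT_NAME, ROOT_CA_CERT, ROOT_CA_KEY (read)
# Outputs:   usage text on stdout
#######################################
function root_cacert_usage_info() {
  # One here-document replaces the chain of `echo -e` calls, whose embedded
  # "\n\n\t\t" sequences produced whitespace-only lines and split sentences
  # across arguments; paths are also no longer subject to escape processing.
  cat <<EOF

Usage: ${SCRIPT_NAME}

  * Distribute ${ROOT_CA_CERT} to your development workstations and what not.

  * Keep ${ROOT_CA_KEY} private; ideally, this private key is kept off-site
    on a device that is not reachable by a network of any kind and requires
    physical access.

  Mac OS X:
    Safari requires that ${ROOT_CA_CERT} be installed via Apple's Keychain
    application.
    Firefox uses its own certificate store and a copy must be installed
    separately under its Advanced Preferences page.

  Linux:
    STUB

  Windows:
    STUB
EOF
}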
# Positional arguments are not accepted: any argument at all is treated as a
# request for the usage text, after which the script stops.
NUM_ARGS=$#
if (( NUM_ARGS != 0 )); then
  root_cacert_usage_info
  exit
fi
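# Always start from an empty key directory so stale keys or certificates
# never survive a regeneration.
if [[ -e "${KEYS_DIR}" ]]; then
  # NOTE(jeff): Clean up the existing environment
  log_message "Removing the existing key set at ${KEYS_DIR}..."
  # ${KEYS_DIR:?} aborts instead of handing rm -rf an empty path.
  "${RM_BIN}" -rf -- "${KEYS_DIR:?}"
fi
# NOTE(jeff): Create new environment... (-p also creates the keys/ parent,
# which the original mkdir required to exist already)
log_message "Initializing new key directory at ${KEYS_DIR}..."
"${MKDIR_BIN}" -p -v -- "${KEYS_DIR}"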
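log_message "Generating root Certificate Authority (CA) key at ${ROOT_CA_KEY}..."
# Generate our private root CA key -- no password
# ${OPENSSL_BIN} genrsa -out ${ROOT_CA_KEY} ${RSA_BITS}
# Generate our private root CA key -- password-protected. AES-256 replaces
# the legacy 3DES (-des3) wrapping. The passphrase reaches openssl through
# the child's environment (-passout env:NAME) rather than as a `pass:...`
# argument, which would be visible to every local user via `ps`.
ROOT_CA_KEY_PASSPHRASE="${ROOT_CA_KEY_PASSPHRASE}" \
  "${OPENSSL_BIN}" genrsa -aes256 \
  -passout env:ROOT_CA_KEY_PASSPHRASE \
  -out "${ROOT_CA_KEY}" "${RSA_BITS}"
# Private key: owner-only, independent of umask or the openssl version.
chmod 600 -- "${ROOT_CA_KEY}"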
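log_message "Generating our root CA certificate at ${ROOT_CA_CERT} and signing it with ${ROOT_CA_KEY}..."
# Self-sign our CA root certificate. The original passed -nodes, which only
# affects keys that `req` generates itself; with an existing -key it is a
# no-op and is dropped. The passphrase goes via the environment, not argv.
ROOT_CA_KEY_PASSPHRASE="${ROOT_CA_KEY_PASSPHRASE}" \
  "${OPENSSL_BIN}" req -x509 -new \
  -key "${ROOT_CA_KEY}" \
  -passin env:ROOT_CA_KEY_PASSPHRASE \
  -out "${ROOT_CA_CERT}" \
  -sha512 \
  -days "${ROOT_CA_VALID_DAYS}" \
  -subj '/C=US/ST=AR/L=Fort Smith/O=syn.localnet/OU=local dev domain site/CN=syn.localnet/emailAddress=i8degrees@gmail.com'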
# Now, distribute the certificate around to your workstations and trusted friends,
# so that they will know when the cert is legit and when it is not.
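log_message "Generating our HTTPS site key at ${SITE_KEY}..."
# Unlike the CA key, this one is written without a passphrase (no cipher
# option, no -passout) -- presumably so a server can load it unattended.
"${OPENSSL_BIN}" genrsa \
  -out "${SITE_KEY}" "${RSA_BITS}"
# Private key: owner-only, independent of umask or the openssl version.
chmod 600 -- "${SITE_KEY}"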
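# Create the site certificate request; .csr file
log_message "Creating the site certificate request at ${SITE_CERT_REQUEST}..."
# ${SITE_KEY} is generated unencrypted, so no -passin is needed here; the
# former `-passin pass:...` did nothing except expose the passphrase in `ps`.
"${OPENSSL_BIN}" req -new \
  -key "${SITE_KEY}" \
  -out "${SITE_CERT_REQUEST}" \
  -subj '/C=US/ST=AR/L=Fort Smith/O=syn.localnet/OU=local dev domain site/CN=naughty.syn.localnet/emailAddress=i8degrees@gmail.com'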
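# FIXME(jeff): -extfile ${OPENSSL_CONFIG} ..?
# NOTE(review): the CSR above carries only a CN. Whether the signed cert ends
# up with a subjectAltName for naughty.syn.localnet depends entirely on what
# ${OPENSSL_CONFIG} provides to -extfile (without -extensions, openssl reads
# the section named by the file's `extensions` key, else the unnamed default
# section -- TODO confirm against the file). Browsers require a SAN.
log_message "Creating HTTPS site certificate with ${ROOT_CA_CERT} and ${ROOT_CA_KEY} at ${SITE_CERT} with its own key at ${SITE_KEY}"
# -CAcreateserial writes the serial file (CA cert base name + .srl) next to
# ${ROOT_CA_CERT} on first use. The CA passphrase goes via the environment.
ROOT_CA_KEY_PASSPHRASE="${ROOT_CA_KEY_PASSPHRASE}" \
  "${OPENSSL_BIN}" x509 -req \
  -in "${SITE_CERT_REQUEST}" \
  -CA "${ROOT_CA_CERT}" \
  -CAkey "${ROOT_CA_KEY}" \
  -passin env:ROOT_CA_KEY_PASSPHRASE \
  -CAcreateserial \
  -out "${SITE_CERT}" \
  -days "${SITE_VALID_DAYS}" \
  -sha256 \
  -extfile "${OPENSSL_CONFIG}"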
# Self-signed certificate, no CA root
# OPENSSL_CONFIG=./bin/openssl.cnf
# ${OPENSSL_BIN} req -x509 -nodes -newkey rsa:${RSA_BITS} \
# -days ${VALID_DAYS} \
# -config ${OPENSSL_CONFIG} \
# -extensions subject_alt_name \
# -keyout ./keys/n.pem \
# -out ./keys/n.crt \
# -subj '/C=XX/ST=XXXX/L=XXXX/O=XXXX/OU=XXXX/CN=naughty.syn.localnet/emailAddress=i8degrees@gmail.com'