Generate SSL certificates with IP SAN
#!/usr/bin/env bash
#
# Generate a set of TLS credentials (a self-signed CA plus one server keypair
# with an IP subjectAltName) for running in development mode.  Run it from the
# directory that contains openssl.cnf; all files are written there.
#
# Based on script by Ash Wilson (@smashwilson)
# https://github.com/cloudpipe/cloudpipe/pull/45/files#diff-15
#
# usage: bash ./genkeys.sh NAME HOSTNAME IP
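set -o errexit  # every openssl step below is fatal; stop at the first failure
# The script is a bash script (see the shebang); invoking it via 'sh' changes
# how echo handles escapes, so the usage line names bash explicitly.
USAGE="usage: bash ./genkeys.sh NAME HOSTNAME IP"
# All output lands in the directory the script is run FROM, not the one it
# lives in.  openssl.cnf must be present there.
ROOT="$(pwd)"
# One shared, randomly generated passphrase protects the CA key and - until it
# is stripped again at the end of keypair() - each server key.  The 'file:'
# form makes openssl read it from disk instead of taking it on the command
# line, where 'ps' could see it.
PASSFILE="${ROOT}/dev.password"
PASSOPT="file:${PASSFILE}"
CAFILE="${ROOT}/ca.pem"       # self-signed root certificate
CAKEY="${ROOT}/ca-key.pem"    # its passphrase-protected private key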
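# Create a random password file unless one was supplied already.
# For development mode the same (random) passphrase is used for everything,
# so whoever can read this file can read every private key: keep it 0600.
if [ ! -f "${PASSFILE}" ]; then
  echo ">> creating a random password in ${PASSFILE}."
  # Create the file empty with owner-only permissions BEFORE any secret is
  # written, so there is no window in which it is readable by others.
  (umask 077 && : > "${PASSFILE}")
  # openssl's 'file:' password source reads the first line for -passin and the
  # next line for -passout when both point at the same file, hence the
  # passphrase is written twice.  /dev/urandom never blocks (unlike
  # /dev/random on older Linux kernels) and is suitable for key passphrases.
  # base64 is joined onto one line because some implementations wrap at 76
  # columns, which would otherwise silently shorten the passphrase.
  pw="$(head -c 96 /dev/urandom | base64 | tr -d '\n')"
  printf '%s\n%s\n' "${pw}" "${pw}" >> "${PASSFILE}"
  unset pw
  echo "<< random password created"
fi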
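# Generate the certificate authority used as the root for all the things.
# Skipped when ca.pem already exists, so re-running the script for a second
# NAME issues from the same CA.
if [ ! -f "${CAFILE}" ]; then
  echo ">> generating a certificate authority"
  # AES-256 rather than 3DES for the at-rest encryption of the CA key; the
  # passphrase comes from the shared password file, never from argv.
  openssl genrsa -aes256 \
    -passout "${PASSOPT}" \
    -out "${CAKEY}" 2048
  chmod 600 "${CAKEY}"
  # Self-signed root.  -sha256 is explicit because older OpenSSL releases
  # default to SHA-1 signatures, which current clients reject.  A fixed -subj
  # keeps -batch fully non-interactive and gives the CA a recognisable name
  # instead of whatever defaults the system openssl.cnf happens to carry.
  # No -config is passed, so the CA extensions (CA:TRUE on a stock
  # openssl.cnf, via its x509_extensions = v3_ca) come from the system config.
  openssl req -new -x509 -days 365 -sha256 \
    -batch \
    -subj "/CN=genkeys dev CA" \
    -passin "${PASSOPT}" \
    -key "${CAKEY}" \
    -out "${CAFILE}"
  echo "<< certificate authority generated."
fi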
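#######################################
# Generate a named keypair and have the dev CA sign a certificate for it.
# Globals:
#   ROOT, PASSOPT, CAFILE, CAKEY (read); ${ROOT}/openssl.cnf must exist
# Arguments:
#   $1 - NAME: file-name stem for the outputs (<NAME>-key.pem, <NAME>-req.csr,
#        <NAME>-cert.pem, openssl-<NAME>.cnf), all under ${ROOT}
#   $2 - HOSTNAME: certificate subject CN, also added as a DNS SAN
#   $3 - IP: added as an IP SAN
# Outputs:
#   progress messages on stdout; the files above (the final key is
#   unencrypted and mode 0600)
# Returns:
#   1 if openssl.cnf is missing; any failed openssl step aborts the script
#   through errexit
#######################################
keypair() {
  local name=$1
  local host=$2
  local ip=$3
  local key="${ROOT}/${name}-key.pem"
  local csr="${ROOT}/${name}-req.csr"
  local cert="${ROOT}/${name}-cert.pem"
  local cnf="${ROOT}/openssl-${name}.cnf"

  if [ ! -f "${ROOT}/openssl.cnf" ]; then
    echo "!! ${ROOT}/openssl.cnf not found; run this script from the directory that contains it" >&2
    return 1
  fi

  echo ">> generating a keypair for: ${name}"
  echo ".. key"
  openssl genrsa -aes256 \
    -passout "${PASSOPT}" \
    -out "${key}" 2048
  chmod 600 "${key}"

  # Per-name copy of the request config with the SANs appended to its trailing
  # [alt_names] section.  printf, not echo: bash's builtin echo does not
  # interpret "\n", so the original wrote a literal backslash-n into the
  # config.  The hostname is added as a DNS SAN as well as the CN because
  # modern clients ignore the CN and match hostnames only against
  # subjectAltName.
  cp "${ROOT}/openssl.cnf" "${cnf}"
  printf '\nDNS.1 = %s\nIP.1 = %s\n' "${host}" "${ip}" >> "${cnf}"

  echo ".. request"
  openssl req -subj "/CN=${host}" -new -sha256 \
    -batch \
    -passin "${PASSOPT}" \
    -key "${key}" \
    -out "${csr}" \
    -config "${cnf}"

  echo ".. certificate"
  # -CAcreateserial creates <CA>.srl (here ca.srl) when it is missing and
  # reuses it otherwise, so no separate -CAserial branch is needed.  The
  # extensions (CA:FALSE, EKU, SANs) are taken from the v3_req section of the
  # per-name config; x509 -req does NOT copy them from the CSR.  -sha256 as
  # for the CA: older releases default this command to SHA-1.
  # No trailing backslash after -out: the original continued the command onto
  # the following 'echo' line, passing it to openssl as stray arguments.
  openssl x509 -req -days 365 -sha256 \
    -passin "${PASSOPT}" \
    -in "${csr}" \
    -CA "${CAFILE}" \
    -CAkey "${CAKEY}" \
    -CAcreateserial \
    -extensions v3_req \
    -extfile "${cnf}" \
    -out "${cert}"

  echo ".. removing key password"
  # Rewrite the key unencrypted so the dev service can load it without a
  # passphrase.  It is now a bare secret on disk: keep it owner-only.
  openssl rsa \
    -passin "${PASSOPT}" \
    -in "${key}" \
    -out "${key}"
  chmod 600 "${key}"
  echo "<< ${name} keypair generated."
}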
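# Entry point: call with arguments name, hostname, and ip address.
# Usage errors go to stderr so they are not mistaken for generated output.
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
  echo "${USAGE}" >&2
  exit 1
fi
# NAME is spliced into file paths under ${ROOT}; refuse a '/' so it cannot
# name a different directory.
case "$1" in
  */*)
    echo "NAME must be a plain file-name stem without '/'" >&2
    exit 1
    ;;
esac
keypair "$1" "$2" "$3"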
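# OpenSSL request/extension config used by genkeys.sh.
# Based on http://apetec.com/support/GenerateSAN-CSR.htm
#
# genkeys.sh copies this file per NAME and appends the SAN entry (IP.1 = ...)
# to the trailing [alt_names] section, so [alt_names] must remain the LAST
# section in the file.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

# Prompt labels and defaults.  genkeys.sh passes -subj, so these only matter
# when the config is used interactively.
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MN
localityName = Locality Name (eg, city)
localityName_default = Minneapolis
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
# The value here is the prompt label; the original carried a company name
# ("Internet Widgits Ltd") in this slot by mistake.
commonName = Common Name (eg, server FQDN or IP)
commonName_max = 64

[ v3_req ]
# Extensions added to the certificate request and, via -extfile/-extensions
# in genkeys.sh, to the signed certificate.
# End-entity only: a cert with this profile must never be able to sign others.
basicConstraints = CA:FALSE
# Usual key-usage bits for an RSA TLS certificate.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = @alt_names

# Filled in by genkeys.sh.  Keep this section last.
[alt_names]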
I found that line 68 of genkeys.sh (`echo "\nIP.1 = ${IP}"`) was writing a literal `\n` into the generated config: bash's builtin `echo` does not interpret backslash escapes (unlike the `sh` the usage line suggests, which on most systems does), so the appended SAN line is not recognized as `IP.1`. Removing the `\n` — or using `printf '\nIP.1 = %s\n' "${IP}"` — fixed it and it worked like a charm. Thank you!
Also, I just left it as `IP = ${IP}` instead of `IP.1 = ${IP}`, since I only needed one entry; the numeric suffix just keeps each key unique when several entries of the same type are listed.
Throws an error with openssl 1.1.0e on macOS 10.12.4