Skip to content

Instantly share code, notes, and snippets.

@jhamrick
Last active January 17, 2024 07:33
Show Gist options
  • Save jhamrick/ac0404839b5c7dab24b5 to your computer and use it in GitHub Desktop.
Save jhamrick/ac0404839b5c7dab24b5 to your computer and use it in GitHub Desktop.
Generate SSL certificates with IP SAN
#!/usr/bin/env bash
#
# Generate a set of TLS credentials that can be used to run development mode.
#
# Based on script by Ash Wilson (@smashwilson)
# https://github.com/cloudpipe/cloudpipe/pull/45/files#diff-15
#
# usage: sh ./genkeys.sh NAME HOSTNAME IP
set -o errexit
USAGE="usage: sh ./genkeys.sh NAME HOSTNAME IP"
ROOT="$(pwd)"
PASSFILE="${ROOT}/dev.password"
PASSOPT="file:${ROOT}/dev.password"
CAFILE="${ROOT}/ca.pem"
CAKEY="${ROOT}/ca-key.pem"
# Randomly create a password file, if you haven't supplied one already.
# For development mode, we'll just use the same (random) password for everything.
if [ ! -f "${PASSFILE}" ]; then
echo ">> creating a random password in ${PASSFILE}."
touch ${PASSFILE}
chmod 600 ${PASSFILE}
# "If the same pathname argument is supplied to -passin and -passout arguments then the first
# line will be used for the input password and the next line for the output password."
cat /dev/random | head -c 128 | base64 | sed -n '{p;p;}' >> ${PASSFILE}
echo "<< random password created"
fi
# Generate the certificate authority that we'll use as the root for all the things.
if [ ! -f "${CAFILE}" ]; then
echo ">> generating a certificate authority"
openssl genrsa -des3 \
-passout ${PASSOPT} \
-out ${CAKEY} 2048
openssl req -new -x509 -days 365 \
-batch \
-passin ${PASSOPT} \
-key ${CAKEY} \
-passout ${PASSOPT} \
-out ${CAFILE}
echo "<< certificate authority generated."
fi
# Generate a named keypair
keypair() {
local NAME=$1
local HOSTNAME=$2
local IP=$3
local SERIALOPT=""
if [ ! -f "${ROOT}/ca.srl" ]; then
echo ">> creating serial"
SERIALOPT="-CAcreateserial"
else
SERIALOPT="-CAserial ${ROOT}/ca.srl"
fi
echo ">> generating a keypair for: ${NAME}"
echo ".. key"
openssl genrsa -des3 \
-passout ${PASSOPT} \
-out ${ROOT}/${NAME}-key.pem 2048
cp ${ROOT}/openssl.cnf ${ROOT}/openssl-${NAME}.cnf
echo "\nIP.1 = ${IP}" >> ${ROOT}/openssl-${NAME}.cnf
echo ".. request"
openssl req -subj "/CN=${HOSTNAME}" -new \
-batch \
-passin ${PASSOPT} \
-key ${ROOT}/${NAME}-key.pem \
-passout ${PASSOPT} \
-out ${ROOT}/${NAME}-req.csr \
-config ${ROOT}/openssl-${NAME}.cnf
echo ".. certificate"
openssl x509 -req -days 365 \
-passin ${PASSOPT} \
-in ${ROOT}/${NAME}-req.csr \
-CA ${CAFILE} \
-CAkey ${CAKEY} \
${SERIALOPT} \
-extensions v3_req \
-extfile ${ROOT}/openssl-${NAME}.cnf \
-out ${ROOT}/${NAME}-cert.pem \
echo ".. removing key password"
openssl rsa \
-passin ${PASSOPT} \
-in ${ROOT}/${NAME}-key.pem \
-out ${ROOT}/${NAME}-key.pem
echo "<< ${NAME} keypair generated."
}
# call with arguments name, hostname, and ip address
if [ -z "$1" ]; then
echo "${USAGE}"
exit 1
fi
if [ -z "$2" ]; then
echo "${USAGE}"
exit 1
fi
if [ -z "$3" ]; then
echo "${USAGE}"
exit 1
fi
keypair "$1" "$2" "$3"
# From http://apetec.com/support/GenerateSAN-CSR.htm
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MN
localityName = Locality Name (eg, city)
localityName_default = Minneapolis
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = @alt_names
[alt_names]
@sydev
Copy link

sydev commented Apr 25, 2017

Throws an error with openssl 1.1.0e on macOS 10.12.4

>> creating a random password in /Users/dominik/Downloads/ac0404839b5c7dab24b5-fc33c87f660d2d803ff66aad12b72c32ee6d76fa/dev.password.
<< random password created
>> generating a certificate authority
Generating RSA private key, 2048 bit long modulus
......................................+++
.................................................................+++
e is 65537 (0x010001)
<< certificate authority generated.
>> creating serial
>> generating a keypair for: vfblog
.. key
Generating RSA private key, 2048 bit long modulus
..................................+++
.........................+++
e is 65537 (0x010001)
.. request
Error Loading request extension section v3_req
140737189626816:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option:crypto/x509v3/v3_alt.c:505:name=\nIP.1
140737189626816:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=@alt_names

@cxhercules
Copy link

So found that https://gist.github.com/jhamrick/ac0404839b5c7dab24b5#file-genkeys-sh-L68 was leaving \n in output. Remove that and worked like a charm. Thank you!

Also I just left it as IP = ${IP} instead of IP.1 = ${IP} since only had need for one entry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment