Last active
June 18, 2024 19:30
-
-
Save jmhertlein/22a6d678d01cb7ca529e to your computer and use it in GitHub Desktop.
bash script for generating new root SSL CA private key and certificate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ################################################## | |
| # for generating your root CA private key and cert | |
| ################################################## | |
| ca_name="jmhca" | |
| ca_key_bits="4096" | |
| ca_cert_expire_days="365" | |
| mkdir ca | |
| cd ca | |
| clear | |
| echo "### Generating root CA private key" | |
| echo "[Enter] to continue" | |
| read | |
| # generate new rsa private key for CA | |
| openssl genpkey -algorithm rsa -out "$ca_name".key -AES-256-CBC -pkeyopt rsa_keygen_bits:"$ca_key_bits" | |
| clear | |
| echo "### Signing root CA certificate" | |
| echo "[Enter] to continue" | |
| read | |
| # create the root CA certificate (this is what you will install in your browser if you are not using intermediary signing keys) | |
| openssl req -x509 -new -key "$ca_name".key -days "$ca_cert_expire_days" -out "$ca_name".pem -sha512 | |
| cd .. | |
| ################################################################ | |
| # | |
| # If you want to use intermediate/signing keys | |
| # (so your root CA's private key can stay in offline | |
| # storage except for when you re-sign your signing keys)... | |
| # | |
| # ...then generate them here. | |
| # | |
| ################################################################ | |
| mkdir signing | |
| cd signing | |
| clear | |
| echo "### Generating signing private key" | |
| echo "[Enter] to continue" | |
| read | |
| openssl genpkey -algorithm rsa -out "$ca_name".sign.key -AES-256-CBC -pkeyopt rsa_keygen_bits:"$ca_key_bits" | |
| clear | |
| echo "### Generating signing cert request" | |
| echo "[Enter] to continue" | |
| read | |
| openssl req -new -key "$ca_name".sign.key -out "$ca_name".sign.csr | |
| clear | |
| echo "### Fulfilling signing cert request" | |
| echo "[Enter] to continue" | |
| read | |
| openssl x509 -req -in "$ca_name".sign.csr -CA ../ca/"$ca_name".pem -CAkey ../ca/"$ca_name".key -out "$ca_name".sign.pem -days 365 -sha512 -CAcreateserial | |
| cat "$ca_name".sign.pem ../ca/"$ca_name".pem > "$ca_name".sign.chain.pem | |
| cd .. | |
| ####################################### | |
| # for generating and signing host certs | |
| ####################################### | |
| mkdir host | |
| cd host | |
| clear | |
| echo "### Generating host private key" | |
| echo "[Enter] to continue" | |
| read | |
| read -p "Filename for device CA key and cert: " device_name | |
| # gen new device private key | |
| openssl genrsa -out "$device_name".key 2048 | |
| clear | |
| echo "### Generating host cert request" | |
| echo "[Enter] to continue" | |
| read | |
| # gen signature request | |
| openssl req -new -key "$device_name".key -out "$device_name".csr | |
| clear | |
| echo "### Fulfilling host cert request" | |
| echo "[Enter] to continue" | |
| read | |
| # fulfill request with CA root private key | |
| openssl x509 -req -in "$device_name".csr -CA ../signing/"$ca_name".sign.pem -CAkey ../signing/"$ca_name".sign.key -out "$device_name".crt -days 365 -sha512 -CAcreateserial | |
| cat ../signing/"$ca_name".sign.pem ./"$device_name".crt > "$device_name".chain.crt | |
| cd .. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment