Generate TLS certificates for MongoDB: a self-signed certificate authority (CA) plus an entity certificate signed by that CA
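#!/usr/bin/env bash
# Create a self-signed certificate authority (CA): an AES-encrypted RSA
# private key plus a root certificate, then print the certificate so it can
# be inspected.  openssl prompts interactively for the key passphrase.
# Every setting below can be overridden from the environment,
# e.g. DAYS_VALID=730 KEY_BITS=2048 ./this_script.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

command -v openssl >/dev/null || die "openssl not found in PATH"

# set all variables (environment values win over these defaults)
KEY_BITS=${KEY_BITS:-4096}
CA_PRIVATE_KEY_NAME=${CA_PRIVATE_KEY_NAME:-"certificate_authority_private_key.key"}
CA_CERT_NAME=${CA_CERT_NAME:-"certificate_authority_root_certificate.cert"}
DAYS_VALID=${DAYS_VALID:-365}
# these are subject variables to be added into the certificate
CA_COUNTRY_CODE=${CA_COUNTRY_CODE:-"GB"}
CA_PROVINCE=${CA_PROVINCE:-"Lincolnshire"}
CA_LOCATION=${CA_LOCATION:-"Lincoln"}
CA_ORGANISATION=${CA_ORGANISATION:-"University of lincoln"}
CA_ORGANISATION_UNIT=${CA_ORGANISATION_UNIT:-"LCAS"}
CA_NAME=${CA_NAME:-"Your Name"}
CA_EMAIL=${CA_EMAIL:-"yourname@your.domain.ac.uk"}

# a CA key is the trust anchor for every certificate it signs; never
# silently replace an existing one
if [[ -e "$CA_PRIVATE_KEY_NAME" ]]; then
  die "refusing to overwrite existing CA private key: $CA_PRIVATE_KEY_NAME"
fi

# user information: every prompt in this script refers to the same key
echo "Generating private key and using it will require a password, all following passwords should be the same:"
# generate a private key which is encrypted (using -aes-256-cbc flag)
openssl genpkey -algorithm RSA -aes-256-cbc \
  -pkeyopt "rsa_keygen_bits:${KEY_BITS}" -out "$CA_PRIVATE_KEY_NAME"
# the key file should be readable by its owner only
chmod 600 -- "$CA_PRIVATE_KEY_NAME"

# generate the self-signed certificate authority certificate.
# Subject fields: C = country, ST = state/province, L = locality,
# O = organisation, OU = organisational unit, CN = common name (the CA's
# name), emailAddress = contact.  -sha256 pins the signature digest.
openssl req -key "$CA_PRIVATE_KEY_NAME" -x509 -new -sha256 -days "$DAYS_VALID" \
  -out "$CA_CERT_NAME" \
  -subj "/C=${CA_COUNTRY_CODE}/ST=${CA_PROVINCE}/L=${CA_LOCATION}/O=${CA_ORGANISATION}/OU=${CA_ORGANISATION_UNIT}/CN=${CA_NAME}/emailAddress=${CA_EMAIL}"

# display the certificate
openssl x509 -text -noout -in "$CA_CERT_NAME"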
# https://stackoverflow.com/questions/44055029/how-to-generate-a-certificate-using-pyopenssl-to-make-it-secure-connection
# openssl genrsa -out rootCA.key 2048
# openssl req -x509 -new -key rootCA.key -days 10000 -out rootCA.crt
# openssl genrsa -out server101.mycloud.key 2048
# openssl req -new -key server101.mycloud.key -out server101.mycloud.csr
# openssl x509 -req -in server101.mycloud.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server101.mycloud.crt -days 5000
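#!/usr/bin/env bash
# Create an entity (server) certificate signed by an existing CA: generate an
# AES-encrypted RSA key, a certificate signing request (CSR), sign the CSR
# with the CA key, verify the result against the CA and print it.
# The CA key and certificate produced by the companion CA script must already
# exist in the working directory.  Every setting can be overridden from the
# environment, e.g. ENTITY_NAME=db.example.org ./this_script.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

command -v openssl >/dev/null || die "openssl not found in PATH"

# set all variables (environment values win over these defaults)
KEY_BITS=${KEY_BITS:-4096}
CA_PRIVATE_KEY_NAME=${CA_PRIVATE_KEY_NAME:-"certificate_authority_private_key.key"}
CA_CERT_NAME=${CA_CERT_NAME:-"certificate_authority_root_certificate.cert"}
DAYS_VALID=${DAYS_VALID:-365}
ENTITY_PRIVATE_KEY_NAME=${ENTITY_PRIVATE_KEY_NAME:-"entity_private_key.key"}
ENTITY_CERTIFICATE_SIGN_REQUEST_NAME=${ENTITY_CERTIFICATE_SIGN_REQUEST_NAME:-"entity_certificate_sign_request.csr"}
ENTITY_CERT_NAME=${ENTITY_CERT_NAME:-"entity_private_certificate.cert"}
# these are subject variables to be added into the certificate.
# ENTITY_NAME is the server's DNS host name; it is used for both the CN and
# the subjectAltName entry.
ENTITY_COUNTRY_CODE=${ENTITY_COUNTRY_CODE:-"GB"}
ENTITY_PROVINCE=${ENTITY_PROVINCE:-"Lincolnshire"}
ENTITY_LOCATION=${ENTITY_LOCATION:-"Lincoln"}
ENTITY_ORGANISATION=${ENTITY_ORGANISATION:-"University of lincoln"}
ENTITY_ORGANISATION_UNIT=${ENTITY_ORGANISATION_UNIT:-"LCAS"}
ENTITY_NAME=${ENTITY_NAME:-"lcas.lincoln.ac.uk"}
ENTITY_EMAIL=${ENTITY_EMAIL:-"yourname@your.domain.ac.uk"}

# the CA must exist before anything is signed
[[ -f "$CA_CERT_NAME" ]] || die "CA certificate not found: $CA_CERT_NAME"
[[ -f "$CA_PRIVATE_KEY_NAME" ]] || die "CA private key not found: $CA_PRIVATE_KEY_NAME"
if [[ -e "$ENTITY_PRIVATE_KEY_NAME" ]]; then
  die "refusing to overwrite existing private key: $ENTITY_PRIVATE_KEY_NAME"
fi

# user information: the entity key and the CA key are distinct keys, so the
# old wording ("all passwords should be the same") is wrong here and would
# invite reusing the CA passphrase for every server key
printf '%s\n' "Generating the entity private key: openssl will prompt for a new passphrase (and ask for it again when building the CSR); the signing step then asks for the CA key passphrase."
# generate an entity private key which is encrypted (using -aes-256-cbc flag)
openssl genpkey -algorithm RSA -aes-256-cbc \
  -pkeyopt "rsa_keygen_bits:${KEY_BITS}" -out "$ENTITY_PRIVATE_KEY_NAME"
# the key file should be readable by its owner only
chmod 600 -- "$ENTITY_PRIVATE_KEY_NAME"

# generate a certificate signing request file for the certificate authority
# to sign next.  Subject fields: C = country, ST = state/province,
# L = locality, O = organisation, OU = organisational unit, CN = common name
# (the host name), emailAddress = contact.
openssl req -new -sha256 -key "$ENTITY_PRIVATE_KEY_NAME" \
  -out "$ENTITY_CERTIFICATE_SIGN_REQUEST_NAME" \
  -subj "/C=${ENTITY_COUNTRY_CODE}/ST=${ENTITY_PROVINCE}/L=${ENTITY_LOCATION}/O=${ENTITY_ORGANISATION}/OU=${ENTITY_ORGANISATION_UNIT}/CN=${ENTITY_NAME}/emailAddress=${ENTITY_EMAIL}"

# generate entity certificate.  A subjectAltName extension is added because
# TLS clients match the server host name against SAN entries; a certificate
# with only a CN is rejected by current clients.  The extension is passed via
# a temporary file that is removed on exit.
SAN_FILE=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$SAN_FILE"' EXIT
printf 'subjectAltName=DNS:%s\n' "$ENTITY_NAME" > "$SAN_FILE"
openssl x509 -req -sha256 -in "$ENTITY_CERTIFICATE_SIGN_REQUEST_NAME" \
  -CA "$CA_CERT_NAME" -CAkey "$CA_PRIVATE_KEY_NAME" -CAcreateserial \
  -extfile "$SAN_FILE" -out "$ENTITY_CERT_NAME" -days "$DAYS_VALID"

# confirm the new certificate chains to the CA before handing it out
openssl verify -CAfile "$CA_CERT_NAME" "$ENTITY_CERT_NAME"
# display the certificate
openssl x509 -text -noout -in "$ENTITY_CERT_NAME"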