Create a locally-trusted TLS (SSL) certificate with OpenSSL on macOS: a self-signed root CA is created once, added to the System keychain, and then used to sign per-domain server certificates.
# macOS only: relies on BSD `date -j -f` for date parsing and on the macOS `security` tool (sudo) to trust the CA
#Author Moya Richards
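create_ssl_certificate() {
  # Generate a server certificate for $domain_name signed by a local CA that
  # lives in ../CAroot relative to $cert_dir (created on demand by
  # create_ca_certificate).
  # Arguments:
  #   $1 cert_dir     directory receiving <domain>.key, <domain>-req.csr, <domain>.crt
  #   $2 domain_name  CN and DNS subjectAltName of the certificate
  #   $3 expire       validity in days (default 365)
  #   $4 corporation  O  (default My-Corporation)
  #   $5 group        OU (default My-Corporate-Group)
  #   $6 city         L  (default City)
  #   $7 state        ST (default State)
  #   $8 country      C  (default US)
  # Side effects: creates $cert_dir and the CA directory (0700), leaves the
  #   caller's cwd in $cert_dir, and (via create_ca_certificate) prompts for
  #   sudo to add the CA to the System keychain.
  # Returns: 0 on success, 1 on any failed step, 2 on missing arguments.
  local cert_dir=$1
  local domain_name=$2
  local expire=${3:-365}
  local corporation=${4:-My-Corporation}
  local group=${5:-My-Corporate-Group}
  local city=${6:-City}
  local state=${7:-State}
  local country=${8:-US}
  local subject="/CN=$domain_name/OU=$group/O=$corporation/L=$city/ST=$state/C=$country"

  if [[ -z "$cert_dir" || -z "$domain_name" ]]; then
    printf 'usage: create_ssl_certificate <cert_dir> <domain_name> [days] [O] [OU] [L] [ST] [C]\n' >&2
    return 2
  fi
  # 0700: the directory will hold an unencrypted private key.
  mkdir -p -- "$cert_dir" && chmod 0700 "$cert_dir" || return 1
  # Resolve to an absolute path now: create_ca_certificate cd's into the CA
  # directory, after which a relative $cert_dir would no longer resolve.
  cert_dir="$(cd -- "$cert_dir" && pwd)" || return 1

  #------Root certificate ---------------------
  local cert_root_dir
  cert_root_dir="$(cd -- "$cert_dir/.." && pwd)/CAroot" || return 1
  printf '%s\n' "$cert_root_dir"
  mkdir -p -- "$cert_root_dir" && chmod 0700 "$cert_root_dir" || return 1
  local CA_KEY="$cert_root_dir/ca.key"   # CA private key
  local CA_CRT="$cert_root_dir/ca.crt"   # CA certificate
  create_ca_certificate "$cert_root_dir" 3650 "ca.key" "ca.crt"
  # Do not rely on the sibling's exit status (its last step is the keychain
  # import); what signing needs is the key/cert pair on disk.
  if [[ ! -f "$CA_KEY" || ! -f "$CA_CRT" ]]; then
    printf 'error: CA key/certificate missing in %s\n' "$cert_root_dir" >&2
    return 1
  fi
  cd -- "$cert_dir" || return 1

  #-------Site SSL Certificate ----------------
  echo "Generate key and csr: creating private key and certificate signing request (CSR) with passphrase removed"
  # -nodes writes the key unencrypted: create it under umask 077 so it is never
  # world-readable, not even briefly before a chmod.
  ( umask 077 && openssl req -new \
      -newkey rsa:4096 -nodes -sha256 -keyout "${domain_name}.key" \
      -out "${domain_name}-req.csr" \
      -subj "${subject}" ) || return 1
  echo "Sign ${domain_name}-req.csr certificate signing request (CSR) with Certificate Authority key and certificate"
  # Browsers match the SAN, not the CN. serverAuth EKU is required by Apple's
  # trust policy for TLS server certificates (macOS 10.15+), which also caps
  # validity at 825 days -- keep $expire below that if the cert must be trusted.
  printf '%s\n' \
    "subjectAltName = DNS:${domain_name}" \
    "extendedKeyUsage = serverAuth" \
    "basicConstraints = CA:FALSE" > extfile.cnf
  openssl x509 -req -days "$expire" -sha256 \
    -in "${domain_name}-req.csr" -CA "${CA_CRT}" -CAkey "${CA_KEY}" -CAcreateserial \
    -extfile extfile.cnf \
    -out "${domain_name}.crt" || return 1
  printf '\nGenerated Private Key: %s.key \n' "$domain_name"
  printf 'Generated Public Key: %s.crt\n' "$domain_name"
}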
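create_ca_certificate() {
  # Create (or reuse) a self-signed root CA in $cert_dir and mark it trusted in
  # the macOS System keychain. The CA is regenerated when either file is
  # missing or the certificate expires within 90 days (as reported by
  # certDaysRemaining, which yields 0 for an unreadable/missing file).
  # Arguments:
  #   $1 cert_dir  directory for the CA files (created, 0700)
  #   $2 expire    CA validity in days (default 365)
  #   $3 CA_KEY    key file name (default ca.key)
  #   $4 CA_CRT    certificate file name (default ca.crt)
  #   $5 subject   CA subject (default "/CN=Root Certificate")
  # Side effects: cd's into $cert_dir; runs sudo to modify the System keychain.
  # Security: once trusted, anything signed with this key is accepted
  #   system-wide, so the key must stay private (owner-only file, 0700 dir).
  local cert_dir=$1
  local expire=${2:-365}
  local CA_KEY=${3:-"ca.key"}   # private key
  local CA_CRT=${4:-"ca.crt"}   # certificate
  # The original default contained a space and was passed unquoted to -subj,
  # which split it into two arguments; it is quoted everywhere below.
  local subject=${5:-"/CN=Root Certificate"}
  if [[ -z "$cert_dir" ]]; then
    printf 'create_ca_certificate: cert_dir is required\n' >&2
    return 2
  fi
  mkdir -p -- "$cert_dir" && chmod 0700 "$cert_dir" || return 1
  cd -- "$cert_dir" || return 1
  local days_left
  days_left=$(certDaysRemaining "$CA_CRT")
  echo "days_left" "$days_left"
  # Either file missing makes the pair unusable for signing, so regenerate
  # on "or", not "and"; also regenerate when less than 90 days remain.
  if [[ ! -f "$CA_KEY" || ! -f "$CA_CRT" || "$days_left" -lt 90 ]]; then
    echo "Generate ROOT certificate to become a local Certificate Authority"
    # umask 077: -nodes writes the key unencrypted, keep it owner-readable only.
    # NOTE(review): CA extensions (basicConstraints=CA:TRUE, keyCertSign) are
    # supplied by the default openssl.cnf v3_ca section / OpenSSL 3 defaults,
    # not by this script -- confirm with `openssl x509 -in ca.crt -noout -text`
    # on your OpenSSL/LibreSSL build.
    ( umask 077 && openssl req -x509 -nodes -sha256 -days "$expire" -newkey rsa:4096 \
        -keyout "$CA_KEY" -out "$CA_CRT" \
        -subj "$subject" ) || return 1
  else
    echo "$CA_KEY and $CA_CRT exists and has not expired, using them to generate certs"
  fi
  printf '\nAdding the Root Certificate to macOS Keychain: \nEnter admin password if requested.\n'
  sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$CA_CRT"
  #-------------------------------------------
}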
# Reads the notAfter date of a PEM certificate file and prints the number of days until it expires
# (negative: days since expiry). Prints 0 when the file is missing or cannot be parsed by openssl.
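certDaysRemaining() {
  # Print (stdout) the whole number of days until the certificate in $1
  # expires; negative once expired. Prints 0 when the file does not exist,
  # openssl cannot read it, or the expiry date cannot be parsed.
  # Diagnostics go to stderr so callers can capture the number with $(...).
  # Arguments: $1 - path to a PEM certificate
  local cert=$1
  local days_left=0
  local expire_date=""
  if [[ -f "$cert" ]]; then
    local enddate
    enddate=$(openssl x509 -noout -in "${cert}" -enddate 2>/dev/null)
    if [[ -z "$enddate" ]]; then
      # this cert could not be read.
      printf 'INFO - %s could not be loaded by openssl\n' "$cert" >&2
    else
      # Strip "notAfter=" and collapse whitespace runs: openssl pads
      # single-digit days ("Jan  1"), which the date formats below reject.
      local -a words
      read -r -a words <<<"${enddate#notAfter=}"
      expire_date="${words[*]}"
      local now_epoch exp_epoch
      now_epoch=$(date +%s)
      if date --version >/dev/null 2>&1; then
        # GNU date (Linux)
        exp_epoch=$(date -d "$expire_date" "+%s" 2>/dev/null)
      else
        # BSD/macOS date; BSD `-d` means something else (kernel DST flag),
        # so it must never be used as a fallback here.
        exp_epoch=$(date -j -f "%b %e %T %Y %Z" "$expire_date" "+%s" 2>/dev/null)
      fi
      if [[ "$exp_epoch" =~ ^-?[0-9]+$ ]]; then
        # Integer division floors, so a cert with 99.9 days left reports 99.
        days_left=$(( (exp_epoch - now_epoch) / (3600 * 24) ))
      else
        printf 'INFO - could not parse expiry date "%s" of %s\n' "$expire_date" "$cert" >&2
      fi
    fi
  fi
  #log messages
  printf '\n%s days remaining for SSL certificate: %s\n' "$days_left" "$cert" >&2
  if [[ -n "$expire_date" ]]; then
    printf 'Expiration date : %s \n' "$expire_date" >&2
  fi
  printf '%s\n' "$days_left"   # function return value
}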