Skip to content

Instantly share code, notes, and snippets.

@pnck
Forked from sethvargo/create-certs.sh
Last active December 2, 2020 10:23
Show Gist options
  • Save pnck/305968f3c9f719fb479bd6ac3986c52a to your computer and use it in GitHub Desktop.
Save pnck/305968f3c9f719fb479bd6ac3986c52a to your computer and use it in GitHub Desktop.
x509 v3 self signed certificate
# Define where to store the generated certs and metadata.
DIR="$(pwd)"
# Create the openssl configuration file. This is used for both generating
# the certificate as well as for specifying the extensions. It aims in favor
# of automation, so the DN is encoding and not prompted.
cat > "${DIR}/openssl.cnf" << EOF
[req]
default_bits = 2048
encrypt_key = no # Change to encrypt the private key using des3 or similar
default_md = sha256
prompt = yes
utf8 = yes
# Speify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name
# Extensions for SAN IP and SAN DNS
req_extensions = v3_req
# Be sure to update the subject to match your organization.
[req_distinguished_name]
C = Country Name (2 letter code)
ST = State or Province Name (full name)
L = Locality Name (eg, city)
O = Organization Name (eg, company)
CN = Common Name (e.g. server FQDN or YOUR name)
# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
[v3_req]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.
[alt_names]
IP.1 = 192.168.1.1
IP.2 = 10.0.0.1
DNS.1 = hostname
EOF
echo -e "\n\n-----------------------------------\nCreate CA\n-----------------------------------\n"
# Create the certificate authority (CA). This will be a self-signed CA, and this
# command generates both the private key and the certificate. You may want to
# adjust the number of bits (4096 is a bit more secure, but not supported in all
# places at the time of this publication).
#
# To put a password on the key, remove the -nodes option.
#
# Be sure to update the subject to match your organization.
openssl req \
-new \
-newkey rsa:2048 \
-days 1825 \
-nodes \
-x509 \
-keyout "${DIR}/ca.key" \
-out "${DIR}/ca.crt"
echo -e "\n\n-----------------------------------\nCreate Sub Service\n-----------------------------------\n"
# Generate the private key for the service. Again, you may want to increase
# the bits to 4096.
# openssl genrsa -out "${DIR}/private.key" 2048
# Generate a CSR using the configuration and the key just generated. We will
# give this CSR to our CA to sign.
openssl req \
-new -newkey rsa:2048 \
-keyout "${DIR}/sub_service.key" \
-out "${DIR}/sub_service.csr" \
-config "${DIR}/openssl.cnf"
# Sign the CSR with our CA. This will generate a new certificate that is signed
# by our CA.
openssl x509 \
-req \
-days 1825 \
-in "${DIR}/sub_service.csr" \
-extensions v3_req \
-extfile "${DIR}/openssl.cnf" \
-CA "${DIR}/ca.crt" \
-CAkey "${DIR}/ca.key" \
-CAcreateserial \
-out "${DIR}/sub_service.pem"
# (Optional) Verify the certificate.
openssl x509 -in "${DIR}/sub_service.pem" -noout -text
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment