Last active
April 10, 2019 19:17
-
-
Save silverkorn/fd24c8cbf4da024917d498f2fc88091c to your computer and use it in GitHub Desktop.
Create a SAN SSL Certificate from a config file under the name of `openssl.conf`. The name of the directory will be used as the default `commonName`.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| ########## | |
| # Config # | |
| ########## | |
| TMP_SSL_CERTIFICATE_NAME=$(basename "($(dirname "$(realpath "$0")")") | |
| TMP_SSL_CERTIFICAT_RSA_BITS=3072 | |
| TMP_SSL_CERTIFICAT_GENERATE_SELFSIGNED=1 | |
| TMP_SSL_CERTIFICAT_SELFSIGNED_VALID_DAYS=1095 | |
| ######### | |
| if [ -n "$1" ]; then TMP_SSL_CERTIFICATE_NAME=$1; fi | |
| TMP_SSL_CERTIFICATE_ROOTPATH=$(dirname "$0") | |
| TMP_SSL_CERTIFICATE_FULLNAME=${TMP_SSL_CERTIFICATE_NAME} | |
| TMP_SSL_CERTIFICATE_PREFIX_COMMAND= | |
| # Windows / MinGW workaround | |
| [[ "$(uname)" =~ "MINGW" ]] && TMP_SSL_CERTIFICATE_PREFIX_COMMAND="winpty " | |
| # Change the default commonName from openssl.conf to the one from $TMP_SSL_CERTIFICATE_NAME | |
| sed -i -e "s/^\(commonName_default\s*=\).*$/\1 ${TMP_SSL_CERTIFICATE_NAME}/gmi" "${TMP_SSL_CERTIFICATE_ROOTPATH}/openssl.conf" | |
| ${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl genrsa -des3 -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" ${TMP_SSL_CERTIFICAT_RSA_BITS} | |
| ${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl req -new -key "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr" -config "${TMP_SSL_CERTIFICATE_ROOTPATH}/openssl.conf" | |
| cp "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key.org" | |
| ${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl rsa -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key.org" -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" | |
| # Self-signing | |
| if [ "${TMP_SSL_CERTIFICAT_GENERATE_SELFSIGNED}" -eq "1" ]; | |
| then | |
| ${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl x509 -req -extensions v3_req -days ${TMP_SSL_CERTIFICAT_SELFSIGNED_VALID_DAYS} -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr" -signkey "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.crt" -extfile "${TMP_SSL_CERTIFICATE_ROOTPATH}/openssl.conf" | |
| # CA Cert | |
| ${TMP_SSL_CERTIFICATE_PREFIX_COMMAND}openssl x509 -req -days ${TMP_SSL_CERTIFICAT_SELFSIGNED_VALID_DAYS} -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr" -CA "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.crt" -CAkey "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" -set_serial 01 -out "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.ca.crt" | |
| # (Optional) Install CA cert | |
| if [ -f "/etc/redhat-release" ]; | |
| then | |
| update-ca-trust force-enable | |
| cp "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.ca.crt" "/etc/pki/ca-trust/source/anchors/" | |
| update-ca-trust extract | |
| elif [ -f "/etc/debian-release" ]; | |
| then | |
| cp "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.ca.crt" "/usr/local/share/ca-certificates/" | |
| update-ca-certificates | |
| fi | |
| # View CSR | |
| openssl req -text -noout -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr" | |
| # Validate with .key and .csr | |
| echo | |
| echo "\"${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.crt\" Hash:" | |
| openssl x509 -noout -modulus -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.crt" | openssl md5 | |
| echo | |
| fi | |
| # Detect if the key and csr are compatible | |
| echo "\"${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key\" Hash:" | |
| openssl rsa -noout -modulus -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.key" | openssl md5 | |
| echo | |
| echo "\"${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr\" Hash:" | |
| openssl req -noout -modulus -in "${TMP_SSL_CERTIFICATE_ROOTPATH}/${TMP_SSL_CERTIFICATE_FULLNAME}.csr" | openssl md5 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ req ] | |
| distinguished_name = req_distinguished_name | |
| req_extensions = v3_req # The extensions to add to a certificate request | |
| [ req_distinguished_name ] | |
| countryName = Country Name (2 letter code) | |
| countryName_default = CA | |
| stateOrProvinceName = State or Province Name (full name) | |
| stateOrProvinceName_default = Quebec | |
| localityName = Locality Name (eg, city) | |
| localityName_default = Montreal | |
| organizationName = Organization Name (eg, company) | |
| organizationName_default = Your company name | |
| organizationalUnitName = Organizational Unit Name (eg, section) | |
| organizationalUnitName_default = Web Technologies | |
| commonName = Common Name (eg, your name or your server's hostname) | |
| commonName_max = 64 | |
| commonName_default = www.yourdomain.org | |
| emailAddress = Email Address | |
| emailAddress_max = 64 | |
| emailAddress_default = support@yourdomain.com | |
| [ v3_req ] | |
| # Extensions to add to a certificate request | |
| basicConstraints = CA:FALSE | |
| keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |
| subjectAltName = @alt_names | |
| [ alt_names ] | |
| DNS.1 = alt.yourdomain.org | |
| DNS.2 = alt.otherdomain.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment