Generate a self-signed root CA, a server private key and a server certificate covering multiple wildcard domains plus an IP address
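#!/bin/bash
# Generate a self-signed root CA, a server private key (PKCS#8) and a server
# certificate that carries the SAN list below (wildcard DNS names + IP).
#
# Outputs, in the current directory:
#   rootCA.key    CA private key, unencrypted, mode 0600 -- keep it offline
#   rootCA.crt    CA certificate to import into client trust stores
#   $SERVER.pem   server private key, unencrypted PKCS#8, mode 0600
#   $SERVER.crt   server certificate signed by rootCA
# Requires: openssl and a base config at $OPENSSL_CONF
# (default /etc/ssl/openssl.cnf).
set -euo pipefail

# Both private keys are written unencrypted, so every file created below is
# owner-only; the public certificates get a readable mode at the very end.
umask 077

ORG="ORGZ"
SERVER="project"
BASE_CONF="${OPENSSL_CONF:-/etc/ssl/openssl.cnf}"

# Extension section appended to the base config, used for both the CSR and
# the signed certificate. The leaf is marked non-CA and limited to TLS server
# use (some clients, e.g. Apple platforms, refuse server certificates without
# the serverAuth EKU). Edit alt_names to match the hosts being covered.
CONFIG=$(cat <<'EOM'
[SAN]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=laptop.local
DNS.2=desktop.local
DNS.3=*.laptop.local
DNS.4=*.desktop.local
IP.1=127.0.0.1
EOM
)

# --- Certificate authority ---------------------------------------------------
# CA private key.
openssl genrsa -out rootCA.key 4096

# Self-signed CA certificate, valid 10 years. Its extensions come from the
# x509_extensions section the base config selects for -x509 requests.
openssl req \
  -x509 \
  -new \
  -key rootCA.key \
  -subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=ROOT" \
  -sha256 \
  -days 3650 \
  -out rootCA.crt

# --- Server key --------------------------------------------------------------
# RSA key converted to unencrypted PKCS#8 PEM; the traditional-format copy is
# removed so only one file holds the secret.
openssl genrsa -out "$SERVER.key" 2048
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
  -in "$SERVER.key" -out "$SERVER.pem"
rm -f -- "$SERVER.key"

# --- Server certificate ------------------------------------------------------
# CSR signed with the server key. -reqexts names the config section whose
# extensions are embedded in the request.
openssl req \
  -new \
  -key "$SERVER.pem" \
  -subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=SERVER" \
  -reqexts SAN \
  -config <(cat -- "$BASE_CONF"; printf '%s\n' "$CONFIG") \
  -out "$SERVER.csr"

# Sign the CSR with the CA. "x509 -req" does not copy extensions from the CSR
# by default, so the same section is supplied again via -extfile/-extensions.
# 1825 days = 5 years; some clients (notably Apple platforms) reject leaf
# certificates valid for more than 825 days -- lower -days if that matters.
openssl x509 \
  -req \
  -in "$SERVER.csr" \
  -CA rootCA.crt \
  -CAkey rootCA.key \
  -CAcreateserial \
  -extensions SAN \
  -extfile <(cat -- "$BASE_CONF"; printf '%s\n' "$CONFIG") \
  -days 1825 \
  -sha256 \
  -out "$SERVER.crt"

# --- Cleanup -----------------------------------------------------------------
rm -f -- rootCA.srl "$SERVER.csr"
# Certificates are public; undo the restrictive umask for them only.
chmod 644 rootCA.crt "$SERVER.crt"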
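#!/bin/bash
# Issue an additional server key (PKCS#8) and certificate from an existing
# root CA (rootCA.key / rootCA.crt in the current directory).
#
# Outputs, in the current directory:
#   $SERVER.pem   server private key, unencrypted PKCS#8, mode 0600
#   $SERVER.crt   server certificate signed by rootCA
# Requires: openssl, rootCA.key, rootCA.crt and a base config at
# $OPENSSL_CONF (default /etc/ssl/openssl.cnf).
set -euo pipefail

# The private key is written unencrypted, so every file created below is
# owner-only; the public certificate gets a readable mode at the very end.
umask 077

ORG="ORGZ"
SERVER="project"
BASE_CONF="${OPENSSL_CONF:-/etc/ssl/openssl.cnf}"

# Fail early with a clear message instead of an openssl error mid-way.
for ca_file in rootCA.key rootCA.crt; do
  if [[ ! -r "$ca_file" ]]; then
    printf 'missing %s: generate the root CA first\n' "$ca_file" >&2
    exit 1
  fi
done

# Extension section appended to the base config, used for both the CSR and
# the signed certificate. The leaf is marked non-CA and limited to TLS server
# use (some clients, e.g. Apple platforms, refuse server certificates without
# the serverAuth EKU). Edit alt_names to match the hosts being covered.
CONFIG=$(cat <<'EOM'
[SAN]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=laptop.local
DNS.2=desktop.local
DNS.3=*.laptop.local
DNS.4=*.desktop.local
IP.1=127.0.0.1
EOM
)

# --- Server key --------------------------------------------------------------
# RSA key converted to unencrypted PKCS#8 PEM; the traditional-format copy is
# removed so only one file holds the secret.
openssl genrsa -out "$SERVER.key" 2048
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
  -in "$SERVER.key" -out "$SERVER.pem"
rm -f -- "$SERVER.key"

# --- Server certificate ------------------------------------------------------
# CSR signed with the server key. -reqexts names the config section whose
# extensions are embedded in the request.
openssl req \
  -new \
  -key "$SERVER.pem" \
  -subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=SERVER" \
  -reqexts SAN \
  -config <(cat -- "$BASE_CONF"; printf '%s\n' "$CONFIG") \
  -out "$SERVER.csr"

# Sign the CSR with the CA. "x509 -req" does not copy extensions from the CSR
# by default, so the same section is supplied again via -extfile/-extensions.
# 1825 days = 5 years; some clients (notably Apple platforms) reject leaf
# certificates valid for more than 825 days -- lower -days if that matters.
openssl x509 \
  -req \
  -in "$SERVER.csr" \
  -CA rootCA.crt \
  -CAkey rootCA.key \
  -CAcreateserial \
  -extensions SAN \
  -extfile <(cat -- "$BASE_CONF"; printf '%s\n' "$CONFIG") \
  -days 1825 \
  -sha256 \
  -out "$SERVER.crt"

# --- Cleanup -----------------------------------------------------------------
rm -f -- rootCA.srl "$SERVER.csr"
# The certificate is public; undo the restrictive umask for it only.
chmod 644 "$SERVER.crt"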
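#!/bin/bash
# Usage: cert_pinning_sha256 <rootCA.crt>
# Print the base64-encoded SHA-256 digest of the certificate's Subject Public
# Key Info (DER) -- the value used for public-key pinning, e.g.
# curl --pinnedpubkey "sha256//<value>".
set -euo pipefail

# Refuse to run without a certificate path rather than letting openssl read
# stdin and hang.
: "${1:?usage: ${0##*/} <certificate.pem>}"

# "pkey" rather than "rsa" so the pipeline also works for EC keys.
openssl x509 -in "$1" -pubkey -noout \
  | openssl pkey -pubin -outform der \
  | openssl dgst -sha256 -binary \
  | openssl enc -base64

# Same digest taken from a live endpoint (redirect stdin so s_client exits):
# openssl s_client -connect <hostname>:<port> -servername <hostname> </dev/null 2>/dev/null \
#   | openssl x509 -pubkey -noout \
#   | openssl pkey -pubin -outform der \
#   | openssl dgst -sha256 -binary \
#   | openssl enc -base64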