Generate a self-signed root CA, a server private key, and a server certificate covering multiple wildcard domains plus an IP address
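#!/bin/bash
# Generate a self-signed root CA, then a server key and a server certificate
# (signed by that CA) carrying several DNS/wildcard SANs plus an IP SAN.
#
# Outputs (in the current directory):
#   rootCA.key   CA private key -- keep it protected; anyone holding it can
#                mint certificates trusted by every client that imports rootCA.crt
#   rootCA.crt   CA certificate to import into client trust stores
#   $SERVER.pem  server private key (PKCS#8, unencrypted)
#   $SERVER.crt  server certificate
#
# Environment overrides: ORG, SERVER, CA_DAYS, SERVER_DAYS, OPENSSL_CONF
set -euo pipefail

ORG="${ORG:-ORGZ}"
SERVER="${SERVER:-project}"
CA_DAYS="${CA_DAYS:-3650}"
SERVER_DAYS="${SERVER_DAYS:-1825}"
# Base OpenSSL config the extension sections are appended to. OPENSSL_CONF is
# the variable the openssl tool itself honours, so reuse it when the caller set it.
OPENSSL_CNF="${OPENSSL_CONF:-/etc/ssl/openssl.cnf}"

# Extension section for the server certificate. Besides the SANs it marks the
# leaf as non-CA / server-auth only, so it cannot be used to sign further certs.
# `read -d ''` returns 1 at EOF even on success, hence the `|| true` under -e.
read -r -d '' CONFIG <<'EOM' || true
[SAN]
subjectAltName=@alt_names
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
[alt_names]
DNS.1=laptop.local
DNS.2=desktop.local
DNS.3=*.laptop.local
DNS.4=*.desktop.local
IP.1=127.0.0.1
EOM

#######################################
# Emit the base config followed by our extension sections.
# The leading newline guards against a base file without a trailing newline.
# Globals:  OPENSSL_CNF, CONFIG (read)
# Outputs:  combined config on stdout
#######################################
ext_config() {
  cat -- "$OPENSSL_CNF"
  printf '\n%s\n' "$CONFIG"
}

[[ -r "$OPENSSL_CNF" ]] || { printf 'error: cannot read %s\n' "$OPENSSL_CNF" >&2; exit 1; }

# Create the certificate authority (CA) private key; never leave it world-readable
openssl genrsa -out rootCA.key 4096
chmod 600 rootCA.key
# Create the CA certificate, self-signed with that key
openssl req \
  -x509 \
  -key rootCA.key \
  -subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=ROOT" \
  -new \
  -nodes \
  -sha256 \
  -days "$CA_DAYS" \
  -out rootCA.crt
# Create the server private key, then convert it to PKCS#8 format
# (set -e aborts here on failure, so the chained && of the original is no longer needed)
openssl genrsa -out "$SERVER.key" 2048
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$SERVER.key" -out "$SERVER.pem"
chmod 600 "$SERVER.pem"
rm -f -- "$SERVER.key"
# Create a Certificate Signing Request (CSR) signed with the server private key.
# The config is passed as data (never as a printf format string) via ext_config.
openssl req \
  -new \
  -key "$SERVER.pem" \
  -subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=SERVER" \
  -reqexts SAN \
  -config <(ext_config) \
  -out "$SERVER.csr"
# Issue the server certificate from the CSR, signed by the CA
openssl x509 \
  -req \
  -in "$SERVER.csr" \
  -CA rootCA.crt \
  -CAkey rootCA.key \
  -CAcreateserial \
  -extensions SAN \
  -extfile <(ext_config) \
  -days "$SERVER_DAYS" \
  -sha256 \
  -out "$SERVER.crt"
# Cleanup of intermediate artefacts only; keys and certificates stay in place
rm -f -- rootCA.srl "$SERVER.csr"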
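#!/bin/bash
# Issue an additional server key + certificate from an EXISTING root CA
# (rootCA.key / rootCA.crt in the current directory), with several
# DNS/wildcard SANs plus an IP SAN.
#
# Outputs (in the current directory):
#   $SERVER.pem  server private key (PKCS#8, unencrypted)
#   $SERVER.crt  server certificate signed by rootCA.key
#
# Environment overrides: ORG, SERVER, SERVER_DAYS, OPENSSL_CONF
set -euo pipefail

ORG="${ORG:-ORGZ}"
SERVER="${SERVER:-project}"
SERVER_DAYS="${SERVER_DAYS:-1825}"
# Base OpenSSL config the extension sections are appended to. OPENSSL_CONF is
# the variable the openssl tool itself honours, so reuse it when the caller set it.
OPENSSL_CNF="${OPENSSL_CONF:-/etc/ssl/openssl.cnf}"

# Extension section for the server certificate. Besides the SANs it marks the
# leaf as non-CA / server-auth only, so it cannot be used to sign further certs.
# `read -d ''` returns 1 at EOF even on success, hence the `|| true` under -e.
read -r -d '' CONFIG <<'EOM' || true
[SAN]
subjectAltName=@alt_names
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
[alt_names]
DNS.1=laptop.local
DNS.2=desktop.local
DNS.3=*.laptop.local
DNS.4=*.desktop.local
IP.1=127.0.0.1
EOM

#######################################
# Emit the base config followed by our extension sections.
# The leading newline guards against a base file without a trailing newline.
# Globals:  OPENSSL_CNF, CONFIG (read)
# Outputs:  combined config on stdout
#######################################
ext_config() {
  cat -- "$OPENSSL_CNF"
  printf '\n%s\n' "$CONFIG"
}

# Fail before generating anything if the inputs are missing; the original only
# failed at the final signing step, leaving a stray key behind.
for required in "$OPENSSL_CNF" rootCA.key rootCA.crt; do
  [[ -r "$required" ]] || { printf 'error: cannot read %s\n' "$required" >&2; exit 1; }
done

# Create the server private key, then convert it to PKCS#8 format
openssl genrsa -out "$SERVER.key" 2048
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$SERVER.key" -out "$SERVER.pem"
chmod 600 "$SERVER.pem"
rm -f -- "$SERVER.key"
# Create a Certificate Signing Request (CSR) signed with the server private key.
# The config is passed as data (never as a printf format string) via ext_config.
openssl req \
  -new \
  -key "$SERVER.pem" \
  -subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=SERVER" \
  -reqexts SAN \
  -config <(ext_config) \
  -out "$SERVER.csr"
# Issue the server certificate from the CSR, signed by the existing CA
openssl x509 \
  -req \
  -in "$SERVER.csr" \
  -CA rootCA.crt \
  -CAkey rootCA.key \
  -CAcreateserial \
  -extensions SAN \
  -extfile <(ext_config) \
  -days "$SERVER_DAYS" \
  -sha256 \
  -out "$SERVER.crt"
# Cleanup of intermediate artefacts only; keys and certificates stay in place
rm -f -- rootCA.srl "$SERVER.csr"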
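#!/bin/bash
# Usage: cert_pinning_sha256 <certificate.pem>
# Prints the base64-encoded SHA-256 of the certificate's SubjectPublicKeyInfo
# (DER), i.e. the value used for public-key pinning of that certificate.
set -euo pipefail

if (( $# != 1 )) || [[ ! -r "$1" ]]; then
  printf 'Usage: %s <certificate.pem>\n' "${0##*/}" >&2
  exit 2
fi

# pipefail matters here: without it an unreadable/invalid input made the
# pipeline print the hash of an empty key, which looks like a valid pin.
openssl x509 -in "$1" -pubkey -noout \
  | openssl pkey -pubin -outform der \
  | openssl dgst -sha256 -binary \
  | openssl enc -base64

# Same pin taken from a live endpoint (</dev/null closes s_client's stdin so it
# exits after the handshake); `pkey` handles non-RSA keys where `rsa` would not:
# openssl s_client -connect <hostname>:<port> </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64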