Recettes informatiques

Generate certificates with (or without) a certificate authority

Posted by on Mar 26 2015 in Systeme


I use this script to generate certificates authorized by CACert but the script can be used for self-certificates.

Shell

#!/bin/bash
 
use_cacert_org=1
 
function title () {
    echo -'\e[1;1m'$*'\e[0m'
}
 
function valid () {
    echo -"* $1: "
    shift
    eval $@ >&/dev/null && echo -'\e[0;32mSUCCESS\e[0m' || \
        { echo -'\e[0;31mFAILED\e[0m'; exit; }
}
 
for file; do
 
    ## Certificat configuration
    [ -f $file ] || { echo "file '$file' not found"; continue; }
    [[ $file =~ \.cnf ]] || \
        { echo "file '$file' not a certificat configuration"; continue; }
    server=${file/.cnf}
    title  "Certificat configuration: $server"
 
    ## Key generation
    valid "Key generation" \
        openssl genrsa -out $server.key 2048
 
    ## Protect server key
    valid "Protect server key" \
        chmod o$server.key
 
    ## Certificate request
    valid "Certificate request" \
        openssl req -new -nodes -batch \
            -config $server.cnf -key $server.key -out $server.csr
 
    if [ $use_cacert_org -eq 0 ]; then
            
        ## Certificate generation
        valid "Certificate generation" \
            openssl req -new -x509 -days 365 -nodes -batch \
                -config $server.cnf -key $server.key -out $server.crt
    else
 
        title "Connect to cacert.org and generate $server.crt from $server.csr."
        title "Certificate request"
        cat $server.csr
        title "Copy/paste it into 'New server certificat form'"
        title "When you get back the certificat, copy/paste it here (Ctrl-D to end)"
        cat $server.crt
 
    fi
 
    # Check certificate
    valid "Check certificate" \
        openssl x509 -in $server.crt -text -out $server.txt
 
done


And a configuration template babylon.softndesign.org:

Code

[ req ]
distinguished_name      = req_distinguished_name
prompt                  = no
string_mask             = nombstr
x509_extensions         = server_cert
 
[ req_distinguished_name ]
countryName             = FR
stateOrProvinceName     = IdF
localityName            = Paris
organizationName        = Soft'n'Design Inc
organizationalUnitName  = Security
commonName              = babylon.softndesign.org
emailAddress            = webmaster@localhost
  
[ server_cert ]
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
nsCertType              = server
nsComment               = Babylon Certificate
This entry was posted by and filed under Systeme.

No feedback yet