Generate certificates with (or without) a certificate authority
Posted by mazet on Mar 26 2015 in Systeme
I use this script to generate certificates signed by CAcert, but it can also be used for self-signed certificates.
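#!/bin/bash
#
# For every *.cnf given on the command line: generate an RSA private key,
# tighten its permissions, build a certificate request from the .cnf, then
# either self-sign it or paste in the certificate issued by cacert.org, and
# finally parse the resulting .crt as a sanity check.
#
# Usage: <script> server1.cnf [server2.cnf ...]

# 1 (default): print the CSR and read the CA-issued certificate from stdin.
# 0: self-sign with "openssl req -x509" instead of going through cacert.org.
# The USE_CACERT_ORG environment variable overrides the default without
# editing the script.
use_cacert_org=${USE_CACERT_ORG:-1}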
| |
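#######################################
# Print a bold heading line.
# Arguments: $* - the heading text, joined with single spaces
# Outputs:   the text wrapped in ANSI bold (\e[1;1m ... \e[0m) on stdout
#######################################
title() {
  # "$*" keeps the heading as one word: the previous unquoted $* was subject
  # to glob expansion and had its internal whitespace collapsed.
  printf '\e[1;1m%s\e[0m\n' "$*"
}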
| |
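#######################################
# Run a command silently and report its outcome on one line.
# Arguments: $1    - label printed before the result
#            $2... - the command and its arguments, executed as given
# Outputs:   "* <label>: " followed by green SUCCESS or red FAILED on stdout;
#            the command's own stdout and stderr are discarded
# Returns:   0 on success; exits the whole script with status 1 on failure
#######################################
valid() {
  local label=$1
  shift
  printf '* %s: ' "$label"
  # Execute the remaining words directly. The previous `eval $@` re-parsed
  # them through the shell, so shell metacharacters in a file name (which
  # becomes part of these words) were interpreted instead of passed on.
  if "$@" >/dev/null 2>&1; then
    printf '\e[0;32mSUCCESS\e[0m\n'
  else
    printf '\e[0;31mFAILED\e[0m\n'
    # A bare `exit` returned the status of the preceding echo (0), so a
    # failed step looked like success to the caller of the script.
    exit 1
  fi
}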
| |
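for file; do

  ## Certificat configuration
  # Accept only an existing file whose name ends in .cnf. "$server" (the name
  # without the suffix) is the stem of every output file: .key .csr .crt .txt.
  # The previous `=~ \.cnf` / `${file/.cnf}` pair matched ".cnf" anywhere in
  # the name and stripped its first occurrence, not the suffix.
  [ -f "$file" ] || { echo "file '$file' not found" >&2; continue; }
  [[ $file == *.cnf ]] || \
    { echo "file '$file' not a certificat configuration" >&2; continue; }
  server=${file%.cnf}
  title "Certificat configuration: $server"

  ## Key generation
  # NOTE: the key is written with the current umask and tightened just
  # below; run the script under `umask 077` if that window matters.
  valid "Key generation" \
    openssl genrsa -out "$server.key" 2048

  ## Protect server key
  # Owner-only: the previous `chmod o=` still left the private key readable
  # by the group.
  valid "Protect server key" \
    chmod 600 "$server.key"

  ## Certificate request
  valid "Certificate request" \
    openssl req -new -nodes -batch \
      -config "$server.cnf" -key "$server.key" -out "$server.csr"

  if [[ $use_cacert_org -eq 0 ]]; then

    ## Certificate generation
    # Self-signed for one year from the same config and key.
    valid "Certificate generation" \
      openssl req -new -x509 -days 365 -nodes -batch \
        -config "$server.cnf" -key "$server.key" -out "$server.crt"
  else

    # Manual round trip through the CA: show the CSR, then read the issued
    # certificate from stdin until EOF (Ctrl-D).
    title "Connect to cacert.org and generate $server.crt from $server.csr."
    title "Certificate request"
    cat -- "$server.csr"
    title "Copy/paste it into 'New server certificat form'"
    title "When you get back the certificat, copy/paste it here (Ctrl-D to end)"
    cat > "$server.crt"

  fi

  # Check certificate
  # Parsing the .crt with openssl x509 catches a bad or truncated paste;
  # the human-readable dump goes to "$server.txt".
  valid "Check certificate" \
    openssl x509 -in "$server.crt" -text -out "$server.txt"

done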
And a configuration template for babylon.softndesign.org:
# Settings read by "openssl req" (certificate request / self-signed cert).
[ req ]
distinguished_name = req_distinguished_name
# No interactive prompting: the subject comes entirely from the section below.
prompt = no
# Legacy subject string encoding (PrintableString/T61String, no BMPString).
# NOTE(review): utf8only is the usual modern choice — confirm the CA accepts
# it before changing.
string_mask = nombstr
# Applied only on the self-signed path ("openssl req -x509"). This file sets
# no req_extensions, so as far as this file shows a CSR built from it carries
# none of [ server_cert ]; the issuing CA decides what the certificate gets.
x509_extensions = server_cert

# Certificate subject. commonName is the host name the certificate is for.
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = IdF
localityName = Paris
organizationName = Soft'n'Design Inc
organizationalUnitName = Security
commonName = babylon.softndesign.org
emailAddress = webmaster@localhost

# Extensions for an end-entity (non-CA) TLS server certificate.
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# nsCertType/nsComment are obsolete Netscape-era extensions; harmless, but
# ignored by current clients.
nsCertType = server
nsComment = Babylon Certificate
# NOTE(review): no subjectAltName is set. Modern clients match the host name
# against the SAN extension rather than commonName, so a self-signed
# certificate from this file would need e.g.
# "subjectAltName = DNS:babylon.softndesign.org" here to be accepted.