Home / server / Questions / 713475
In Process
astropanic
Asked: 2015-08-12 13:35:52 +0800 CST

automate generation of SSL certificates

  • 772

How I can automate the generation of self signed certificates when I know the domain name ?

This works, but it asks me on the command line prompt certain questions.

How I should change it to ignore the questions and automatically enter the FQDN ?

#! /bin/bash

echo 01 > ca.srl
openssl genrsa -des3 -out ca-key.pem
openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem

openssl genrsa -des3 -out server-key.pem
openssl req -new -key server-key.pem -out server.csr

openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem

openssl genrsa -des3 -out client-key.pem
openssl req -new -key client-key.pem -out client.csr

echo extendedKeyUsage = clientAuth > extfile.cnf

openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem -extfile extfile.cnf

openssl rsa -in server-key.pem -out server-key.pem
openssl rsa -in client-key.pem -out client-key.pem
ssl

3 Answers

  1. Thanks, I laughed. If you know you want to create multiplies of certificates, set up a private CA.

    But, if you insist, creation of a self-signed certificate is just one line.

    openssl req -newkey rsa:4096 -x509 -extensions x509_ca -keyout $HOME/ca.key -out $HOME/ca-$(date +%Y%m%d-%H%M).crt -days 3654

    That, assuming you have correctly pre-set the openssl.conf.

    You will need to pass subjectAltName values through environment variables, though, they can't be specified in commandline.

    I.e.:

    SSLSAN="email:copy,DNS:www.example.org" openssl req …

    And in openssl.conf:

    # Global:
SSLSAN = email:copy
…
[req]
subjectAltName = ${ENV::SSLSAN}
…
[ org1_policy ]
subjectAltName          = optional
    • 1

  2. Wow, that's a lot more than you need. Here's what I do:

    openssl genrsa -out /etc/ssl/private/${name}.pem 2048
openssl req -new -key /etc/ssl/private/${name}.pem -subj /CN=${name}/ -out /etc/ssl/${name}.csr
openssl x509 -req -days 3650 -in /etc/ssl/${name}.csr -signkey /etc/ssl/private/${name}.pem -out /etc/ssl/certs/${name}.pem
    • 0

  3. I think the way to do it is to create a separate directory for your CA. Put your CA signing certificates in there and create configuration file with most of the attributes pre-filled (i.e. O,OU,DC,Alternative Subject, etc.). Then generate a certificate providing desired profile name and FQDN on command line.

    I do not have an example but you can find more details in OpenSSL documentation.

    • 0