Skip to content

Instantly share code, notes, and snippets.

@draptik
Created March 18, 2020 14:57
Show Gist options
  • Save draptik/12ae5628ae7f7ded7cddd92c6d9636ee to your computer and use it in GitHub Desktop.
Save draptik/12ae5628ae7f7ded7cddd92c6d9636ee to your computer and use it in GitHub Desktop.
create self-signed server and client certificate with openssl
#!/bin/bash
## Create self signed certificate (server and client)
##
## Combination of
##
## - https://medium.com/the-new-control-plane/generating-self-signed-certificates-on-windows-7812a600c2d8
## - https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/
##
## Configuration file: `openssl.cnf` contains information about the site being configured.
##
## Example content of `openssl.cnf`:
##
## OpenSSL root CA configuration file
##
## ---------------------------------------------------
## [req]
## distinguished_name = req_distinguished_name
## x509_extensions = v3_req
## prompt = no
##
## [req_distinguished_name]
## C = DE
## #ST =
## #L =
## #O =
## #OU =
## CN = your-domain.com
##
## [v3_req]
## keyUsage = critical, digitalSignature, keyAgreement
## extendedKeyUsage = serverAuth
## subjectAltName = @alt_names
##
## [alt_names]
## DNS.1 = your-domain.com
## DNS.2 = www.your-domain.com
##
## ---------------------------------------------------
OUTPUT_FOLDER="output"
[ ! -d ${OUTPUT_FOLDER} ] && mkdir ${OUTPUT_FOLDER}
## Generate CA certificate.
## Output: ca.key and ca.cer
##
echo -e "\n==> Generating CA certificate..."
## NOTE: Remove the `-nodes` flag if you want to enter a passphrase
openssl req \
-newkey rsa:4096 \
-keyform PEM \
-keyout ${OUTPUT_FOLDER}/ca.key \
-x509 \
-days 3650 \
-outform PEM \
-out ${OUTPUT_FOLDER}/ca.cer \
-config openssl.cnf \
-nodes
## Generate server SSL key and certificate
##
## server private key
## Output: server.key
##
echo -e "\n==> Generating ssl key and certificate..."
openssl genrsa \
-out ${OUTPUT_FOLDER}/server.key 4096
## Use server private key (`server.key`) to generate a certificate generation request
##
## Output: server.req
##
echo -e "\n==> Generating certificate generation request..."
openssl req \
-new -key ${OUTPUT_FOLDER}/server.key \
-out ${OUTPUT_FOLDER}/server.req \
-sha256 \
-config openssl.cnf
## Use the certificate generation request and the CA cert to generate the server cert
##
## Output: server.cer
##
echo -e "\n==> Generating server certificate..."
openssl x509 \
-req \
-in ${OUTPUT_FOLDER}/server.req \
-CA ${OUTPUT_FOLDER}/ca.cer \
-CAkey ${OUTPUT_FOLDER}/ca.key \
-set_serial 100 \
-extensions server \
-days 1460 \
-outform PEM \
-out ${OUTPUT_FOLDER}/server.cer \
-sha256
## Cleanup
rm ${OUTPUT_FOLDER}/server.req
## Generate client certificate
##
## Generate a private key for the SSL client
##
## Output: client.key
##
echo -e "\n==> Generating private key for ssl client..."
openssl genrsa \
-out ${OUTPUT_FOLDER}/client.key 4096
## Use the client’s private key to generate a cert request
##
## Output: client.req
##
echo -e "\n==> Generating client certificate request..."
## NOTE: Remove the `-nodes` flag if you want to enter a passphrase
openssl req \
-new -key ${OUTPUT_FOLDER}/client.key \
-out ${OUTPUT_FOLDER}/client.req \
-config openssl.cnf \
-nodes
## Issue the client certificate using the cert request and the CA cert/key. 
##
## Output: client.cer
##
echo -e "\n==> Generating client certificate..."
openssl x509 \
-req -in ${OUTPUT_FOLDER}/client.req \
-CA ${OUTPUT_FOLDER}/ca.cer \
-CAkey ${OUTPUT_FOLDER}/ca.key \
-set_serial 101 \
-extensions client \
-days 365 \
-outform PEM \
-out ${OUTPUT_FOLDER}/client.cer
## Convert the client certificate and private key to pkcs#12 format for use by browsers.
##
## Output: client.p12
##
echo -e "\n==> Converting client certificate to pkcs#12..."
## NOTE: Remove the `-passout pass:` flag if you want to enter an export passphrase
openssl pkcs12 \
-export \
-inkey ${OUTPUT_FOLDER}/client.key \
-in ${OUTPUT_FOLDER}/client.cer \
-out ${OUTPUT_FOLDER}/client.p12 \
-passout pass:
## Cleanup
rm \
${OUTPUT_FOLDER}/client.key \
${OUTPUT_FOLDER}/client.cer \
${OUTPUT_FOLDER}/client.req
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment