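#!/bin/bash
##
## new-server-cert.sh - create the server cert
## Copyright (c) 2000 Yeak Nai Siew, All Rights Reserved.
##
## Usage: new-server-cert.sh <www.domain.com> [subjectAltName1 [san2 ...]]
##
## Creates (or reuses, after asking) <cn>.key, writes a throw-away openssl
## request config and produces <cn>.csr from it.  The CN is always emitted as
## the first subjectAltName entry (Chrome ignores the CN); extra arguments are
## added as DNS or IP entries.  Requires bash (read -p, [[ ]], arithmetic).
##
set -euo pipefail

readonly KEYBITS=2048
readonly HASHALGO="sha256"

# Path of the temporary openssl config; set in main, removed by cleanup.
CONFIG=

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Remove the temporary config on every exit path (also after openssl errors).
# Globals:   CONFIG (read)
#######################################
cleanup() {
  if [[ -n "${CONFIG:-}" ]]; then
    rm -f -- "$CONFIG"
  fi
}
trap cleanup EXIT

#######################################
# Classify a SAN value as an IP literal or a DNS name.
# Arguments: $1 - SAN value
# Returns:   0 if $1 is an IPv4 dotted quad or contains ':' (IPv6 literal,
#            never valid in a DNS name), 1 otherwise
#######################################
is_ip_san() {
  local san=$1
  local ipv4_re='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
  [[ "$san" =~ $ipv4_re || "$san" == *:* ]]
}

#######################################
# Append the subjectAltName section (CN first, then extra SANs) to the config.
# Duplicates, including a repeated CN, are emitted only once.
# Arguments: $1 - config file path
#            $2 - common name
#            $3.. - additional subject alternative names
# Outputs:   appends "[alt_names]" entries to $1
# Returns:   0, or exits via die on a SAN that would corrupt the config
#######################################
write_san_section() {
  local config=$1 cn=$2
  shift 2
  local numi=1 numd=1 san
  # newline-delimited list of values already written; bash-3 safe (no -A)
  local seen=$'\n'
  {
    printf 'subjectAltName = @alt_names\n'
    printf '[alt_names]\n'
  } >> "$config"
  for san in "$cn" "$@"; do
    if [[ -z "$san" || "$seen" == *$'\n'"$san"$'\n'* ]]; then
      continue
    fi
    # a SAN is written verbatim into the config: whitespace (especially a
    # newline) could inject further config lines, so refuse it
    if [[ "$san" == *[[:space:]]* ]]; then
      die "refusing subjectAltName with whitespace: '$san'"
    fi
    seen+="$san"$'\n'
    if is_ip_san "$san"; then
      printf 'IP.%d = %s\n' "$numi" "$san" >> "$config"
      numi=$((numi + 1))
    else
      printf 'DNS.%d = %s\n' "$numd" "$san" >> "$config"
      numd=$((numd + 1))
    fi
  done
}

#######################################
# Entry point: generate/reuse the key, write the request config, create the CSR.
# Globals:   KEYBITS, HASHALGO (read), CONFIG (written)
# Arguments: $1 - common name; $2.. - extra SANs
# Outputs:   <cn>.key (if missing), <cn>.csr; progress messages on stdout
# Returns:   exits 1 on usage error or unsafe input; openssl failures abort
#            via set -e
#######################################
main() {
  if (( $# < 1 )); then
    printf 'Usage: %s <www.domain.com> [subjectAltName1 [san2 ...]]\n' "$0" >&2
    exit 1
  fi
  local cn=$1
  shift

  # The CN names the key/CSR files and is interpolated into the openssl config:
  # refuse values that could escape the working directory or inject config.
  case $cn in
    '' | */* | .* | *[[:space:]]*)
      die "refusing unsafe common name: '$cn'"
      ;;
  esac

  local key="$cn.key" csr="$cn.csr" answer

  # if the private key exists, ask whether to generate a new one
  if [[ -f "$key" ]]; then
    # EOF on stdin counts as "no", as before
    read -r -p "a key for this cn is already existing, generate a new one? " answer || answer=
    if [[ "$answer" == [Yy] ]]; then
      rm -f -- "$key"
    fi
  fi

  if [[ ! -f "$key" ]]; then
    printf 'No %s found. Generating one\n' "$key"
    # subshell umask: the private key must never be group/world-readable,
    # whatever the caller's umask or openssl's defaults are
    ( umask 077 && openssl genrsa -out "$key" "$KEYBITS" )
    printf '\n'
  fi

  # Fill the necessary certificate data into an unpredictable temp file
  CONFIG=$(mktemp "${TMPDIR:-/tmp}/server-cert.XXXXXX") || die "mktemp failed"
  cat >"$CONFIG" <<EOT
[ req ]
default_bits = $KEYBITS
default_keyfile = server.key
default_md = $HASHALGO
distinguished_name = req_distinguished_name
string_mask = nombstr
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Texas
localityName = Locality Name (eg, city)
localityName_default = Austin
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Personal Organization
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Secure Server
commonName = Common Name (eg, www.domain.com)
commonName_default = $cn
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ v3_req ]
nsCertType = server
basicConstraints = critical,CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOT
  # extendedKeyUsage = serverAuth above: modern TLS clients expect it on
  # server certs; whether it survives depends on the signing step copying
  # request extensions.

  # The CN is always a SAN (Chrome compatibility), so the section is always
  # written even without extra arguments.
  write_san_section "$CONFIG" "$cn" "$@"

  printf 'Fill in certificate data\n'
  openssl req -new -config "$CONFIG" -key "$key" -out "$csr"
  printf '\n'
  printf 'You may now run ./sign-server-cert.sh to get it signed\n'
}

main "$@"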