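#!/bin/bash
###################################################################
# Make SSL Keypair
#
# For one common name plus any number of optional SANs, produces in
# the current directory:
#   <cn>.key  private key
#   <cn>.csr  certificate signing request
#   <cn>.crt  self-signed certificate (test use only)
#   <cn>.pfx  PKCS#12 bundle of private key + self-signed certificate
#
# CSR Decoder    http://www.sslshopper.com/csr-decoder.html
# Cert Decoder   http://www.sslshopper.com/certificate-decoder.html
# Test CSR       $ openssl req -text -noout -verify -in CSR.csr
# Test Pub Cert  $ openssl x509 -in certificate.crt -text -noout
# Test Priv Key  $ openssl rsa -in privateKey.key -check
# Test PKCS12    $ openssl pkcs12 -info -in keyStore.pfx
##################################################################
# Edit these variables for your Organization and site location
C='US'
ST='State'
L='Austin'
O='My Organization'
OU='My Organizational Unit'
PFXPASSWORD='password'   # handed to openssl through the environment, never argv
KEYSIZE=2048
DAYS=1825                # validity period of the self-signed test certificate
##################################################################
# DO NOT EDIT any variables below this line
###################################################################

# Unset variables are bugs here; errors are checked explicitly below so that the
# final "something went wrong" path stays reachable instead of using set -e.
set -u

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# If the user provides no parameters then display usage hint
if [ $# -lt 1 ]; then
  printf ' \n'
  printf 'Make SSL Keypair\n'
  printf '================\n'
  printf 'Input: The common name plus optional unlimited SANs on the command line\n'
  printf 'Output: CSR, self-signed public cert, private key, combined pfx file\n\n'
  printf 'Example: $ ./make-keyfile.bash www.myweb.com [www2.myweb.com www.myweb.org 10.128.14.15]\n\n'
  exit
fi
COMMONNAME=$1

# Fail before prompting or touching any file if openssl is unavailable.
command -v openssl >/dev/null 2>&1 || die $'Error: OpenSSL is not in the path.\nExiting.'

# Ask before clobbering a previous run's output (a private key in particular).
if [[ -s "$COMMONNAME.key" || -s "$COMMONNAME.csr" || -s "$COMMONNAME.crt" || -s "$COMMONNAME.pfx" ]]; then
  echo
  read -r -p "Warning: Do you want to overwrite existing output files (Y/n)? "
  if [ "$REPLY" != "Y" ]; then
    printf '\nQuitting . . .\n\n'
    exit
  fi
fi

##############################################################################
# Make the config file that we will feed into openssl to create public key.
# mktemp gives an unpredictable, exclusively created name; the old
# /tmp/<name>.<nanoseconds> scheme could be guessed and pre-created or
# symlinked by another local user. The trap removes it on every exit path.
CONFIGFILE=$(mktemp "${TMPDIR:-/tmp}/make-ssl-keypair.XXXXXX") || die "Error: mktemp failed."
cleanup() { rm -f -- "$CONFIGFILE"; }
trap cleanup EXIT

# A heredoc writes the text verbatim; the former echo -e would have reinterpreted
# backslash sequences inside O/OU/CN values.
cat > "$CONFIGFILE" <<EOF
[ req ]
distinguished_name=req_distinguished_name
prompt=no
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ req_distinguished_name ]
C=$C
ST=$ST
L=$L
O=$O
OU=$OU
CN=$COMMONNAME

[ alt_names ]
EOF

# Every argument (the CN included) becomes a SAN entry. RFC 5280 requires IP
# addresses to be iPAddress entries, so IPv4 dotted quads and anything containing
# ':' (IPv6; hostnames cannot contain ':') are written as IP.n instead of DNS.n.
dns_idx=1
ip_idx=1
for arg in "$@"; do
  if [[ $arg =~ ^[0-9]+(\.[0-9]+){3}$ || $arg == *:* ]]; then
    printf 'IP.%d = %s\n' "$ip_idx" "$arg" >> "$CONFIGFILE"
    ip_idx=$((ip_idx + 1))
  else
    printf 'DNS.%d = %s\n' "$dns_idx" "$arg" >> "$CONFIGFILE"
    dns_idx=$((dns_idx + 1))
  fi
done

echo
echo Running . . .
echo

# Files containing the private key (.key and .pfx) are created under umask 077 so
# they are never group/world readable. stdout is discarded but stderr is kept so
# an openssl failure is diagnosable rather than silently yielding empty files.
# The PKCS#12 pass phrase is supplied via env: rather than pass:, which would
# expose it to every local user through the process list.
(umask 077 && openssl genrsa -out "$COMMONNAME.key" "$KEYSIZE" >/dev/null) \
  && openssl req -new -key "$COMMONNAME.key" -out "$COMMONNAME.csr" \
       -config "$CONFIGFILE" >/dev/null \
  && openssl x509 -req -days "$DAYS" -in "$COMMONNAME.csr" -signkey "$COMMONNAME.key" \
       -out "$COMMONNAME.crt" -extensions v3_req -extfile "$CONFIGFILE" >/dev/null \
  && (umask 077 && PFXPASSWORD="$PFXPASSWORD" openssl pkcs12 -export -passout env:PFXPASSWORD \
       -out "$COMMONNAME.pfx" -in "$COMMONNAME.crt" -inkey "$COMMONNAME.key" >/dev/null)

if [[ -s "$COMMONNAME.key" && -s "$COMMONNAME.csr" && -s "$COMMONNAME.crt" && -s "$COMMONNAME.pfx" ]]; then
  echo Success!
  echo
  echo Output Files
  echo ============
  printf '%s/%s.key  <-- private key\n' "$PWD" "$COMMONNAME"
  printf '%s/%s.csr  <-- certificate signing request\n' "$PWD" "$COMMONNAME"
  printf '%s/%s.crt  <-- self-signed certificate for test only\n' "$PWD" "$COMMONNAME"
  printf '%s/%s.pfx  <-- private key + self-signed certificate\n' "$PWD" "$COMMONNAME"
  echo
else
  # Non-zero exit so callers and CI can tell the run failed.
  die "Error: Something went wrong. Exiting."
fi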