Before using the script, edit the `Certificate info` block to match whatever names you'd like to use (the organization doesn't really have to exist). The script will, on demand, create a root certificate, a signed server certificate, a signed personal certificate and a certificate revocation list.
#!/bin/bash
####################################################################
#
# Helper script for creating self signed certificates
# - author: Gordon
# - revision: 2
#
####################################################################
#-------------------------------
# Certificate info
# - change these to reflect your own organization
#-------------------------------
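ROOTNAME="ACME Corp. CA"
ORGANIZATION="ACME Corp."
COUNTRY=NL
PROVINCE="Zuid Holland"
CITY=Delft
EMAILDOMAIN=acmecorp.org
#-------------------------------
# Optional variables
# - hint: don't touch these
#-------------------------------
CERTDIR="$HOME/certs" # where the certificates will be stored
# File name given to your root certificate: ROOTNAME with everything except
# ASCII letters stripped (parameter expansion instead of an echo|sed subshell).
CABASE=${ROOTNAME//[^A-Za-z]/}
CERTDAYS=3650 # number of days that the certificate to create will be valid
CADAYS=7300 # number of days that the certificate authority will be valid
KEYBITS=2048 # RSA key size for issued server/client certificates (1024 is no longer accepted by current clients)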
#-------------------------------
# Code start
#-------------------------------
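#######################################
# Create a new root certificate authority under $CERTDIR/CA together with
# the bookkeeping files and the private openssl config section that
# `openssl ca` needs to sign with it.
# Globals:   CERTDIR, CABASE, CADAYS, CERTDAYS, COUNTRY, PROVINCE, CITY,
#            ORGANIZATION, ROOTNAME, EMAILDOMAIN (all read)
# Outputs:   progress on stdout, diagnostics on stderr
# Returns:   0 on success, 1 if an openssl step or the config copy fails;
#            exits with status 1 when a root certificate already exists
# Notes:     the CA section now uses sha256 (sha1 signatures are rejected
#            by current clients) and its `crl` entry points at the file
#            createrevokationlist actually writes ($dir/CA/<base>.crl).
#######################################
createrootcert() {
  local cadir="$CERTDIR/CA"
  local cakey="$cadir/$CABASE.key"
  local cacrt="$cadir/$CABASE.crt"
  local cacnf="$cadir/$CABASE.cnf"
  local cnf_src=/etc/ssl/openssl.cnf

  echo "Creating new Root Certificate Authority"
  # The CA folder holds the CA private key, so keep it owner-only.
  mkdir -p -- "$cadir" || return 1
  chmod 700 -- "$cadir" || return 1
  mkdir -p -- "$CERTDIR/temp" || return 1 # cert requests land here; safe to delete afterwards
  # Refuse to overwrite an existing CA: that would invalidate every certificate it issued.
  if [[ -f "$cacrt" ]]; then
    echo "Root certificate already exists!" >&2
    exit 1
  fi
  if [[ ! -f "$cnf_src" ]]; then
    echo "Cannot find $cnf_src to use as config template" >&2
    return 1
  fi
  # Generate the CA key under a restrictive umask so it is never readable by others, even briefly.
  ( umask 077 && /usr/bin/openssl genrsa -out "$cakey" 4096 >/dev/null 2>&1 ) || {
    echo "Failed to generate the CA key" >&2
    return 1
  }
  # -subj carries the same fields, in the same order, that the old here-doc fed to the
  # interactive prompts, without depending on how the distro's openssl.cnf sets up prompting.
  # -sha256 makes the digest explicit instead of relying on the config's default.
  /usr/bin/openssl req -new -x509 -sha256 -days "$CADAYS" -key "$cakey" -out "$cacrt" \
    -subj "/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=Certificate Authority/CN=$ROOTNAME/emailAddress=info@$EMAILDOMAIN" \
    >/dev/null 2>&1 || {
    echo "Failed to create the root certificate" >&2
    return 1
  }
  # Bookkeeping files that `openssl ca` requires.
  echo "01" > "$cadir/$CABASE.srl"                      # next serial number
  touch -- "$cadir/index.txt"                           # the certificate database
  echo "unique_subject = no" > "$cadir/index.txt.attr"  # allow re-issuing for the same subject
  # Private copy of the openssl conf with our own CA section appended - we don't use `default`
  # because we don't know what that entry contains (people tend to make changes in there).
  cp -- "$cnf_src" "$cacnf" || return 1
  cat >> "$cacnf" << EOCNF
[ CA_$CABASE ]
dir = $CERTDIR
certificate = \$dir/CA/$CABASE.crt
private_key = \$dir/CA/$CABASE.key
serial = \$dir/CA/$CABASE.srl
database = \$dir/CA/index.txt
RANDFILE = \$dir/CA/.rand
crl = \$dir/CA/$CABASE.crl
certs = \$dir
crl_dir = \$dir
new_certs_dir = \$dir/temp
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = $CERTDAYS
default_crl_days= $CERTDAYS
default_md = sha256
preserve = no
EOCNF
}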
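#######################################
# Abort unless the root certificate exists; call before any operation that
# needs the CA (signing, revoking, CRL generation).
# Globals:   CERTDIR, CABASE (read)
# Outputs:   error message on stderr
# Returns:   0 if the root certificate is present; exits with 1 otherwise
#            (the old bare `exit` reported success to the calling shell)
#######################################
checkrootcert() {
  if [[ ! -f "$CERTDIR/CA/$CABASE.crt" ]]; then
    echo "You must create a root certificate first!" >&2
    exit 1
  fi
}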
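#######################################
# Generate a private key and a certificate signing request for a name.
# Globals:   CERTDIR, KEYBITS (optional, default 2048), COUNTRY, PROVINCE,
#            CITY, ORGANIZATION, OUNAME, EMAIL (read)
# Arguments: $1 - certificate name; used as file base name and as the CN
# Outputs:   $CERTDIR/<name>.key (owner-only) and $CERTDIR/temp/<name>.req
# Returns:   0 on success, 1 if an openssl step fails
#######################################
createrequest() {
  local name=$1
  local key="$CERTDIR/$name.key"
  local req="$CERTDIR/temp/$name.req"
  # 1024-bit RSA is rejected by current clients; keep the key file owner-only from creation.
  ( umask 077 && /usr/bin/openssl genrsa -out "$key" "${KEYBITS:-2048}" >/dev/null 2>&1 ) || {
    echo "Failed to generate key for $name" >&2
    return 1
  }
  # -subj mirrors the prompt order of the old here-doc. The CN is the requested name;
  # the old code used $SERVERNAME, which is empty when only a client cert is requested.
  # NOTE(review): no subjectAltName is set; current browsers ignore the CN for server
  # certificates, so server certs issued this way will need a SAN to be accepted.
  /usr/bin/openssl req -new -key "$key" -out "$req" \
    -subj "/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$OUNAME/CN=$name/emailAddress=$EMAIL" \
    >/dev/null 2>&1 || {
    echo "Failed to create certificate request for $name" >&2
    return 1
  }
}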
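#######################################
# Sign a pending request with the CA and write the certificate.
# Globals:   CERTDIR, CABASE (read)
# Arguments: $1 - certificate name (as given to createrequest)
# Outputs:   $CERTDIR/<name>.crt; openssl's own output stays visible
# Returns:   the exit status of `openssl ca`
#######################################
signcert() {
  local name=$1
  # -batch answers the sign/commit prompts that the old here-doc fed with "y".
  /usr/bin/openssl ca -batch -config "$CERTDIR/CA/$CABASE.cnf" -name "CA_$CABASE" \
    -policy policy_anything -in "$CERTDIR/temp/$name.req" -out "$CERTDIR/$name.crt"
}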
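#######################################
# Create and sign a server certificate (PEM) for a host name.
# Globals:   EMAILDOMAIN (read); EMAIL, OUNAME (written, read by createrequest)
# Arguments: $1 - server name
# Returns:   0 on success, non-zero if request creation or signing fails
#######################################
createservercert() {
  local name=$1
  echo "Creating new server certificate for $name"
  EMAIL="webmaster@$EMAILDOMAIN"
  OUNAME="Web Services"
  createrequest "$name" || return 1
  signcert "$name"
}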
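#######################################
# Create and sign a client certificate and bundle it as PKCS#12.
# Globals:   CERTDIR, EMAILDOMAIN (read); EMAIL, OUNAME (written, read by createrequest)
# Arguments: $1 - client name
# Outputs:   $CERTDIR/<name>.p12; `openssl pkcs12` prompts for the export password
# Returns:   0 on success, non-zero if any step fails
#######################################
createclientcert() {
  local name=$1
  echo "Creating new client certificate for $name"
  EMAIL="$name@$EMAILDOMAIN"
  OUNAME="Remote Workers"
  createrequest "$name" || return 1
  signcert "$name" || return 1
  /usr/bin/openssl pkcs12 -export -in "$CERTDIR/$name.crt" -inkey "$CERTDIR/$name.key" \
    -name "$name Remote Worker Cert" -out "$CERTDIR/$name.p12"
}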
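#######################################
# Regenerate the certificate revocation list from the CA database.
# Globals:   CERTDIR, CABASE (read)
# Outputs:   $CERTDIR/CA/<base>.crl
# Returns:   the exit status of `openssl ca -gencrl`
#######################################
createrevokationlist() {
  echo "Creating new certificate revoke list"
  /usr/bin/openssl ca -gencrl -config "$CERTDIR/CA/$CABASE.cnf" -name "CA_$CABASE" \
    -out "$CERTDIR/CA/$CABASE.crl"
}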
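#######################################
# Mark a certificate as revoked in the CA database. The caller is expected
# to regenerate the CRL afterwards (see createrevokationlist).
# Globals:   CERTDIR, CABASE (read)
# Arguments: $1 - certificate name
# Returns:   the exit status of `openssl ca -revoke`
#            (the stray `echo 1` debug output was removed)
#######################################
revokecert() {
  local name=$1
  echo "Revoking certificate for $name"
  /usr/bin/openssl ca -config "$CERTDIR/CA/$CABASE.cnf" -name "CA_$CABASE" -revoke "$CERTDIR/$name.crt"
}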
#-------------------------------
# Execution start
#-------------------------------
# Init execution values
# One flag per action (set by the argument parser below), the names they
# operate on, and the parser's own state variable.
CREATEROOTCA=0 CREATESERVER=0 CREATEPERSONAL=0 REVOKECERT=0 CREATECRL=0
HELP=1                          # show usage unless a valid action is parsed
CLIENTNAME='' SERVERNAME=''     # filled by -p and -s/-d respectively
NEXTARG=''                      # which variable the next argument should fill
# Read arguments
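#######################################
# Parse the command line into the action flags and the name variables.
# Replaces the old parser, which ran `eval $NEXTARG=$arg` on user input
# (shell injection via a crafted name) and accepted any string as a name
# even though names become file paths under $CERTDIR and the certificate CN.
# Arguments: the script's arguments ("$@")
# Outputs:   error message on stderr for a bad or missing parameter
# Sets:      CREATEROOTCA CREATESERVER CREATEPERSONAL REVOKECERT CREATECRL
#            HELP SERVERNAME CLIENTNAME
#######################################
parse_args() {
  local opt
  while (( $# > 0 )); do
    opt=$1
    case "$opt" in
      -r) CREATEROOTCA=1; HELP=0 ;;
      -l) CREATECRL=1; HELP=0 ;;
      -h) HELP=1; return ;;   # -h wins over any other flag on the line
      -s|-p|-d)
        # A name must follow, limited to a conservative character set: no '/',
        # no leading '.', nothing that looks like another option.
        if (( $# < 2 )) || [[ ! "$2" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
          echo "Bad parameter: $opt needs a name made of [A-Za-z0-9._-]" >&2
          HELP=1
          return
        fi
        case "$opt" in
          -s) SERVERNAME=$2; CREATESERVER=1 ;;
          -d) SERVERNAME=$2; REVOKECERT=1 ;;   # -s and -d share SERVERNAME, as before
          -p) CLIENTNAME=$2; CREATEPERSONAL=1 ;;
        esac
        HELP=0
        shift
        ;;
      *)
        echo "Bad parameter: $opt" >&2
        HELP=1
        return
        ;;
    esac
    shift
  done
}
parse_args "$@"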
# Test for an invalid combination of parameters supplied to the script
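#######################################
# Print the usage text (stdout). Lists every flag the parser accepts;
# -d and -l were missing from the old summary line.
#######################################
usage() {
  echo "Usage: ${0##*/} [-r] [-s <name>] [-p <name>] [-d <name>] [-l] [-h]"
  echo " -r create new root CA (pem)"
  echo " -s <name> create new server certificate for <name> (pem)"
  echo " -p <name> create new client certificate for <name> (pkcs-12)"
  echo " -d <name> revoke certificate for <name>"
  echo " -l create new Certificate Revokation List"
  echo " -h this help text"
}
# Test for an invalid combination of parameters: a name that still looks like an
# option means its flag was given without a value (the parser may leave the flag
# itself in the variable as a placeholder). The old sed/awk pipeline only caught
# this when the combined SERVERNAME+CLIENTNAME string began with '-', so
# `-s host -p` slipped through; check each name on its own.
if (( HELP < 1 )); then
  if [[ "$SERVERNAME" == -* || "$CLIENTNAME" == -* ]]; then
    HELP=1
  fi
fi
if (( HELP > 0 )); then
  usage
  exit 0
fi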
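# Run the requested actions in a fixed order. Everything except -r needs an
# existing CA, so verify it first (checkrootcert was defined but never called);
# stop at the first failing step instead of carrying on with a broken state.
if (( CREATEROOTCA > 0 )); then
  createrootcert || exit 1
  createrevokationlist || exit 1
fi
if (( CREATESERVER > 0 )); then
  checkrootcert
  createservercert "$SERVERNAME" || exit 1
fi
if (( CREATEPERSONAL > 0 )); then
  checkrootcert
  createclientcert "$CLIENTNAME" || exit 1
fi
if (( CREATECRL > 0 )); then
  checkrootcert
  createrevokationlist || exit 1
fi
if (( REVOKECERT > 0 )); then
  checkrootcert
  revokecert "$SERVERNAME" || exit 1
  createrevokationlist || exit 1
fi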