Here's a handy shell script for creating SSL certs for use in things like Apache, Exim, Dovecot, etc. It can also create a local certificate authority for self-signing if you aren't using an official CA. In typical usage one would run makekey and makecsr, then send server.csr to a CA to get it signed. After receiving server.crt back, run makedh and makepem to produce a single PEM file that can be used with most software.
sslkeygen.sh#!/bin/sh
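# Abort on the first failing command and on any unset variable, so a failed
# openssl step is never silently followed by the next one.
set -eu

# Unencrypted private keys and the combined PEM are written below; create
# every new file owner-only instead of relying on the caller's umask.
umask 077

# openssl binary; can be overridden with OPENSSL=/path/to/openssl.
OPENSSL="${OPENSSL:-/usr/bin/openssl}"

# die MESSAGE...: print MESSAGE on stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# need_file FILE HINT: exit 1 with "FILE missing, HINT" unless FILE exists.
need_file() {
  [ -f "$1" ] || die "$1 missing, $2"
}

if [ $# -lt 2 ]; then
  printf '%s\n\n%s\n\n' "This script takes 2 params" "$0 <mode> <key filename>" >&2
  exit 1
fi

# Prefix of every per-server file (.key, .csr, .crt, .dh, .pem).
SERVER=$2

case "$1" in
  makeca)
    # 4096-bit CA key wrapped with AES-256 (the original used 3DES), and a
    # self-signed CA certificate valid for 1825 days (5 years).
    "$OPENSSL" genrsa -aes256 -out ca.key 4096
    "$OPENSSL" req -new -x509 -days 1825 -key ca.key -out ca.crt
    ;;
  makekey)
    # Keep a passphrase-protected copy, then write the passphrase-less key
    # that daemons load at startup (protected only by the 0600 mode above).
    "$OPENSSL" genrsa -aes256 -out "${SERVER}.key.encrypted" 2048
    "$OPENSSL" rsa -in "${SERVER}.key.encrypted" -out "${SERVER}.key"
    ;;
  makecsr)
    need_file "${SERVER}.key" "run \"$0 makekey\" first."
    "$OPENSSL" req -new -key "${SERVER}.key" -out "${SERVER}.csr"
    ;;
  signcrt)
    # Both CA files are required; report whichever one is actually missing.
    need_file ca.key "run \"$0 makeca\" first."
    need_file ca.crt "run \"$0 makeca\" first."
    need_file "${SERVER}.csr" "run \"$0 makecsr\" first."
    # -CAcreateserial keeps a counter in ca.srl so each certificate issued by
    # this CA gets a distinct serial number; the original's hard-coded
    # "-set_serial 01" gave every signed certificate the same serial.
    "$OPENSSL" x509 -req -days 1825 -in "${SERVER}.csr" -CA ca.crt \
      -CAkey ca.key -CAcreateserial -out "${SERVER}.crt"
    ;;
  makedh)
    # 2048-bit DH parameters via dhparam (which replaces the obsolete gendh);
    # the original's 512-bit output is far below current minimums. openssl
    # seeds its own RNG, so the dd/-rand step is no longer needed. This can
    # take a while.
    "$OPENSSL" dhparam -out "${SERVER}.dh" 2048
    ;;
  makepem)
    need_file "${SERVER}.key" "run \"$0 makekey\" first."
    need_file "${SERVER}.crt" "obtain from CA or run \"$0 signcrt\" first."
    # Key first, then certificate, in one write.
    cat "${SERVER}.key" "${SERVER}.crt" > "${SERVER}.pem"
    ;;
  *)
    # Plain quotes here: $"..." is a bash locale extension that /bin/sh
    # (dash) does not understand and would print literally.
    printf '\n%s\n\n' "Usage: $0 {makeca|makekey|makecsr|signcrt|makedh|makepem} <key filename>" >&2
    exit 2
    ;;
esac
exit 0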
Source: http://tacticalvim.wordpress.com/2010/06/20/sslkeygen-sh-complete-ssl-cert-creation-helper-script/

One more, even better, script:
gencert.sh#!/bin/bash
# Bash shell script for generating self-signed certs. Run this in a folder, as it
# generates a few files. Large portions of this script were taken from the
# following article:
#
# http://usrportage.de/archives/919-Batch-generating-SSL-certificates.html
#
# Additional alterations by: Brad Landers
# Date: 2012-01-27
# Script accepts a single argument, the fqdn for the cert
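# DOMAIN is also the prefix of every file written in this folder, so a value
# containing "/" (e.g. "../x") would place key material elsewhere; reject it.
DOMAIN="$1"
if [ -z "$DOMAIN" ]; then
  echo "Usage: $(basename "$0") <domain>" >&2
  exit 11
fi
case "$DOMAIN" in
  */*)
    echo "domain must not contain '/'" >&2
    exit 11
    ;;
esac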
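# fail_if_error STATUS: abort the script with exit code 10 when STATUS (a
# command's $?) is anything other than 0, dropping PASSPHRASE from the
# environment first. Returns 0 otherwise; the original's "&& { ... }" form
# returned 1 on success, which would trip callers running under set -e.
# An empty or missing STATUS is treated as a failure (the original also
# exited 10 in that case, via a "[" syntax error).
fail_if_error() {
  if [ "${1:-}" != 0 ]; then
    unset PASSPHRASE
    exit 10
  fi
  return 0
}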
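# Generate a passphrase for the intermediate encrypted key. Only 62 of 256
# byte values survive tr -dc, so 500 input bytes yielded ~121 characters on
# average and "head -c 128" often came up short; 1000 bytes reliably fills
# the 128. The value reaches openssl via env:PASSPHRASE rather than argv so
# it is not visible in ps output (it is still readable by the same user via
# the process environment).
PASSPHRASE=$(head -c 1000 /dev/urandom | tr -dc a-z0-9A-Z | head -c 128)
export PASSPHRASE
[ "${#PASSPHRASE}" -eq 128 ] || fail_if_error 1

# Private key files are created below; make them owner-only instead of
# relying on the caller's umask (openssl's own handling of output modes
# varies by version, so do not depend on it).
umask 077

# Certificate details; replace items in angle brackets with your own info
subj="
C=<COUNTRY>
ST=<STATE>
O=<COMPANY_NAME>
localityName=<CITY>
commonName=$DOMAIN
organizationalUnitName=<DEPARTMENT_NAME>
emailAddress=<ADMIN_EMAIL>
"
# Generate the server private key, wrapped with AES-256 under the passphrase
# above (the original used 3DES)
openssl genrsa -aes256 -out "$DOMAIN.key" -passout env:PASSPHRASE 2048
fail_if_error $?
# Generate the CSR. The subject lines are joined with "/" into the
# "/C=.../ST=.../commonName=$DOMAIN/..." form openssl expects; printf avoids
# the non-portable "echo -n".
openssl req \
  -new \
  -batch \
  -subj "$(printf '%s' "$subj" | tr '\n' '/')" \
  -key "$DOMAIN.key" \
  -out "$DOMAIN.csr" \
  -passin env:PASSPHRASE
fail_if_error $?
# Keep the passphrase-protected key as $DOMAIN.key.org
cp "$DOMAIN.key" "$DOMAIN.key.org"
fail_if_error $?
# Strip the password so we don't have to type it every time we restart Apache
openssl rsa -in "$DOMAIN.key.org" -out "$DOMAIN.key" -passin env:PASSPHRASE
fail_if_error $?
# Generate the cert (good for 10 years)
openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"
fail_if_error $?
# The passphrase is no longer needed once the unencrypted key exists.
unset PASSPHRASE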
Source: https://gist.github.com/bradland/1690807