Author Topic: SSL certificate generator bash script  (Read 20403 times)

SSL certificate generator bash script
« on: December 01, 2013, 05:50:43 PM »
Here’s a handy shell script for creating SSL certs for use in things like Apache, Exim, Dovecot, etc. – it can handle creating a local certificate authority to self-sign as well if you aren’t using an official CA. In typical usage one would run makekey, makecsr, and send server.csr to a CA to get signed. After receiving server.crt back, run makedh and makepem to make a nice single PEM file that can be used with most software.

sslkeygen.sh
Code:
#!/bin/sh

# Usual flow: makekey -> makecsr -> send the CSR to a CA (or sign it locally
# with signcrt after makeca) -> makedh -> makepem.
# Changes from the posted version: variables are quoted, private keys are
# protected with AES-256 instead of 3DES, locally signed certs get a unique
# serial (the fixed -set_serial 01 gave every cert from the CA the same one),
# `openssl gendh` (removed in OpenSSL 1.1) is replaced by dhparam with
# 2048-bit parameters (512-bit DH is breakable), and the bash-only $"..."
# string is dropped because the script runs under /bin/sh.

if [ $# -lt 2 ]; then
  echo "This script takes 2 params"
  echo
  echo "$0 <mode> <key filename>"
  echo
  exit 1
fi

SERVER=$2

case "$1" in
  makeca)
    # Passphrase-protected CA key and a self-signed CA cert valid 5 years.
    /usr/bin/openssl genrsa -aes256 -out ca.key 4096
    /usr/bin/openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
    ;;
  makekey)
    # Generate a passphrase-protected key, then write an unencrypted copy so
    # daemons start without a prompt. Keep ${SERVER}.key readable by root only.
    /usr/bin/openssl genrsa -aes256 -out "${SERVER}.key.encrypted" 2048
    /usr/bin/openssl rsa -in "${SERVER}.key.encrypted" -out "${SERVER}.key"
    chmod 600 "${SERVER}.key"
    ;;
  makecsr)
    if [ ! -f "${SERVER}.key" ]; then
      echo "${SERVER}.key missing, run \"$0 makekey\" first."
      exit 1
    fi
    /usr/bin/openssl req -new -key "${SERVER}.key" -out "${SERVER}.csr"
    ;;
  signcrt)
    if [ ! -f ca.key ] || [ ! -f ca.crt ]; then
      echo "ca.key or ca.crt missing, run \"$0 makeca\" first."
      exit 1
    fi
    if [ ! -f "${SERVER}.csr" ]; then
      echo "${SERVER}.csr missing, run \"$0 makecsr\" first."
      exit 1
    fi
    # -CAcreateserial keeps a counter in ca.srl so each cert gets its own serial.
    /usr/bin/openssl x509 -req -days 1825 -in "${SERVER}.csr" -CA ca.crt \
      -CAkey ca.key -CAcreateserial -out "${SERVER}.crt"
    ;;
  makedh)
    # dhparam replaces the old gendh command; 2048-bit generation takes a while.
    /usr/bin/openssl dhparam -out "${SERVER}.dh" 2048
    ;;
  makepem)
    if [ ! -f "${SERVER}.key" ]; then
      echo "${SERVER}.key missing, run \"$0 makekey\" first."
      exit 1
    fi
    if [ ! -f "${SERVER}.crt" ]; then
      echo "${SERVER}.crt missing, obtain from CA or run \"$0 signcrt\" first."
      exit 1
    fi
    # Key first, then cert: the order most daemons expect in a combined file.
    # The bundle contains the unencrypted key, so it gets the same permissions.
    cat "${SERVER}.key" "${SERVER}.crt" > "${SERVER}.pem"
    chmod 600 "${SERVER}.pem"
    ;;
  *)
    echo
    echo "Usage: $0 {makeca|makekey|makecsr|signcrt|makedh|makepem} <key filename>"
    echo
    exit 2
    ;;
esac

exit 0

source:
http://tacticalvim.wordpress.com/2010/06/20/sslkeygen-sh-complete-ssl-cert-creation-helper-script/


One more even better script
gencert.sh
Code:
#!/bin/bash

# Bash shell script for generating self-signed certs. Run this in a folder, as it
# generates a few files. Large portions of this script were taken from the
# following article:
#
# http://usrportage.de/archives/919-Batch-generating-SSL-certificates.html
#
# Additional alterations by: Brad Landers
# Date: 2012-01-27
#
# Changes from the posted version: variables are quoted, fail_if_error no
# longer breaks on an empty argument, the intermediate key is encrypted with
# AES-256 instead of 3DES, the passphrase is cleared on success too, and the
# certificate gets a subjectAltName; without one, current browsers reject a
# cert even when the CN matches the hostname.

# Script accepts a single argument, the fqdn for the cert
DOMAIN="$1"
if [ -z "$DOMAIN" ]; then
  echo "Usage: $(basename "$0") <domain>"
  exit 11
fi

fail_if_error() {
  if [ "${1:-1}" != 0 ]; then
    unset PASSPHRASE
    exit 10
  fi
}

# Generate a passphrase for the intermediate encrypted key (1000 raw bytes
# leave comfortably more than 128 usable characters after filtering)
export PASSPHRASE=$(head -c 1000 /dev/urandom | tr -dc a-z0-9A-Z | head -c 128)

# Certificate details; replace items in angle brackets with your own info
subj="
C=<COUNTRY>
ST=<STATE>
O=<COMPANY_NAME>
localityName=<CITY>
commonName=$DOMAIN
organizationalUnitName=<DEPARTMENT_NAME>
emailAddress=<ADMIN_EMAIL>
"

# Generate the server private key
openssl genrsa -aes256 -out "$DOMAIN.key" -passout env:PASSPHRASE 2048
fail_if_error $?

# Generate the CSR (the newlines in $subj become the / separators -subj expects)
openssl req \
  -new \
  -batch \
  -subj "$(echo -n "$subj" | tr "\n" "/")" \
  -key "$DOMAIN.key" \
  -out "$DOMAIN.csr" \
  -passin env:PASSPHRASE
fail_if_error $?
cp "$DOMAIN.key" "$DOMAIN.key.org"
fail_if_error $?

# Strip the password so we don't have to type it every time we restart Apache
openssl rsa -in "$DOMAIN.key.org" -out "$DOMAIN.key" -passin env:PASSPHRASE
fail_if_error $?
chmod 600 "$DOMAIN.key" "$DOMAIN.key.org"

# Generate the cert (good for 10 years). x509 -req does not copy extensions
# from the CSR, so the SAN is supplied through -extfile (bash process
# substitution avoids a temp file).
openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "$DOMAIN") \
  -out "$DOMAIN.crt"
fail_if_error $?
unset PASSPHRASE

source:
https://gist.github.com/bradland/1690807
« Last Edit: August 20, 2014, 01:56:43 PM by Administrator »
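The end-to-end flow the post describes (local CA, per-host key and CSR, CA-signed cert, combined PEM), as an added example that is not part of the original post or either linked script. It is written to be non-interactive and to fix the two things a reviewer would flag in the scripts above: every leaf cert gets its own serial number rather than the fixed `-set_serial 01`, and every leaf carries a subjectAltName, which is what clients actually match the hostname against. It also checks its own output with `openssl verify` instead of trusting it. Assumed: a POSIX shell, OpenSSL 1.1.1 or newer on PATH, and a scratch directory from mktemp; the CA name and the hostnames are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive private CA,
# leaf issuance with SAN and unique serials, and verification.
# Assumptions: POSIX sh, OpenSSL >= 1.1.1; names below are made up.
set -eu

# make_ca DIR: 4096-bit CA key and a self-signed CA cert valid 5 years.
# The CA key is unencrypted only so the example runs without a prompt;
# encrypt it (genrsa -aes256) and keep it off the web server in real use.
# A private config file avoids depending on the system openssl.cnf.
make_ca() {
  local dir="$1"
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  chmod 600 "$dir/ca.key"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Example Internal CA
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -sha256 -days 1825 -key "$dir/ca.key" \
    -config "$dir/ca.cnf" -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert DIR HOST: key, CSR and CA-signed cert for HOST, plus the
# key+cert bundle the posted makepem step builds.
issue_cert() {
  local dir="$1" host="$2"
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  chmod 600 "$dir/$host.key"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' \
    "$host" > "$dir/$host.cnf"
  openssl req -new -sha256 -key "$dir/$host.key" -config "$dir/$host.cnf" \
    -out "$dir/$host.csr" 2>/dev/null
  # x509 -req ignores extensions inside the CSR, so leaf extensions are
  # passed with -extfile. SAN is the field clients check the hostname against.
  printf '%s\n' \
    "subjectAltName = DNS:$host" \
    "basicConstraints = critical, CA:FALSE" \
    "keyUsage = critical, digitalSignature, keyEncipherment" \
    "extendedKeyUsage = serverAuth" \
    "authorityKeyIdentifier = keyid" > "$dir/$host.ext"
  # -CAcreateserial starts ca.srl at a random value and -CAserial keeps
  # incrementing it, so no two leaves from this CA share a serial.
  openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAserial "$dir/ca.srl" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
  cat "$dir/$host.key" "$dir/$host.crt" > "$dir/$host.pem"
  chmod 600 "$dir/$host.pem"
}

# san_matches CERT HOST: 0 if HOST appears as a DNS SAN in CERT, else 1.
# The text is captured into a variable rather than piped to grep so a
# closed pipe cannot turn into a spurious failure under set -e.
san_matches() {
  local text
  text="$(openssl x509 -in "$1" -noout -text)"
  case "$text" in
    *"DNS:$2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# verify_cert DIR HOST: chain check against the CA, with the sslserver
# purpose so keyUsage/EKU are enforced, plus the SAN check. Status only.
verify_cert() {
  local dir="$1" host="$2"
  openssl verify -purpose sslserver -CAfile "$dir/ca.crt" \
    "$dir/$host.crt" >/dev/null 2>&1 || return 1
  san_matches "$dir/$host.crt" "$host"
}

# cert_serial CERT: hex serial number, used to show that leaves differ.
cert_serial() {
  local s
  s="$(openssl x509 -in "$1" -noout -serial)"
  printf '%s\n' "${s#serial=}"
}

# Demo run: one CA, two leaves, both verified. DEMO_DIR is left in place
# so the files can be inspected afterwards.
DEMO_DIR="$(mktemp -d)"
make_ca "$DEMO_DIR"
issue_cert "$DEMO_DIR" web.example.test
issue_cert "$DEMO_DIR" mail.example.test
verify_cert "$DEMO_DIR" web.example.test
verify_cert "$DEMO_DIR" mail.example.test
echo "CA and two leaves written to $DEMO_DIR"
echo "serials: $(cert_serial "$DEMO_DIR/web.example.test.crt")" \
  "$(cert_serial "$DEMO_DIR/mail.example.test.crt")"
```

The per-host `.pem` is the same key-then-cert bundle the posted makepem step produces and drops straight into Apache, Exim or Dovecot; clients must additionally be given `ca.crt` to trust, which is the price of a private CA. DH parameters are deliberately left out: if a daemon still needs them, `openssl dhparam -out dh.pem 2048` is the modern replacement for the removed `gendh`.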