Script to create self-signed CA certificates, WILDCARD server certificates, and client certificates for Non-Production testing
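#!/usr/bin/env bash
#
# Generate a self-signed root CA, a CA-signed WILDCARD server certificate and
# (optionally, see the commented section at the bottom) a CA-signed client
# certificate for Non-Production / Development testing only.
#
# How to use
# 1. Make this script executable:
#      chmod +x ./self-signed-ssl.sh
# 2. Run script and provide domain name:
#      ./self-signed-ssl.sh mydomain.com
#
# Outputs (written to the current directory):
#   ca.key, ca.crt, ca.srl          - root CA key, certificate, serial file
#   <domain>.key, <domain>.csr, <domain>.crt - wildcard server key, CSR, cert
#
set -euo pipefail

# Private keys are written unencrypted (-nodes), so make sure every file this
# script creates is readable by the current user only.
umask 077

#######################################
# Print usage to stderr and exit non-zero.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stderr
# Returns:   never returns; exits with status 1
#######################################
usage() {
  printf 'USAGE: %s domain.lan\n\n' "$0" >&2
  printf 'This will generate a non-secure self-signed wildcard certificate for a given domain.\n' >&2
  printf 'This should only be used in a Non-Production and Development environment.\n' >&2
  exit 1
}

#######################################
# Join "key=value" components into an OpenSSL -subj string ("/k=v/k=v").
# Globals:   none
# Arguments: one "key=value" subject component per argument
# Outputs:   the subject string on stdout (no trailing newline)
# Returns:   0
#######################################
make_subj() {
  local component
  local subj=""
  for component in "$@"; do
    subj+="/$component"
  done
  printf '%s' "$subj"
}

# ${1:-} keeps the check safe under `set -u` when no argument is given.
[[ -n "${1:-}" ]] || usage
readonly DOMAIN=$1

#
# Generate self signed certs
#

# Add wildcard
readonly WILDCARD="*.$DOMAIN"

# Limit the validity period, it should be as short as you can handle from the
# maintenance standpoint. Best Practice is 12 months Max.
# Used for the root CA as well: without an explicit -days the CA certificate
# would default to 30 days and expire long before the server certificate.
readonly VALIDITY="365"

# Placeholder contact address for the certificate subjects - replace it with
# your own before use.
readonly EMAIL="admin@example.com"

# This can be used for OCSP Responder for testing purposes which requires a
# Root certificate with a certificate(s) generated from it.
# First we will create a self-signed Root certificate using openssl then
# Create the derived Wildcard certificate
#
# Edit your own Certificate Attributes:
#   C: CountryName
#   ST: StateOrProvinceName
#   localityName (L): Locality
#   O: Organization
#   commonName (CN): CommonName
#   organizationalUnitName (OU): OrganizationalUnit
#   emailAddress: Email Name

# Set our RootCA Certificate Attributes
SUBJ_ROOTCA=$(make_subj \
  "C=US" \
  "ST=CO" \
  "O=Local Development" \
  "localityName=Local Development" \
  "commonName=RootCA" \
  "organizationalUnitName=Local Development" \
  "emailAddress=$EMAIL")
readonly SUBJ_ROOTCA

# Set our Server Certificate Attributes
SUBJ_SERVER=$(make_subj \
  "C=US" \
  "ST=CO" \
  "O=Local Development" \
  "localityName=Local Development" \
  "commonName=$WILDCARD" \
  "organizationalUnitName=Local Development" \
  "emailAddress=$EMAIL")
readonly SUBJ_SERVER

# Generate self signed root CA cert (key and certificate in one step)
openssl req -nodes -x509 -sha256 -newkey rsa:2048 -days "$VALIDITY" \
  -keyout ca.key -out ca.crt -subj "$SUBJ_ROOTCA"

# Generate server key and CSR to be signed
openssl req -nodes -newkey rsa:2048 -subj "$SUBJ_SERVER" \
  -keyout "$DOMAIN.key" -out "$DOMAIN.csr"

# Create a CA-Signed Certificate for Your Non-production Apps valid for x Days.
# Modern clients ignore the commonName and require a subjectAltName, so the
# wildcard and the bare domain are added as SAN entries via an extension file
# (process substitution keeps it inline). -CAcreateserial writes ca.srl.
openssl x509 -req -sha256 -days "$VALIDITY" -in "$DOMAIN.csr" \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:%s,DNS:%s\n' "$WILDCARD" "$DOMAIN") \
  -out "$DOMAIN.crt"

#
# Generate Client Cert
# (Uncomment openssl commands below when needed)
#
# Set our Client Certificate Attributes
# SUBJ_CLIENT=$(make_subj \
#   "C=US" \
#   "ST=CO" \
#   "O=Local Development" \
#   "localityName=Local Development" \
#   "commonName=$WILDCARD" \
#   "organizationalUnitName=Local Development" \
#   "emailAddress=$EMAIL")
# # Generate a client cert to be signed
# openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr \
#   -subj "$SUBJ_CLIENT"
# # Sign the client cert (ca.srl was created by -CAcreateserial above)
# openssl x509 -req -sha256 -days "$VALIDITY" -in client.csr \
#   -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# # Create client PEM file
# cat client.key client.crt > client.pem
# # Create client PFX file (for Java, C#, etc)
# openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx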