

@oskapt
Forked from 0x5d/generate-certs.sh
Created August 11, 2022 22:18

Revisions

  1. @0x5d 0x5d created this gist Apr 28, 2021.
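--- /dev/null
+++ b/generate-certs.sh
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+mkdir certs my-safe-directory
+
+cat > ca.cnf <<EOF
+# OpenSSL CA configuration file
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+default_days = 365
+database = index.txt
+serial = serial.txt
+default_md = sha256
+copy_extensions = copy
+unique_subject = no
+# Used to create the CA certificate.
+[ req ]
+prompt=no
+distinguished_name = distinguished_name
+x509_extensions = extensions
+[ distinguished_name ]
+organizationName = Vectorized
+commonName = Vectorized CA
+[ extensions ]
+keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
+basicConstraints = critical,CA:true,pathlen:1
+# Common policy for nodes and users.
+[ signing_policy ]
+organizationName = supplied
+commonName = optional
+# Used to sign node certificates.
+[ signing_node_req ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+# Used to sign client certificates.
+[ signing_client_req ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = clientAuth
+EOF
+
+openssl genrsa -out my-safe-directory/ca.key 2048
+
+chmod 400 my-safe-directory/ca.key
+
+openssl req -new -x509 -config ca.cnf -key my-safe-directory/ca.key -out certs/ca.key -days 365 -batch
+
+openssl req \
+-new \
+-x509 \
+-config ca.cnf \
+-key my-safe-directory/ca.key \
+-out certs/ca.crt \
+-days 365 \
+-batch
+
+rm -f index.txt serial.txt
+
+touch index.txt
+
+echo '01' > serial.txt
+
+cat > node.cnf <<EOF
+# OpenSSL node configuration file
+[ req ]
+prompt=no
+distinguished_name = distinguished_name
+req_extensions = extensions
+[ distinguished_name ]
+organizationName = Vectorized
+[ extensions ]
+subjectAltName = critical,DNS:localhost,IP:127.0.0.1
+EOF
+
+openssl genrsa -out certs/node.key 2048
+
+chmod 400 certs/node.key
+
+openssl req \
+-new \
+-config node.cnf \
+-key certs/node.key \
+-out node.csr \
+-batch
+openssl ca \
+-config ca.cnf \
+-keyfile my-safe-directory/ca.key \
+-cert certs/ca.crt \
+-policy signing_policy \
+-extensions signing_node_req \
+-out certs/node.crt \
+-outdir certs/ \
+-in node.csr \
+-batch
+
+openssl x509 -in certs/node.crt -text | grep "X509v3 Subject Alternative Name" -A 1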
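Review bot: The single-line `openssl req -new -x509 ... -out certs/ca.key -days 365 -batch` writes the CA certificate to a file named `ca.key`, and the multi-line `openssl req` immediately after regenerates the same certificate into `certs/ca.crt`, so the script does the work twice and leaves a public certificate under a name that reads as a private key next to the real `certs/node.key`; deleting that single-line invocation removes both the duplicate and the misleading artefact. The script also runs with no error handling: without `set -euo pipefail`, a failed `mkdir certs my-safe-directory` (for example when the directories already exist) or a failed `openssl genrsa` does not stop the following `chmod` and `openssl ca` steps, which can then sign with a stale key from a previous run. Adding `set -euo pipefail` and `umask 077` directly after the shebang makes each step fail fast and keeps the freshly written key files from being readable by other users in the window before the later `chmod 400` runs (I am not certain which openssl versions already create key files with mode 0600, so the umask is a cheap guarantee either way). The `[ signing_client_req ]` section in `ca.cnf` is never referenced by any `openssl ca` call in this file; if a client-certificate step is intended later, a comment saying so, e.g. `# signing_client_req: reserved for a future client-cert step, not used below`, would keep readers from treating it as dead config.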