:::: MENU ::::

Generate self-generated SSL certificate (cert/key pair)

  • Jul 05 / 2017
  • 0
Linux

Generate self-generated SSL certificate (cert/key pair)

Here is a simple script with configuration file to generate a self-generated SSL certificate (cert/key pair).

First define a config file openssl.cnf containing the certificate informations:

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=FR

# State or Province Name (full name)
ST=IdF

# Locality Name (eg. city)
L=Paris

# Organization (eg. company)
O=MyOrg

# Organizational Unit Name (eg. section)
OU=My SSL server

# Common Name (*.example.com is also possible)
CN=my.domain.com

# E-mail contact
[email protected]

[ cert_type ]
nsCertType = server

Then, create the bash script makessl.sh and configure your own parameters (directories, cert filename and validity duration):

#!/bin/sh

# Generates a self-signed certificate.
# Edit openssl.cnf before running this.

umask 077
OPENSSL=${OPENSSL-openssl}

# Define SSL directory
SSLDIR=${SSLDIR-/opt}
# Define SSL config file
OPENSSLCONFIG=${OPENSSLCONFIG-/opt/openssl.cnf}
# Define crt/key directories
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private
# Define crt/key file
CERTFILE=$CERTDIR/mynewssl.pem
KEYFILE=$KEYDIR/mynewssl.key
# Define validity duratin for the cert
DAYS=365

# Check that directories exist or create themt
if [ ! -d $CERTDIR ]; then
  mkdir -p $CERTDIR
fi
if [ ! -d $KEYDIR ]; then
  mkdir -p $KEYDIR
fi

# Check that the files do not exist or move them
if [ -f $CERTFILE ]; then
  mv $CERTFILE $CERTFILE.old
fi
if [ -f $KEYFILE ]; then
  mv $KEYFILE $KEYFILE.old
fi

# Generate crt/key files
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days $DAYS || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

Now, execute the bash script:

$ bash makessl.sh
Generating a 2048 bit RSA private key
...............+++
................................................................................+++
writing new private key to '/opt/private/mynewssl.key'
-----

subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/[email protected]
SHA1 Fingerprint=F0:B1:B3:DF:F9:4D:A0:97:4E:71:E0:7F:8E:DA:13:F9:D5:E8:AF:88

Let’s check your freshly created certificate and double check the information:

$ openssl x509 -in /opt/certs/mynewssl.pem -noout -dates -subject
notBefore=Jul  5 19:45:17 2017 GMT
notAfter=Jul  5 19:45:17 2018 GMT
subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/[email protected]

Comments are closed.

Question ? Contact