
How can I automate the generation of self-signed certificates when I know the domain name?

This works, but it asks me certain questions at the command line prompt.

How should I change it to skip the questions and automatically enter the FQDN?

#! /bin/bash

# serial number file for the CA (the default name derived from ca.pem)
echo 01 > ca.srl

# CA key (passphrase-protected) and self-signed CA certificate;
# the key size is given explicitly, the legacy default is far too small
openssl genrsa -des3 -out ca-key.pem 2048
openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem

# server key and CSR
openssl genrsa -des3 -out server-key.pem 2048
openssl req -new -key server-key.pem -out server.csr

# sign the server CSR with the CA
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem

# client key and CSR
openssl genrsa -des3 -out client-key.pem 2048
openssl req -new -key client-key.pem -out client.csr

# restrict the client certificate to client authentication
echo extendedKeyUsage = clientAuth > extfile.cnf

openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem -extfile extfile.cnf

# strip the passphrase from the server and client keys again
openssl rsa -in server-key.pem -out server-key.pem
openssl rsa -in client-key.pem -out client-key.pem
astropanic
  • Aside: if you don't want the client and server keys encrypted, you can save a step by leaving out `-des3` from `genrsa`. But definitely DO specify the bitsize, like `2048` in @womble's answer (and my comment); the legacy default of 512 is MUCH too low nowadays. – dave_thompson_085 Aug 14 '15 at 02:23
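A non-interactive rewrite of the script in the question, added here as an example (it is not from the question or from any of the answers). It assumes the FQDN is passed as the first argument and an output directory as the second: `-subj` supplies the DN so `req` never prompts, `-nodes` skips the key passphrase (so the `openssl rsa` re-export at the end of the original script is no longer needed), and a subjectAltName is added to the server certificate because browsers no longer match the CN. The CA name, file names, helper names and validity periods are this example's own choices.

```shell
#!/bin/sh
# Added example: non-interactive version of the script from the question.
# Usage: ./mkcerts.sh www.example.org ./pki   (script and file names assumed)
set -eu

# gen_pki FQDN [OUTDIR]: CA plus CA-signed server and client certs, no prompts.
gen_pki() (
  fqdn=$1
  out=${2:-./pki}
  mkdir -p "$out"
  cd "$out"

  # CA key and self-signed CA certificate in one step. -subj replaces the
  # interactive DN questions, -nodes leaves the key unencrypted.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Private CA for ${fqdn}" \
    -keyout ca-key.pem -out ca.pem

  # Server key + CSR, then sign with the CA. 'x509 -req' does not copy
  # extensions from the CSR, so the extfile supplies EKU and the SAN.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=${fqdn}" \
    -keyout server-key.pem -out server.csr
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$fqdn" \
    > server-ext.cnf
  openssl x509 -req -sha256 -days 365 -in server.csr \
    -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -extfile server-ext.cnf -out server-cert.pem

  # Client certificate, as in the original, restricted to clientAuth.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=client.${fqdn}" \
    -keyout client-key.pem -out client.csr
  printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
  openssl x509 -req -sha256 -days 365 -in client.csr \
    -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -extfile client-ext.cnf -out client-cert.pem

  # Fail the script if either leaf certificate does not chain to the CA.
  openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
)

# cert_has CERT PATTERN: succeeds if PATTERN appears in the decoded certificate
cert_has() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

if [ $# -gt 0 ]; then
  gen_pki "$@"
fi
```

`-CAcreateserial` creates `ca.srl` on the first signing and reuses it afterwards, which replaces the `echo 01 > ca.srl` line; the closing `openssl verify` is the check worth keeping in any automated version, since a typo in the `-CA`/`-CAkey` arguments otherwise only shows up when a client rejects the certificate.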

3 Answers


Thanks, I laughed. If you know you want to create multiple certificates, set up a private CA.

But, if you insist, creation of a self-signed certificate is just one line.

openssl req -newkey rsa:4096 -x509 -extensions x509_ca -keyout $HOME/ca.key -out $HOME/ca-$(date +%Y%m%d-%H%M).crt -days 3654

That assumes you have correctly pre-set openssl.conf.

You will need to pass subjectAltName values through environment variables, though; they can't be specified on the command line.

I.e.:

SSLSAN="email:copy,DNS:www.example.org" openssl req …

And in openssl.conf:

# Global: default used when SSLSAN is not exported by the caller
SSLSAN = email:copy
…
[req]
x509_extensions = x509_ca
…
# extension section selected by "-extensions x509_ca" on the command line
[ x509_ca ]
subjectAltName = ${ENV::SSLSAN}
…
[ org1_policy ]
subjectAltName          = optional
AnrDaemon

Wow, that's a lot more than you need. Here's what I do:

openssl genrsa -out /etc/ssl/private/${name}.pem 2048
openssl req -new -key /etc/ssl/private/${name}.pem -subj /CN=${name}/ -out /etc/ssl/${name}.csr
openssl x509 -req -days 3650 -in /etc/ssl/${name}.csr -signkey /etc/ssl/private/${name}.pem -out /etc/ssl/certs/${name}.pem
womble
  • That works for self-signed (like the OP's CA), and you can combine the latter two like `openssl req -new -x509 -key keyfile -subj "/CN=name" -days 3650 -out certfile` and if you want (or don't mind) the private key encrypted, as OP apparently does for CA, you can fold in the first as well by `openssl req -newkey rsa:2048 -x509 -keyout keyfile ...` But for CA-signed certs you must use `x509 -req` with `-CA certfile -CAkey keyfile` INSTEAD OF `-signkey keyfile` as OP correctly did. – dave_thompson_085 Aug 14 '15 at 02:19

I think the way to do it is to create a separate directory for your CA. Put your CA signing certificates in there and create a configuration file with most of the attributes pre-filled (i.e. O, OU, DC, subject alternative name, etc.). Then generate a certificate, providing the desired profile name and FQDN on the command line.

I do not have an example, but you can find more details in the OpenSSL documentation.

dtoubelis
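The two config-driven answers above (AnrDaemon's `${ENV::SSLSAN}` lookup and dtoubelis's pre-filled configuration file) put together, as an added example that is not part of either answer: a config template with O/OU filled in once and the CN and subjectAltName read from environment variables, so a self-signed certificate for any FQDN is one function call with no prompts. The section names (`req_dn`, `leaf_ext`), organisation values, file names and helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example: reusable openssl.cnf with pre-filled O/OU and ENV-driven
# CN and SAN. Section names, O/OU values and file names are assumed.
set -eu

# write_cnf FILE: emit the template config
write_cnf() {
  cat > "$1" <<'EOF'
# default section: used when the caller does not export SSLSAN
SSLSAN = email:copy

[ req ]
# take the DN verbatim from req_dn, never ask
prompt             = no
distinguished_name = req_dn
# extension section applied by 'req -x509'
x509_extensions    = leaf_ext

[ req_dn ]
O  = Example Corp
OU = Web Servers
CN = ${ENV::CN}

[ leaf_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = ${ENV::SSLSAN}
EOF
}

# selfsign FQDN OUTDIR [EXTRA_SANS]: self-signed server cert for FQDN, no prompts.
# EXTRA_SANS, if given, is appended to the SAN list, e.g. "DNS:example.org".
selfsign() (
  fqdn=$1; out=$2; extra=${3:-}
  mkdir -p "$out"
  write_cnf "$out/openssl.cnf"
  CN="$fqdn" SSLSAN="DNS:${fqdn}${extra:+,$extra}" \
    openssl req -x509 -batch -config "$out/openssl.cnf" \
      -newkey rsa:2048 -nodes -sha256 -days 365 \
      -keyout "$out/$fqdn.key" -out "$out/$fqdn.crt"
)

# san_of CERT: print the subjectAltName line of a certificate, for checks
san_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

if [ $# -gt 0 ]; then
  selfsign "$@"
  san_of "$2/$1.crt"
fi
```

`prompt = no` makes the whole DN come from `[ req_dn ]`, and an `${ENV::name}` lookup falls back to the value in the default section when the variable is not exported, which is what the global `SSLSAN = email:copy` line in AnrDaemon's answer relies on; if neither exists, `openssl` refuses to load the config, so a missing `CN` or `SSLSAN` fails loudly instead of producing a certificate with an empty field.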