software development


One of the most annoying parts of creating SSL certificates is creating SSL certificates! It can be a real PITA. Being the lazy programmer that I am I wrote a script that I stuck in /usr/local/bin that performs all the necessary steps for me. Here it is (with comments) so that you too can hate creating SSL certificates just a little less:


# the path to your ssl directory

# the path to store certificate requests in

# the path to store the pkcs12 certificate bundles in

# the path to store the certificate key files in

# the path to store the pem encoded certificates in

# the default bittage of the certificate

# get the common name from the command line's first parameter

# if the script was called with a second command line parameter
# assume that it is the bittage and set the value to such
if [ !$2 ]

# generate the certificate's private key
openssl genrsa -des3 -out $KEY_DIR/$CN.key $BITTAGE

# generate the certificate's request from the private key
openssl req -new -key $KEY_DIR/$CN.key -out $REQ_DIR/$CN.csr

# sign the certificate request with the server's CA.
# !!! IMPORTANT !!!
# this command must have the last two options in it. without it the certificate
# that is created will not have the usr_cert extensions section applied to it
openssl x509 -req -in $REQ_DIR/$CN.csr -CA $SSL_DIR/ca.crt -CAkey $KEY_DIR/ca.key -out $CRT_DIR/$CN.crt -extfile $SSL_DIR/openssl.cnf -extensions usr_cert

# generate a pkcs12 certificate bundle since many clients (Windows, OS X) prefer
# this type of certificate when importing into their certificate managers, key stores
openssl pkcs12 -export -in $CRT_DIR/$CN.crt -inkey $KEY_DIR/$CN.key -out $P12_DIR/$CN.p12

Save this script as /usr/local/bin/newcert. Once the script is in your path you can call it like this:


For example, let’s say I want to create a certificate for a server called However, instead of the default bittage of 1024, I want my web server’s SSL certificate to be stronger. I could call:

newcert 2048

That would create a new SSL certificate that is 2048 bits with a common name of “”.

Well, I hope you find this script useful, I sure have!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s