newcert

One of the most annoying parts of creating SSL certificates is creating SSL certificates! It can be a real PITA. Being the lazy programmer that I am I wrote a script that I stuck in /usr/local/bin that performs all the necessary steps for me. Here it is (with comments) so that you too can hate creating SSL certificates just a little less:


#!/bin/bash

# the path to your ssl directory
SSL_DIR=/etc/ssl

# the path to store certificate requests in
REQ_DIR=$SSL_DIR/requests

# the path to store the pkcs12 certificate bundles in
P12_DIR=$SSL_DIR/p12

# the path to store the certificate key files in
KEY_DIR=$SSL_DIR/private

# the path to store the pem encoded certificates in
CRT_DIR=$SSL_DIR/mycerts

# the default bittage of the certificate (1024-bit RSA is no longer considered
# adequate; pass a larger value as the second parameter)
BITTAGE=1024

# the common name is required: print a usage message and stop if it is missing
if [ -z "$1" ]
then
    echo "usage: $(basename "$0") COMMON_NAME [BITTAGE]" >&2
    exit 1
fi

# get the common name from the command line's first parameter
CN=$1

# if the script was called with a second command line parameter
# assume that it is the bittage and set the value to such
# (the test has to be -n "$2": [ !$2 ] is always true, so without a second
# parameter BITTAGE would have been set to an empty string)
if [ -n "$2" ]
then
    BITTAGE=$2
fi

# stop at the first failing openssl command instead of carrying on with missing files
set -e

# generate the certificate's private key
openssl genrsa -des3 -out "$KEY_DIR/$CN.key" "$BITTAGE"

# generate the certificate's request from the private key
openssl req -new -key "$KEY_DIR/$CN.key" -out "$REQ_DIR/$CN.csr"

# sign the certificate request with the server's CA.
#
# !!! IMPORTANT !!!
#
# this command must have the last two options in it. without them the certificate
# that is created will not have the usr_cert extensions section applied to it.
# -CAcreateserial creates the CA's serial number file the first time; without it
# the command fails when $SSL_DIR/ca.srl does not exist yet
openssl x509 -req -in "$REQ_DIR/$CN.csr" -CA "$SSL_DIR/ca.crt" -CAkey "$KEY_DIR/ca.key" \
    -CAcreateserial -out "$CRT_DIR/$CN.crt" -extfile "$SSL_DIR/openssl.cnf" -extensions usr_cert

# generate a pkcs12 certificate bundle since many clients (Windows, OS X) prefer
# this type of certificate when importing into their certificate managers, key stores
openssl pkcs12 -export -in "$CRT_DIR/$CN.crt" -inkey "$KEY_DIR/$CN.key" -out "$P12_DIR/$CN.p12"

Save this script as /usr/local/bin/newcert. Once the script is in your path you can call it like this:

newcert COMMON_NAME [BITTAGE]

For example, let’s say I want to create a certificate for a server called www.lostcreations.com. However, instead of the default bittage of 1024, I want my web server’s SSL certificate to be stronger. I could call:

newcert www.lostcreations.com 2048

That would create a new SSL certificate that is 2048 bits with a common name of “www.lostcreations.com”.
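Once newcert has run, the thing worth checking before the .crt or .p12 goes anywhere is that the three artifacts actually belong together. The script below is an added example, not the post's script: check_cert verifies the leaf against the CA, compares the public key in the certificate with the private key, and confirms the usr_cert extensions were applied; make_fixture builds a throw-away CA and test certificates (constructed data) so it runs offline. It assumes openssl is on PATH and that the key file has no passphrase (the des3 key the script makes would need -passin on the pkey call).

```shell
#!/bin/sh
# Added check for what newcert produces (not part of the original post).
# Assumes openssl on PATH; the key must be readable without a passphrase
# (for the script's des3 key, add -passin to the pkey call below).
set -eu

# check_cert CA_CRT CRT KEY : succeed only if the three artifacts belong together
check_cert() {
    ca=$1; crt=$2; key=$3
    # 1. the leaf must chain to the CA that was supposed to sign it
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL $crt: does not verify against $ca"; return 1; }
    # 2. the public key inside the cert must match the private key it ships with
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL $crt: public key differs from $key"; return 1; }
    # 3. the usr_cert section must have been applied; the tell-tale is an
    #    explicit basicConstraints CA:FALSE, which a cert signed without
    #    -extfile/-extensions never carries
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE' \
        || { echo "FAIL $crt: usr_cert extensions missing"; return 1; }
    echo "ok $crt"
}

# make_fixture DIR : constructed test data, a throw-away CA and a leaf signed
# both with and without the extensions, plus an unrelated key
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Throwaway CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    printf '[ usr_cert ]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$d/openssl.cnf"
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj "/CN=www.example.test" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -extfile "$d/openssl.cnf" -extensions usr_cert -out "$d/good.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -out "$d/noext.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# demo: the good cert passes, the one signed without the two options fails
tmp=$(mktemp -d)
make_fixture "$tmp"
check_cert "$tmp/ca.crt" "$tmp/good.crt" "$tmp/leaf.key"
check_cert "$tmp/ca.crt" "$tmp/noext.crt" "$tmp/leaf.key" || true
rm -rf "$tmp"
```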

Well, I hope you find this script useful; I sure have!
