One of the most annoying parts of creating SSL certificates is creating SSL certificates! It can be a real PITA. Being the lazy programmer that I am, I wrote a script that I stuck in /usr/local/bin that performs all the necessary steps for me. Here it is (with comments) so that you too can hate creating SSL certificates just a little less:
#!/bin/sh
# newcert: create a key, CSR, CA-signed certificate and PKCS#12 bundle in one go
# stop at the first openssl step that fails
set -e
# the path to your ssl directory
# (assumed layout: the original values were not preserved; adjust to your setup)
SSL_DIR=${SSL_DIR:-/etc/ssl}
# the path to store certificate requests in
REQ_DIR=$SSL_DIR/csr
# the path to store the pkcs12 certificate bundles in
P12_DIR=$SSL_DIR/p12
# the path to store the certificate key files in
KEY_DIR=$SSL_DIR/private
# the path to store the pem encoded certificates in
CRT_DIR=$SSL_DIR/certs
# the default bittage of the certificate
BITTAGE=1024
# get the common name from the command line's first parameter
if [ -z "$1" ]; then
    echo "usage: $(basename "$0") COMMON_NAME [BITTAGE]" >&2
    exit 1
fi
CN=$1
# if the script was called with a second command line parameter
# assume that it is the bittage and set the value to such
if [ -n "$2" ]; then
    BITTAGE=$2
fi
# generate the certificate's private key (openssl prompts for a passphrase)
openssl genrsa -des3 -out "$KEY_DIR/$CN.key" "$BITTAGE"
# generate the certificate's request from the private key
# (openssl prompts for the subject; enter $CN as the Common Name)
openssl req -new -key "$KEY_DIR/$CN.key" -out "$REQ_DIR/$CN.csr"
# sign the certificate request with the server's CA.
# !!! IMPORTANT !!!
# this command must have the last two options in it. without it the certificate
# that is created will not have the usr_cert extensions section applied to it
# (-CAcreateserial creates ca.srl on first use instead of failing when it is missing)
openssl x509 -req -in "$REQ_DIR/$CN.csr" -CA "$SSL_DIR/ca.crt" -CAkey "$KEY_DIR/ca.key" \
    -CAcreateserial -out "$CRT_DIR/$CN.crt" -extfile "$SSL_DIR/openssl.cnf" -extensions usr_cert
# generate a pkcs12 certificate bundle since many clients (Windows, OS X) prefer
# this type of certificate when importing into their certificate managers, key stores
openssl pkcs12 -export -in "$CRT_DIR/$CN.crt" -inkey "$KEY_DIR/$CN.key" -out "$P12_DIR/$CN.p12"
Save this script as /usr/local/bin/newcert. Once the script is in your path you can call it like this:
newcert COMMON_NAME [BITTAGE]
For example, let’s say I want to create a certificate for a server called www.lostcreations.com. However, instead of the default bittage of 1024, I want my web server’s SSL certificate to be stronger. I could call:
newcert www.lostcreations.com 2048
That would create a new SSL certificate that is 2048 bits with a common name of “www.lostcreations.com”.
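As an added example (not part of the original post or its script), the function below checks the files newcert leaves behind: that the certificate really chains to the CA, that it matches its private key, that the usr_cert extensions were actually applied (the easy-to-forget -extfile/-extensions step flagged above, detected by the CA:FALSE basic constraint the default usr_cert section sets), and that the key is not weaker than a minimum size. The function name check_cert is my own; it assumes openssl is in PATH and that the key is readable without a passphrase (a -des3 key will prompt for one).

```shell
#!/bin/sh
# check_cert CA_CRT CERT KEY [MIN_BITS]
# Reports every failed check on stdout; returns 0 only if all checks pass.
check_cert() {
    ca=$1; crt=$2; key=$3; min_bits=${4:-2048}
    rc=0
    # 1. the certificate must chain to the CA that was supposed to sign it
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca"; rc=1
    fi
    # 2. the private key must belong to the certificate: compare the public keys
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt"; rc=1
    fi
    # 3. the extensions must actually be present; an end-entity certificate
    #    signed with the usr_cert section carries basicConstraints CA:FALSE
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)
    case $text in
        *"CA:FALSE"*) ;;
        *) echo "FAIL: $crt has no CA:FALSE basic constraint (extensions not applied?)"; rc=1 ;;
    esac
    # 4. the key must not be weaker than min_bits (1024-bit RSA is long deprecated)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, minimum is $min_bits"; rc=1
    fi
    return $rc
}
```

Run it as check_cert /etc/ssl/ca.crt /etc/ssl/certs/www.lostcreations.com.crt /etc/ssl/private/www.lostcreations.com.key 2048 (paths adjusted to where your copy of the script writes them).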
Well, I hope you find this script useful, I sure have!