Here is a simple script, with its configuration file, to generate a self-signed SSL certificate (cert/key pair).
First, define a config file openssl.cnf containing the certificate information:
    [ req ]
    default_bits = 2048
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no

    [ req_dn ]
    # country (2 letter code)
    C=FR
    # State or Province Name (full name)
    ST=IdF
    # Locality Name (eg. city)
    L=Paris
    # Organization (eg. company)
    O=MyOrg
    # Organizational Unit Name (eg. section)
    OU=My SSL server
    # Common Name (*.example.com is also possible)
    CN=my.domain.com
    # E-mail contact
    emailAddress=[email protected]

    [ cert_type ]
    nsCertType = server
Then, create the bash script makessl.sh and configure your own parameters (directories, cert filename and validity duration):
    #!/bin/sh
    # Generates a self-signed certificate.
    # Edit openssl.cnf before running this.

    # Files created below are readable by the owner only
    umask 077
    OPENSSL=${OPENSSL-openssl}

    # Define SSL directory
    SSLDIR=${SSLDIR-/opt}
    # Define SSL config file
    OPENSSLCONFIG=${OPENSSLCONFIG-/opt/openssl.cnf}

    # Define crt/key directories
    CERTDIR=$SSLDIR/certs
    KEYDIR=$SSLDIR/private

    # Define crt/key file
    CERTFILE=$CERTDIR/mynewssl.pem
    KEYFILE=$KEYDIR/mynewssl.key

    # Define validity duration for the cert
    DAYS=365

    # Check that directories exist or create them
    if [ ! -d "$CERTDIR" ]; then
      mkdir -p "$CERTDIR"
    fi
    if [ ! -d "$KEYDIR" ]; then
      mkdir -p "$KEYDIR"
    fi

    # Check that the files do not exist or move them
    if [ -f "$CERTFILE" ]; then
      mv "$CERTFILE" "$CERTFILE.old"
    fi
    if [ -f "$KEYFILE" ]; then
      mv "$KEYFILE" "$KEYFILE.old"
    fi

    # Generate crt/key files
    # Note: -nodes writes the private key unencrypted, overriding encrypt_key in openssl.cnf
    "$OPENSSL" req -new -x509 -nodes -config "$OPENSSLCONFIG" -out "$CERTFILE" -keyout "$KEYFILE" -days "$DAYS" || exit 2
    chmod 0600 "$KEYFILE"
    echo
    # Print the subject and fingerprint of the new certificate
    "$OPENSSL" x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2
Now, execute the bash script:
    $ bash makessl.sh
    Generating a 2048 bit RSA private key
    ...............+++
    ................................................................................+++
    writing new private key to '/opt/private/mynewssl.key'
    -----

    subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/[email protected]
    SHA1 Fingerprint=F0:B1:B3:DF:F9:4D:A0:97:4E:71:E0:7F:8E:DA:13:F9:D5:E8:AF:88
Let’s check your freshly created certificate and double check the information:
    $ openssl x509 -in /opt/certs/mynewssl.pem -noout -dates -subject
    notBefore=Jul 5 19:45:17 2017 GMT
    notAfter=Jul 5 19:45:17 2018 GMT
    subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/[email protected]
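
The manual check above can be extended into a repeatable one. The following is an added example, not part of the original post: it verifies that the key file is private, that the certificate and key belong together, and that the certificate is not about to expire. The function name check_pair, its return codes and the 30-day default threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity-check a cert/key pair such as the one written by makessl.sh.
# Usage: sh checkssl.sh /opt/certs/mynewssl.pem /opt/private/mynewssl.key [min_days]
OPENSSL=${OPENSSL-openssl}

# check_pair CERT KEY [MIN_DAYS]   (hypothetical helper)
# Returns 0 if all checks pass, 1 missing file, 2 key readable by group/other,
# 3 cert and key do not match, 4 cert expires within MIN_DAYS (default 30).
check_pair() {
    cert=$1
    key=$2
    min_days=${3-30}

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "missing or unreadable file" >&2
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    # ls is used because stat(1) options differ between GNU and BSD.
    mode=$(ls -lnL "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "private key is accessible by group/other: $key" >&2
        return 2
    fi

    # The pair matches only if both files yield the same public key.
    cert_pub=$("$OPENSSL" x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$("$OPENSSL" pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        return 3
    fi

    # -checkend N exits non-zero when the cert expires within N seconds.
    if ! "$OPENSSL" x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days" >&2
        return 4
    fi
    echo "OK: $cert"
}

if [ $# -ge 2 ]; then
    check_pair "$@"
fi
```

Running it from cron with the paths used above gives an early warning before the 365-day certificate lapses.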