Self-signed CA and TLS certificates generator
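# Self-signed CA and TLS certificate generator for local development/testing.
#
# Writes everything under ./tls:
#   openssl.cnf                       - the OpenSSL config this script generates
#   ca.key / ca.crt                   - CA private key and self-signed CA cert
#   my-service.key / my-service.csr   - leaf private key and signing request
#   my-service.crt                    - leaf certificate signed by the CA
#
# Requires: a POSIX shell and `openssl` on PATH.

# Abort on the first failing command or on an unset variable, so a failed
# step cannot be silently followed by signing with a stale or missing file.
set -eu

# Output directory. Deliberately NOT named TMPDIR: if TMPDIR is exported in
# the caller's environment, assigning it here would redirect every child
# process's temp-file location into this directory.
OUT_DIR="$(pwd)/tls"

# Private keys are written unencrypted (-nodes / encrypt_key = no), so make
# sure the directory and files this script creates are owner-only.
umask 077

# Ensure the target directory exists and is empty.
rm -rf "${OUT_DIR}"
mkdir -p "${OUT_DIR}"

# Quoted delimiter: the config is written verbatim, with no shell expansion.
cat > "${OUT_DIR}/openssl.cnf" << 'EOF'
[req]
default_bits = 2048
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
# Specify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name
# Extensions for SAN IP and SAN DNS
req_extensions = v3_req

# Be sure to update the subject to match your organization.
[req_distinguished_name]
C = BY
ST = Minsk
L = K
O = Beresnev
CN = localhost

# Extensions for the self-signed CA certificate. Declaring CA:TRUE here
# avoids depending on whatever x509_extensions the system-wide openssl.cnf
# happens to define.
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
[v3_req]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names

# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly. Clients connect to the loopback address, so list
# 127.0.0.1; the unspecified address 0.0.0.0 never matches a peer's
# certificate check.
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
EOF

# Create the CA key and self-signed CA certificate in one step. -subj
# overrides the DN from the config; the CA subject has no CN so it cannot
# be confused with the leaf certificate.
openssl req \
  -new \
  -sha256 \
  -newkey rsa:2048 \
  -days 120 \
  -nodes \
  -x509 \
  -config "${OUT_DIR}/openssl.cnf" \
  -extensions v3_ca \
  -subj "/C=BY/ST=Minsk/L=K/O=Beresnev" \
  -keyout "${OUT_DIR}/ca.key" \
  -out "${OUT_DIR}/ca.crt"

# Generate the private key for the service (2048-bit RSA; raise to 4096 if
# your policy requires it).
openssl genrsa -out "${OUT_DIR}/my-service.key" 2048

# Generate a CSR using the configuration and the key just generated. We will
# give this CSR to our CA to sign.
openssl req \
  -new -key "${OUT_DIR}/my-service.key" \
  -out "${OUT_DIR}/my-service.csr" \
  -config "${OUT_DIR}/openssl.cnf"

# Sign the CSR with our CA. -extensions/-extfile re-applies v3_req because
# `x509 -req` does not carry the CSR's extensions over by default; without
# it the issued certificate would have no SAN.
openssl x509 \
  -req \
  -days 120 \
  -in "${OUT_DIR}/my-service.csr" \
  -CA "${OUT_DIR}/ca.crt" \
  -CAkey "${OUT_DIR}/ca.key" \
  -CAcreateserial \
  -sha256 \
  -extensions v3_req \
  -extfile "${OUT_DIR}/openssl.cnf" \
  -out "${OUT_DIR}/my-service.crt"

# Print the leaf certificate so subject, validity, issuer and SAN can be checked.
openssl x509 -in "${OUT_DIR}/my-service.crt" -noout -text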