Generate X.509 Certificate (Server/Client/Mail) with OpenSSL and Intermediate CA - Linux
#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Original Source:
# https://gist.github.com/ggrandes/c1765904e804db15b8c57d90299d006f
#
# Builds a three-tier TEST PKI in the current directory: a self-signed root CA,
# an intermediate CA signed by it, and one end-entity certificate signed by the
# intermediate. All private keys are written unencrypted (-nodes); each step is
# skipped when its .crt file already exists.
#
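# Defaults for the three tiers; every value can be overridden from the caller's
# environment (e.g. `CAROOT_CN=MyRoot ./script.sh`). The *_TIME values are years.
CAROOT_CN="${CAROOT_CN:-CA-ROOT-TEST}"
CAROOT_OU="${CAROOT_OU:-TEST}"
CAROOT_TIME="${CAROOT_TIME:-10}"
CAINT_CN="${CAINT_CN:-CA-INT-TEST}"
CAINT_OU="${CAINT_OU:-TEST}"
# Previously read "${CARINT_TIME:-5}" (typo), so the intermediate's lifetime could
# never actually be overridden from the environment.
CAINT_TIME="${CAINT_TIME:-5}"
USER_CN="${USER_CN:-USER-TEST}"
USER_OU="${USER_OU:-TEST}"
USER_TIME="${USER_TIME:-2}"
# The private keys below are written unencrypted (-nodes); make every file this
# script creates owner-readable only, regardless of the caller's umask.
umask 077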
# | |
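# Self-signed CA-Root (skipped when ca-root.crt already exists and is non-empty).
# The heredoc is unquoted on purpose so ${CAROOT_CN}/${CAROOT_OU} expand into the
# config handed to -config /dev/stdin.
#
# Serial: the original used $(date +%s). Because the root and the intermediate
# both carry the root's name as issuer and are normally produced within the same
# second, they ended up with identical serials, which RFC 5280 forbids. Fifteen
# random bytes stay positive and below the 20-octet DER limit when encoded.
[ ! -s "ca-root.crt" ] &&
openssl req -new -x509 -batch -newkey rsa:2048 -nodes \
  -keyout ca-root.key -out ca-root.crt \
  -days $(( 365 * CAROOT_TIME + CAROOT_TIME )) \
  -set_serial "0x$(openssl rand -hex 15)" \
  -config /dev/stdin <<END
[ req ]
x509_extensions = v3_ca
string_mask = nombstr
distinguished_name = req_distinguished_name
prompt = no
encrypt_key = no
default_md = sha256
[ req_distinguished_name ]
CN = ${CAROOT_CN}
OU = ${CAROOT_OU}
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# pathlen:1 - at most one CA (the intermediate) may sit below this root, so a
# compromised intermediate cannot mint further sub-CAs.
basicConstraints = critical, CA:TRUE, pathlen:1
# cRLSign lets the root revoke the intermediate through a CRL.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyCertSign, cRLSign
# OpenSSL evaluates EKU on CA certificates too, so keep this a superset of what
# the leaf certificate carries.
extendedKeyUsage = clientAuth, serverAuth, emailProtection
END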
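# Intermediate CA, signed by the root (skipped when ca-int.crt already exists).
# Serial: random instead of $(date +%s), which gave this certificate the same
# serial as the root whenever both were produced within one second (same issuer
# name, so a genuine RFC 5280 uniqueness violation). Fifteen random bytes stay
# positive and below the 20-octet DER limit when encoded.
[ ! -s "ca-int.crt" ] &&
openssl req -new -sha256 -batch -newkey rsa:2048 -nodes \
  -keyout ca-int.key -out ca-int.req -subj "/CN=${CAINT_CN}/OU=${CAINT_OU}" &&
openssl x509 -req -sha256 -in ca-int.req -CA ca-root.crt -CAkey ca-root.key -out ca-int.crt \
  -days $(( 365 * CAINT_TIME + CAINT_TIME )) \
  -set_serial "0x$(openssl rand -hex 15)" \
  -extfile /dev/stdin -extensions v3_ca <<"END"
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# pathlen:0 - this intermediate may issue end-entity certificates only.
basicConstraints = critical, CA:TRUE, pathlen:0
# cRLSign lets the intermediate revoke the certificates it issues via a CRL.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyCertSign, cRLSign
# OpenSSL evaluates EKU on CA certificates too, so keep this a superset of what
# the leaf certificate carries.
extendedKeyUsage = clientAuth, serverAuth, emailProtection
END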
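# End-entity certificate, signed by the intermediate (skipped when user.crt exists).
# The heredoc is now unquoted so subjectAltName can be filled in: set USER_SAN to a
# full SAN list (e.g. "DNS:www.example.test,IP:10.0.0.1,email:me@example.test");
# by default it mirrors the CN as a DNS name. Without a SAN the cert is useless for
# serverAuth, since current TLS clients match the host name against SAN only and
# ignore the CN.
# Serial: random instead of $(date +%s) so re-runs within the same second cannot
# reuse a serial under the same issuer (RFC 5280 requires uniqueness).
[ ! -s "user.crt" ] &&
openssl req -new -sha256 -batch -newkey rsa:2048 -nodes \
  -keyout user.key -out user.req -subj "/CN=${USER_CN}/OU=${USER_OU}" &&
openssl x509 -req -sha256 -in user.req -CA ca-int.crt -CAkey ca-int.key -out user.crt \
  -days $(( 365 * USER_TIME + USER_TIME )) \
  -set_serial "0x$(openssl rand -hex 15)" \
  -extfile /dev/stdin -extensions v3_ext <<END
[ v3_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth, emailProtection
subjectAltName = ${USER_SAN:-DNS:${USER_CN}}
END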