I don't know about you, but I know I'd rather spend an hour writing a script to automate something than 30 minutes figuring out how to use an existing but annoying/terrible tool. I do that not because I am a glutton for punishment, but because I
know I'll have to use that terrible tool again in the future and I won't remember how to use it anyway.
So when I needed certificates for a test environment I checked out OpenSSL's built in CA tool, quickly decided against using it, and then wrote my own simpler tool.
Enjoy!
Update: There's a new version of this script available in a new post
To use:
- make a directory to contain the script and the keys and certs it will generate
- copy/paste this code into a file in that directory. I called it make-cert, but use whatever name you like
- run it
The script takes one or more parameters that specify the CN of the cert you want it to generate. So
$ ./make-cert myserver.mydomain.com
will make a cert for myserver.mydomain.com. It will also take more than one CN on the command line, so
$ ./make-cert myserver.mydomain.com login.mydomain.com
will make a certificate for myserver.mydomain.com and another one for login.mydomain.com.
NOTE: There's a new version of this script available in a new post
And here's the code
#!/bin/bash
# a very, very simple cert authority
#
# Copyright 2011 Oracle
# christopher.johnson@oracle.com
#
# License agreement:
# ------------------
# This script is intended as a simple sample and/or for my own
# purposes. If you get any benefit from it then that's GREAT but
# there are NO warranties and NO support. If this script burns down
# your house, chases your dog away and spoils your milk please don't
# come crying to me.
baseAnswers() {
echo US
echo Massachusetts
echo Boston
echo Oracle
echo A-Team
echo $1
echo root@`hostname`
}
answers() {
baseAnswers $1
echo ''
echo ''
}
# better safe than sorry
umask 077
# these next two lines figure out where the script is on disk
SCRIPTPATH=`readlink -f $0`
SCRIPTDIR=`dirname $0`
# if you're running this from somewhere else...
if [ $SCRIPTDIR != "." -a $SCRIPTDIR != $PWD ]; then
# then CD to that directory
cd $SCRIPTDIR
echo "Certificate and key files (.crt and .key) will be placed in $PWD"
fi
if [ ! -e ca.crt -o ! -e ca.key ]; then
echo "Creating cert authority key & certificate"
baseAnswers "My Cert Authority" | openssl req -newkey rsa:1024 -keyout ca.key -nodes -x509 -days 365 -out ca.crt 2> /dev/null
fi
if [ $# -eq 0 ] ; then
echo "This script creates one or more certificates."
echo "Provide one or more certificate CNs on the command line."
echo "Usage: `basename $0` [certcn [...]]"
exit -1
fi
for certCN in $@ ; do
echo Certificate for CN \"$certCN\"
echo =============================================
KEY=$certCN.key
CRT=$certCN.crt
REQ=$certCN.req
ABORT=0
if [ -e $KEY ] ; then
echo " ERROR: Key file $KEY already exists"
ABORT=1
fi
if [ -e $REQ ] ; then
echo " ERROR: Request file $REQ already exists"
ABORT=1
fi
if [ -e $CRT ] ; then
echo " ERROR: Certificate file $CRT already exists"
ABORT=1
fi
if [ $ABORT -eq 1 ] ; then
echo ''
echo "If you wish to recreate a certificate for you must delete"
echo "any preexisting files for that CN before running this script."
echo ''
echo ''
else
answers $certCN | openssl req -newkey rsa:1024 -keyout $KEY -nodes -days 365 -out $REQ 2> /dev/null
# at this point we have a key file, but the cert is not signed by the CA
openssl x509 -req -in $REQ -out $CRT -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.serial 2> /dev/null
echo "Certificate created."
ls -l $KEY $REQ $CRT
echo 'Certificate information:'
openssl x509 -in $CRT -noout -issuer -subject -serial
fi
done
Note: an earlier version of this script was missing a $1 in the answers() function. The above script contains the correction.
Posts
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.