Self-signed certificates: shell script to generate

nabbisen - May 22 '21 - - Dev Community

* The cover image is originally by OpenClipart-Vectors and edited with great appreciation.


I created Bash script to generate self-signed certificates. It was maybe when I tried some tests on MariaDB or PostgreSQL connection.
Running the script below after setting "global paramters" generates those of server/client/ca (certificate authority).

#!/bin/sh

# [ global parameters ]
# certificate configuration
readonly CERT_DAYS=36500
readonly RSA_STR_LEN=4096
readonly PREFIX=xxx-
readonly CERT_DIR=./ssl
readonly KEY_DIR=./ssl/private
# certificate content definition
readonly ADDRESS_COUNTRY_CODE=XX
readonly ADDRESS_PREFECTURE=XXXX
readonly ADDRESS_CITY=XXXX
readonly COMPANY_NAME=XXXXXXXX
readonly COMPANY_SECTION=XXXXXXXX
readonly CERT_PASSWORD= # no password
# - ca
readonly CA_DOMAIN=x.domain
readonly CA_EMAIL=ca@email.address
# - server
readonly SERVER_DOMAIN=y.domain
readonly SERVER_EMAIL=server@email.address
# - client
readonly CLIENT_DOMAIN=z.domain
readonly CLIENT_EMAIL=client@email.address

# [ functions ]
echo_cert_params() {
    local company_domain="$1"
    local company_email="$2"

    echo $ADDRESS_COUNTRY_CODE
    echo $ADDRESS_PREFECTURE
    echo $ADDRESS_CITY
    echo $COMPANY_NAME
    echo $COMPANY_SECTION
    echo $company_domain
    echo $company_email
    echo $CERT_PASSWORD     # password
    echo $CERT_PASSWORD     # password (again)
}
echo_ca_cert_params() {
    echo_cert_params "$CA_DOMAIN" "$CA_EMAIL"
}
echo_server_cert_params() {
    echo_cert_params "$SERVER_DOMAIN" "$SERVER_EMAIL"
}
echo_client_cert_params() {
    echo_cert_params "$CLIENT_DOMAIN" "$CLIENT_EMAIL"
}

# [ main ]
# generate certificates
# - ca
openssl genrsa $RSA_STR_LEN > $KEY_DIR/${PREFIX}ca-key.pem
echo_ca_cert_params | \
    openssl req -new -x509 -nodes -days $CERT_DAYS -key $KEY_DIR/${PREFIX}ca-key.pem -out $CERT_DIR/${PREFIX}ca-cert.pem
# - server
echo_server_cert_params | \
    openssl req -newkey rsa:$RSA_STR_LEN -days $CERT_DAYS -nodes -keyout $KEY_DIR/${PREFIX}server-key.pem -out $CERT_DIR/${PREFIX}server-req.pem
openssl rsa -in $KEY_DIR/${PREFIX}server-key.pem -out $KEY_DIR/${PREFIX}server-key.pem
openssl x509 -req -in $CERT_DIR/${PREFIX}server-req.pem -days $CERT_DAYS -CA $CERT_DIR/${PREFIX}ca-cert.pem -CAkey $KEY_DIR/${PREFIX}ca-key.pem -set_serial 01 -out $CERT_DIR/${PREFIX}server-cert.pem
# - client
echo_client_cert_params | \
    openssl req -newkey rsa:$RSA_STR_LEN -days $CERT_DAYS -nodes -keyout $KEY_DIR/${PREFIX}client-key.pem -out $CERT_DIR/${PREFIX}client-req.pem
openssl rsa -in $KEY_DIR/${PREFIX}client-key.pem -out $KEY_DIR/${PREFIX}client-key.pem
openssl x509 -req -in $CERT_DIR/${PREFIX}client-req.pem -days $CERT_DAYS -CA $CERT_DIR/${PREFIX}ca-cert.pem -CAkey $KEY_DIR/${PREFIX}ca-key.pem -set_serial 01 -out $CERT_DIR/${PREFIX}client-cert.pem

# clean up (before permission changed)
rm $KEY_DIR/${PREFIX}ca-key.pem
rm $CERT_DIR/${PREFIX}server-req.pem
rm $CERT_DIR/${PREFIX}client-req.pem

# validate permission
chmod 400 $KEY_DIR/${PREFIX}server-key.pem
chmod 400 $KEY_DIR/${PREFIX}client-key.pem

# verify relationship among certificates
openssl verify -CAfile $CERT_DIR/${PREFIX}ca-cert.pem $CERT_DIR/${PREFIX}server-cert.pem $CERT_DIR/${PREFIX}client-cert.pem
Enter fullscreen mode Exit fullscreen mode

Here is the output:

$ bash <the-script-above>.bash
Generating RSA private key, 4096 bit long modulus
................++++
........................................................++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, fully qualified host name) []:Email Address []:Generating a 4096 bit RSA private key
...................................................................................................++++
.......................................................................................++++
writing new private key to './ssl/private/xxx-server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, fully qualified host name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:writing RSA key
Signature ok
subject=/C=XX/ST=XXXX/L=XXXX/O=XXXXXXXX/OU=XXXXXXXX/CN=y.domain/emailAddress=server@email.address
Getting CA Private Key
Generating a 4096 bit RSA private key
...........................................................................++++
...........................................................++++
writing new private key to './ssl/private/xxx-client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, fully qualified host name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:writing RSA key
Signature ok
subject=/C=XX/ST=XXXX/L=XXXX/O=XXXXXXXX/OU=XXXXXXXX/CN=z.domain/emailAddress=client@email.address
Getting CA Private Key
./ssl/xxx-server-cert.pem: OK
./ssl/xxx-client-cert.pem: OK
Enter fullscreen mode Exit fullscreen mode

And the result:

$ ls -l ssl/*
-rw-r--r--  1 <running-user>  <running-user>  1980 May 22 15:17 ssl/xxx-ca-cert.pem
-rw-r--r--  1 <running-user>  <running-user>  1976 May 22 15:17 ssl/xxx-client-cert.pem
-rw-r--r--  1 <running-user>  <running-user>  1976 May 22 15:17 ssl/xxx-server-cert.pem

ssl/private:
total 16
-r--------  1 <running-user>  <running-user>  3243 May 22 15:17 xxx-client-key.pem
-r--------  1 <running-user>  <running-user>  3243 May 22 15:17 xxx-server-key.pem
Enter fullscreen mode Exit fullscreen mode
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .