OpenSSL CA - Create
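#!/bin/sh
# Script for Creating Self-Signed SSL Certificates
#
# Creates (or reuses) a local root CA and issues a leaf certificate for ${base}
# signed by it. Every generation step is skipped when its output file already
# exists, so an existing self-signed root key/certificate can be reused.
#
# Files written to the current directory:
#   ${root}.key / ${root}.crt  - CA private key (unencrypted) and CA certificate
#   ${root}.srl                - serial number file kept up to date by -CAcreateserial
#   ${base}.key / ${base}.csr  - leaf private key and certificate signing request
#   ${base}.crt                - leaf certificate; its extensions come from ${opensslConf}
#
# All private keys are stored unencrypted, which is acceptable for a local
# development CA only. Never import ${root}.crt into a trust store on a machine
# where ${root}.key could be read by others.
#
# Adjustments: adds some additional optional steps, so existing self-signed
# root certificates can be reused.
#
# Original Author:
# =============================================================================
# ssl-certs.sh - Self signing SSL certificates
#
# Author: Steve Shreeve <[email protected]>
# Date: Dec 17, 2022
# =============================================================================
# Original Source can be found at: https://gist.github.com/shreeve/3358901a26a21d4ddee0e1342be7749d
#
# More sources
# See https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309

# Stop at the first failing command and on unset variables: a failed key
# generation must not be followed by signing with a missing or half-written key.
set -eu

# variables
name="Kaapiii Minimal Dev."
base="minimal.localhost"
root="rootCA"
opensslConf="openssl.cnf"
# Validity periods in days. The leaf certificate is kept within the CA's own
# lifetime and under the 825-day cap Apple platforms enforce for TLS server
# certificates (a longer leaf is rejected by Safari/iOS even with a trusted root).
rootDays=731
certDays=731

# Create the openssl.cnf file based on the openssl.cnf.dist file, if it does not exist.
# This file supplies the leaf certificate's extensions (see -extfile below).
# It is plain configuration data, so no executable bit is set on it.
if [ ! -f "${opensslConf}" ]; then
  echo "No ${opensslConf} file provided or found. A new ${opensslConf} is created.";
  cp "${opensslConf}.dist" "${opensslConf}"
fi

# Create the root key and root certificate.
# The subshell umask makes the private key readable by its owner only; with the
# default umask openssl would create a world-readable CA key.
if [ ! -f "${root}.key" ]; then
  echo "No ${root}.key file provided. A new local ${root}.key is created.";
  (umask 077 && openssl genrsa -out "${root}.key" 3072)
fi
if [ ! -f "${root}.crt" ]; then
  echo "No ${root}.crt provided or found. A new local ${root}.crt is created.";
  # pathlen:0 - this root may only sign end-entity certificates, not sub-CAs.
  openssl req -x509 -sha256 -new -key "${root}.key" -out "${root}.crt" -days "${rootDays}" \
    -subj "/CN=Custom Root" \
    -addext "keyUsage = critical, keyCertSign" \
    -addext "basicConstraints = critical, CA:TRUE, pathlen:0" \
    -addext "subjectKeyIdentifier = hash"
fi

# Create our key and certificate signing request
if [ ! -f "${base}.key" ]; then
  echo "No ${base}.key for a certificate signing request provided or found. A new local ${base}.key is created.";
  (umask 077 && openssl genrsa -out "${base}.key" 2048)
fi
if [ ! -f "${base}.csr" ]; then
  echo "No ${base}.csr for a certificate signing request provided or found. A new local ${base}.csr is created.";
  # The request configuration goes into a temporary file rather than a bash-only
  # process substitution, so the script is valid under /bin/sh (and echo's
  # handling of "\n" no longer matters). The empty [dn] section satisfies
  # versions of `openssl req` that insist on a distinguished_name entry even
  # though the subject is given with -subj.
  reqConf=$(mktemp) || exit 1
  trap 'rm -f -- "${reqConf}"' EXIT
  printf '[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName = DNS:%s,DNS:*.%s\n' \
    "${base}" "${base}" > "${reqConf}"
  openssl req -sha256 -new \
    -key "${base}.key" \
    -subj "/CN=*.${base}/O=${name}/OU=minimal@localhost" \
    -reqexts SAN \
    -config "${reqConf}" \
    -out "${base}.csr"
fi

# Create our final certificate and sign it.
# NOTE: `openssl x509 -req` does not copy the extensions carried in the CSR
# (unless a newer OpenSSL's -copy_extensions is used), so the SAN requested
# above only documents intent. The certificate's effective extensions,
# including subjectAltName, come from ${opensslConf}; its alt_names must list
# ${base}, otherwise clients will reject the certificate for a name mismatch.
if ! grep -q -F -- "${base}" "${opensslConf}"; then
  echo "WARNING: ${opensslConf} does not mention ${base}; the signed certificate's subjectAltName will not match." >&2
fi
openssl x509 -req -sha256 \
  -in "${base}.csr" \
  -out "${base}.crt" \
  -days "${certDays}" \
  -CAkey "${root}.key" \
  -CA "${root}.crt" \
  -CAcreateserial -extfile "${opensslConf}"
echo "Update the certificates";

# Output created files to the console
echo "--"; openssl x509 -in "${root}.crt" -noout -text
echo "--"; openssl req -in "${base}.csr" -noout -text
echo "--"; openssl x509 -in "${base}.crt" -noout -text
echo "--";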
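# Extensions to add to a certificate request
# Used as the -extfile of `openssl x509 -req` when the leaf certificate is
# signed. OpenSSL applies the unnamed default section below; the extensions
# inside the CSR itself are not copied, so the subjectAltName that ends up in
# the certificate is the one configured here.
# For more information about the cert signing configuration consult:
# https://superuser.com/questions/738612/openssl-ca-keyusage-extension
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
# Apple platforms require TLS server certificates to carry an extendedKeyUsage
# containing serverAuth; without it the certificate is rejected even when the
# issuing root is trusted.
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
# Keep these names in sync with the `base` variable of the creating script:
# clients match the requested host name against this list, not the CN.
[ alt_names ]
DNS.1 = minimal.localhost
DNS.2 = *.minimal.localhost
DNS.3 = minimal.loc
DNS.4 = *.minimal.loc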