make-ssl-cert.sh

  1. #!/bin/sh
  2.  
  3. PROJECT_NAME=$1
  4.  
  5. if [ "x" = "x$PROJECT_NAME" ];
  6. then
  7. echo Missing project name
  8. echo Run $0 PROJECT_NAME
  9. exit 1
  10. fi
  11.  
  12. basename=$(echo $PROJECT_NAME | \
  13. iconv -f UTF-8 -t ascii//TRANSLIT | \
  14. tr [:upper:] [:lower:] | \
  15. sed 's/[^0-9a-z.]/-/g')
  16.  
  17. key_filename=$basename.key
  18. csr_filename=$basename.csr
  19. cnf_filename=$basename.cnf
  20. crt_filename=$basename.crt
  21.  
  22. #set -x
  23.  
  24. if [ ! -f $cnf_filename ];
  25. then
  26. cat > $cnf_filename <<EOT
  27. [ req ]
  28. distinguished_name = req_distinguished_name
  29. req_extensions = v3_req # The extensions to add to a certificate request
  30.  
  31. [ req_distinguished_name ]
  32. countryName = Country Name (2 letter code)
  33. countryName_default = FR
  34. countryName_min = 2
  35. countryName_max = 2
  36. stateOrProvinceName = State or Province Name (full name)
  37. stateOrProvinceName_default = Some-State
  38. localityName = Locality Name (eg, city)
  39. 0.organizationName = Organization Name (eg, company)
  40. 0.organizationName_default = Internet Widgits Pty Ltd
  41. organizationalUnitName = Organizational Unit Name (eg, section)
  42. commonName = Common Name (e.g. server FQDN or YOUR name)
  43. commonName_max = 64
  44. emailAddress = Email Address
  45. emailAddress_max = 64
  46.  
  47. [ v3_req ]
  48. subjectAltName = @alt_names
  49.  
  50. [ alt_names ]
  51. DNS.1 = $PROJECT_NAME
  52. DNS.2 = www.$PROJECT_NAME
  53. DNS.3 = api.$PROJECT_NAME
  54. DNS.4 = cdn.$PROJECT_NAME
  55. EOT
  56. fi
  57.  
  58. # http://apetec.com/support/GenerateSAN-CSR.htm
  59.  
  60. if [ ! -f $key_filename ];
  61. then
  62. # Generate a Private Key
  63. openssl genrsa -out $key_filename
  64. fi
  65.  
  66. if [ ! -f $csr_filename ];
  67. then
  68. # Generate a CSR (Certificate Signing Request)
  69. openssl req -new \
  70. -key $key_filename \
  71. -out $csr_filename \
  72. -config $cnf_filename
  73. fi
  74.  
  75. # Verify CSR
  76. openssl req -in $csr_filename -noout -text
  77.  
  78. if [ ! -f $crt_filename ];
  79. then
  80. # Generating a Self-Signed Certificate
  81. openssl x509 -req \
  82. -days 3650 \
  83. -in $csr_filename \
  84. -signkey $key_filename \
  85. -out $crt_filename \
  86. -extensions v3_req \
  87. -extfile $cnf_filename
  88. fi
  89.  
  90. if which certutil > /dev/null;
  91. then
  92. if ! certutil -d sql:$HOME/.pki/nssdb -L -n "$PROJECT_NAME" > /dev/null;
  93. then
  94. # https://code.google.com/p/chromium/wiki/LinuxCertManagement
  95. certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "$PROJECT_NAME" -i $crt_filename
  96. fi
  97. fi
  98.  
  99. cat <<EOT
  100.  
  101. httpd.conf:
  102. SSLEngine on
  103. SSLCertificateFile $PWD/$crt_filename
  104. SSLCertificateKeyFile $PWD/$key_filename
  105. EOT