It is possible to create SSL certificates for a client, a server and a root CA with openssl alone, each with a single command line.

Openssl

I often had to quickly create client/server SSL certificates to set up an HTTP server, Jabber, OpenVPN etc., and I was looking for a way to do it without easy-rsa or similar tools.

I spent some time finding the right parameters for openssl and I'd like to share my scripts. There is a trade-off between simplicity and flexibility, but I hope these scripts will help you get the job done.

There are three scripts:

  • make_ca.sh: creates a new self-signed CA certificate
  • make_server.sh: creates a server certificate and signs it with the CA
  • make_client.sh: creates a client certificate and signs it with the CA

Each script contains a debug section that writes out information about the certificates just created; you can cut it out if you don't need it.

Please feel free to comment and correct me! The scripts are on GitHub Gists: https://gist.github.com/artyomb/05b2282b566214967545d7569050a746

make_ca.sh:

#!/bin/bash
cd "$(dirname "$0")"
#Generate CA (self-signed); the key is written unencrypted (-nodes)
openssl req -x509 -nodes -days 5000 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
#Debug dump
openssl x509 -in ca.crt -noout -text >ca.txt
openssl x509 -noout -fingerprint -in ca.crt >> ca.txt
openssl verify -verbose -CAfile ca.crt ca.crt
#Calculate SKI (Subject Key Identifier): SHA-1 over the public key BIT STRING of the SubjectPublicKeyInfo.
#Offset 19 is where that BIT STRING starts for an RSA key; it differs for other key types.
openssl x509 -noout -in ca.crt -pubkey | openssl asn1parse -strparse 19 -out ca.pub.tmp 1>/dev/null
openssl dgst -c -sha1 ca.pub.tmp
rm -f ca.pub.tmp

make_client.sh:

#!/bin/bash
cd "$(dirname "$0")"
c_name="client1"
file_name="client1"
ca_crt='../ca.crt'
ca_key='../ca.key'
#Generate client certificate; v3.ext holds the X.509v3 extensions for the leaf certificate (file not shown here)
openssl genrsa -out "$file_name.key" 2048
openssl req -new -key "$file_name.key" -out "$file_name.csr" -subj "/O=Group/OU=Org/CN=$c_name"
openssl x509 -req -extfile v3.ext -in "$file_name.csr" -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial -out "$file_name.crt" -days 365
# Generate PKCS12 for Firefox and Chrome (prompts for an export password)
openssl pkcs12 -export -in "$file_name.crt" -inkey "$file_name.key" -name "$c_name Org" -out "$file_name.p12"
#Debug dump
echo "------------Check------------"
# Reads the PKCS12 back assuming an empty export password; use the commented variant below to be prompted instead
openssl pkcs12 -in "$file_name.p12" -nodes -passin pass:"" | openssl x509 -noout -text >"$file_name.p12.txt"
#openssl pkcs12 -in "$file_name.p12" -nodes | openssl x509 -noout -text >"$file_name.p12.txt"
openssl x509 -noout -text -in "$file_name.crt" >"$file_name.crt.txt"
openssl verify -verbose -CAfile "$ca_crt" "$file_name.crt"

make_server.sh:

#!/bin/bash
cd "$(dirname "$0")"
#ALTNAME="DNS:<host1>,DNS:<host2>"
ca_crt='../ca.crt'
ca_key='../ca.key'
#Generate certificate
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/O=Group/OU=Org/CN=222.222.45.66"
# Alternative: put the SAN into the CSR itself instead of adding it at signing time
# -reqexts SAN -config <( cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName='DNS.1:222.222.45.66:8080,DNS.2:222.222.45.66:9090,DNS.3:app.scispike.com'"))
# Sign with the CA. The extensions come from v3.ext with a subjectAltName appended on the fly;
# only one -extfile may be given (openssl keeps the last one), so the combined file is passed.
openssl x509 -req -in server.csr -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial -out server.crt -days 365 \
  -extfile <(cat ./v3.ext <(printf "\nsubjectAltName=IP:222.222.45.66,DNS:222.222.45.66"))
#Debug dump
openssl req -in server.csr -text -noout >server.csr.txt
openssl x509 -in server.crt -noout -text >server.crt.txt
openssl verify -verbose -CAfile "$ca_crt" server.crt
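The three scripts only dump the certificates as text, which does not tell you whether they will actually be accepted. The following is an added example, not part of the original post or its gists: it runs the same CA, server and client steps in a temporary directory and then verifies the result with openssl itself, so that the leaves chain to this CA and to no other, the server certificate matches its IP and DNS SAN, extendedKeyUsage keeps a client certificate off a server (and the reverse), and the SKI trick from make_ca.sh reproduces the Subject Key Identifier openssl wrote into the CA certificate. It goes slightly beyond the post by reading the BIT STRING offset from asn1parse instead of hard-coding 19, so the SKI computation also works for non-RSA keys. Assumptions: the v3.ext content written below (the post never shows that file), the post's example IP 222.222.45.66, and the constructed names Example Root CA, app.example.test and client1.

```shell
#!/bin/sh
# Added example (not from the original post or its gists): rebuild the
# CA -> server -> client flow with the same openssl commands, then verify
# what the scripts only dump as text. Assumptions: the v3.ext content below,
# the post's example IP 222.222.45.66 and the constructed names used here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH, nothing to run" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Assumed v3.ext: end-entity constraints so a leaf certificate can never act as a CA.
cat > "$WORK/v3.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF

# Self-signed CA as in make_ca.sh. $1 = file basename, $2 = CN
make_ca() {
  openssl req -x509 -nodes -days 5000 -newkey rsa:2048 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/O=Dis/CN=$2" 2>/dev/null
}

# Leaf signed by CA $1. $2 = basename, $3 = subject, $4 = extension lines appended
# to v3.ext (SAN, extendedKeyUsage; "\n" separated). A temp file replaces the
# bash-only "<(cat v3.ext <(printf ...))" trick so this also runs under plain sh,
# and exactly one -extfile is passed, since openssl only honours the last one given.
issue_leaf() {
  openssl genrsa -out "$WORK/$2.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$2.key" -out "$WORK/$2.csr" -subj "$3" 2>/dev/null
  { cat "$WORK/v3.ext"; printf '%b\n' "$4"; } > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Exit 0 only if leaf $2 chains to CA $1 and passes any extra verify options
# ($3...: -verify_ip, -verify_hostname, -purpose).
verify_leaf() {
  ca=$1; leaf=$2; shift 2
  openssl verify -CAfile "$WORK/$ca.crt" ${1+"$@"} "$WORK/$leaf.crt" >/dev/null 2>&1
}

# SKI the way make_ca.sh computes it (SHA-1 over the SubjectPublicKeyInfo BIT
# STRING contents, RFC 5280 method 1), but with the BIT STRING offset taken from
# asn1parse output instead of the hard-coded 19, which is only right for RSA keys.
compute_ski() {
  openssl x509 -in "$WORK/$1.crt" -noout -pubkey > "$WORK/$1.pub"
  off=$(openssl asn1parse -in "$WORK/$1.pub" | awk -F: '/BIT STRING/ { print $1 + 0; exit }')
  openssl asn1parse -in "$WORK/$1.pub" -strparse "$off" -noout -out "$WORK/$1.bits"
  openssl dgst -c -sha1 "$WORK/$1.bits" | sed 's/^.*= *//' | tr 'a-f' 'A-F'
}

# The Subject Key Identifier extension openssl wrote into the certificate.
cert_ski() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | awk '/Subject Key Identifier/ { getline; gsub(/[[:space:]]/, ""); print; exit }'
}

# expect <0|1> <command...>: report whether the command's exit status is the wanted one.
expect() {
  want=$1; shift
  if "$@"; then got=0; else got=1; fi
  if [ "$got" -eq "$want" ]; then echo "ok   $*"; else echo "FAIL $*"; return 1; fi
}

make_ca ca "Example Root CA"
make_ca rogue "Some Other CA"        # a second CA that signed nothing below
issue_leaf ca server "/O=Group/OU=Org/CN=222.222.45.66" \
  "subjectAltName=IP:222.222.45.66,DNS:app.example.test\nextendedKeyUsage=serverAuth"
issue_leaf ca client "/O=Group/OU=Org/CN=client1" "extendedKeyUsage=clientAuth"

expect 0 verify_leaf ca server -verify_ip 222.222.45.66
expect 0 verify_leaf ca server -verify_hostname app.example.test
expect 1 verify_leaf ca server -verify_hostname other.example.test
expect 1 verify_leaf rogue server                  # another CA does not vouch for it
expect 0 verify_leaf ca client -purpose sslclient
expect 1 verify_leaf ca client -purpose sslserver  # clientAuth EKU is not enough for a server
expect 1 verify_leaf ca server -purpose sslclient
expect 1 verify_leaf ca client -verify_ip 222.222.45.66   # client cert carries no IP SAN
echo "computed SKI: $(compute_ski ca)"
echo "cert SKI    : $(cert_ski ca)"
```

The DNS entry uses a real hostname rather than the IP string, since clients match an address against the IP: entry of the SAN. The -purpose checks are the ones worth keeping in a real deployment script: a certificate that chains correctly but carries the wrong extendedKeyUsage is the most common reason a freshly issued client certificate is rejected at the TLS handshake.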