



If you're even a small-time sysadmin, chances are that you've had to create SSL certificates more than once. Creating a certificate signing request is generally easy enough--you create the .key and the .csr files, and send the .csr file off to your Certificate Authority (CA), pay them a ton of money, and they send you back your signed public key (usually a file ending in .crt).
But what if you don't want to go through all of that trouble? What if you just want to have a self-signed SSL certificate for a small project? Or for submitting to Amazon Web Services (AWS) so that you can access their API?
I wrote a script to help automate that:
```sh
#!/bin/sh
#
# This is a wrapper script for making self-signed certificates
#

#
# Make errors be fatal.
#
set -e

if test ! "$1"
then
	echo "Syntax: $0 basename"
	exit 1
fi

BASENAME=$1

#
# Create every file readable and writable by the owner only,
# so the private key is never group- or world-readable.
#
umask 077

#
# Our secret key
#
KEY="${BASENAME}.key"

#
# Our certificate signing request (we won't need this)
#
CSR="${BASENAME}.csr"

#
# Our self-signed certificate
#
CERTIFICATE="${BASENAME}.crt"

#
# Don't worry about the password here. It is removed again below.
# The assumption is that only yourself and root will have access to this key.
#
echo "#"
echo "#"
echo "# About to generate private key"
echo "#"
echo "#"
openssl genrsa -des3 -passout pass:12345 -out "${KEY}" 2048

echo "#"
echo "#"
echo "# About to create certificate signing request"
echo "# For these questions, if the key is being used for AWS or anywhere BUT a public server, you can just mash the enter key."
echo "#"
echo "#"
openssl req -new -passin pass:12345 -key "${KEY}" -out "${CSR}"

#
# This will remove the passphrase from the key
#
cp "${KEY}" "${KEY}.orig"
openssl rsa -passin pass:12345 -in "${KEY}.orig" -out "${KEY}"
rm -f "${KEY}.orig"

echo "#"
echo "#"
echo "# Creating the self-signed certificate."
echo "#"
echo "#"
openssl x509 -req -days 365 -in "${CSR}" -signkey "${KEY}" -out "${CERTIFICATE}"

#
# We don't need our signing request anymore.
#
rm -f "${CSR}"

echo "#"
echo "#"
echo "# All done! Here are your files:"
echo "# Private key: ${KEY}"
echo "# Certificate: ${CERTIFICATE}"
echo "#"
echo "#"
```
I posted it here to share it with others. Enjoy the script! It can also be found on GitHub under my Unix-Utils repository.
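Because the script leaves an unencrypted private key on disk and issues a certificate that expires after 365 days, it is worth checking the resulting pair before using it. The following is an added example, not part of the original script or the Unix-Utils repository; the function names and the 30-day expiry threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: post-generation checks for BASENAME.key / BASENAME.crt.
# Function names and the 30-day threshold are illustrative assumptions.

# True if neither group nor others have any permission on the private key.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the certificate carries the public half of the given private key.
# "-passin pass:" makes a still-encrypted key fail instead of prompting.
cert_matches_key() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# True if issuer and subject are identical, i.e. no CA has signed this cert.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 2
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null) || return 2
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# True if the certificate is still valid N days from now (default 30).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Run every check on BASENAME.key / BASENAME.crt; return the failure count.
audit_pair() {
    failures=0
    key_is_private "$1.key" ||
        { echo "FAIL: $1.key is accessible to group or others"; failures=$((failures + 1)); }
    cert_matches_key "$1.key" "$1.crt" ||
        { echo "FAIL: $1.crt does not contain the public key of $1.key"; failures=$((failures + 1)); }
    is_self_signed "$1.crt" ||
        { echo "FAIL: $1.crt issuer differs from subject"; failures=$((failures + 1)); }
    valid_for_days "$1.crt" 30 ||
        { echo "FAIL: $1.crt expires within 30 days"; failures=$((failures + 1)); }
    return "$failures"
}

# When run directly with a basename, audit that pair.
if [ $# -gt 0 ]; then
    audit_pair "$1"
fi
```

Run it with the same basename you gave the wrapper script; an exit status of 0 means all four checks passed.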
On a related note, once you're ready to have your key signed, you should check out Let's Encrypt. It's a new certificate authority that is free, automated, and open!
[August 8th, 2016 Edit: Updated to list Let's Encrypt instead. ]
[January 29th, 2014 Edit: Replaced the URL "CheapSSLs.com" with just "SSLs.com", as the former acquired the latter domain.]