Doug's Home On The Web
Writings from a Philadelphia Software Engineer...
Social Media
Most Recent Poll
Recent posts
Most Popular Tags
Syndicate
Creating Self-signed X.509 SSL Certificates the Easy Way
Mon, 2012-12-10 23:31 by Douglas Muth
Find this code on GitHub
Here
Here
If you're even a small-time sysadmin, chances are that you've had to create SSL certificates more than once. Creating a certificate signing request is generally easy enough--you create the .key and the .csr files, and send the .csr file off to your Certificate Authority (CA), pay them a ton of money, and they send you back your signed public key (usually a file ending in .crt).
But what if you don't want to go through all of that trouble? What if you just want to have a self-signed SSL certificate for a small project? Or for submitting to Amazon Web Services (AWS) so that you can access their API?
I wrote a script to help automate that:
#!/bin/sh
#
# This is a wrapper script for making self-signed certificates
#
#
# Make errors be fatal.
#
set -e
if test ! "$1"
then
echo "Syntax: $0 basename"
exit 1
fi
BASENAME=$1
#
# Our secret key
#
KEY="${BASENAME}.key"
#
# Our certificate signing request (we won't need this)
#
CSR="${BASENAME}.csr"
#
# Our self-signed certificate
#
CERTIFICATE="${BASENAME}.crt"
#
# Don't worry about the password here. The assumption
# is that only yourself and root will have access to this key.
#
echo "#"
echo "#"
echo "# About to generate private key"
echo "#"
echo "#"
openssl genrsa -des3 -passout pass:12345 -out ${KEY} 2048
echo "#"
echo "#"
echo "# About to create certificate signing request"
echo "# For these questions, if the key is being used for AWS or anywhere BUT a public server, you can just mash the enter key."
echo "#"
echo "#"
openssl req -new -passin pass:12345 -key ${KEY} -out ${CSR}
#
# This will remove the passphrase from the key
#
cp ${KEY} ${KEY}.orig
openssl rsa -passin pass:12345 -in ${KEY}.orig -out ${KEY}
rm -f ${KEY}.orig
echo "#"
echo "#"
echo "# Creating the self-signed certificate."
echo "#"
echo "#"
openssl x509 -req -days 365 -in ${CSR} -signkey ${KEY} -out ${CERTIFICATE}
#
# We don't need our signing request anymore.
#
rm -f ${CSR}
echo "#"
echo "#"
echo "# All done! Here are your files:"
echo "# Private key: ${KEY}"
echo "# Certificate: ${CERTIFICATE}"
echo "#"
echo "#"
I posted it here to share it with others. Enjoy the script! It can also be found on GitHub under my Unix-Utils repository.
On a related note, once you're ready to have your key signed, you should check out Let's Encrypt. It's a new certificate authority that is free, automated, and open!
[August 8th, 2016 Edit: Updated to list Let's Encrypt instead. ]
[January 29th, 2014 Edit: Replaced the URL "CheapSSLs.com" with just "SSLs.com", as the former acquired the latter domain.]