Creating Self-signed X.509 SSL Certificates the Easy Way


If you're even a small-time sysadmin, chances are that you've had to create SSL certificates more than once. Creating a certificate signing request is generally easy enough--you create the .key and the .csr files, and send the .csr file off to your Certificate Authority (CA), pay them a ton of money, and they send you back your signed public key (usually a file ending in .crt).

But what if you don't want to go through all of that trouble? What if you just want to have a self-signed SSL certificate for a small project? Or for submitting to Amazon Web Services (AWS) so that you can access their API?

I wrote a script to help automate that:

#!/bin/sh
#
# This is a wrapper script for making self-signed certificates
#

#
# Make errors be fatal.
#
set -e

#
# Create the key files readable only by their owner.
#
umask 077

if test ! "$1"
then
	echo "Syntax: $0 basename"
	exit 1
fi

BASENAME=$1

#
# Our secret key
#
KEY="${BASENAME}.key"

#
# Our certificate signing request (we won't need this)
#
CSR="${BASENAME}.csr"

#
# Our self-signed certificate
#
CERTIFICATE="${BASENAME}.crt"


#
# Don't worry about the password here.  The assumption 
# is that only yourself and root will have access to this key.
#
echo "#"
echo "#"
echo "# About to generate private key"
echo "#"
echo "#"
openssl genrsa -des3 -passout pass:12345 -out "${KEY}" 2048


echo "#"
echo "#"
echo "# About to create certificate signing request"
echo "# For these questions, if the key is being used for AWS or anywhere BUT a public server, you can just mash the enter key." 
echo "#"
echo "#"
openssl req -new -passin pass:12345 -key "${KEY}" -out "${CSR}"

#
# This will remove the passphrase from the key
#
cp "${KEY}" "${KEY}.orig"
openssl rsa -passin pass:12345 -in "${KEY}.orig" -out "${KEY}"
rm -f "${KEY}.orig"


echo "#"
echo "#"
echo "# Creating the self-signed certificate."
echo "#"
echo "#"
openssl x509 -req -days 365 -in "${CSR}" -signkey "${KEY}" -out "${CERTIFICATE}"

#
# We don't need our signing request anymore.
#
rm -f "${CSR}"

echo "#"
echo "#"
echo "# All done!  Here are your files:"
echo "# Private key: ${KEY}"
echo "# Certificate: ${CERTIFICATE}"
echo "#"
echo "#"

I posted it here to share it with others. Enjoy the script! It can also be found on GitHub under my Unix-Utils repository.
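
As an added example (not part of the original script or the Unix-Utils repository), these shell functions check the two files the script writes: that the key is unencrypted, that it matches the certificate, that the certificate is self-signed and not about to expire, and that the key is private to its owner. The names check_pair and pubkey_hash, the 30-day default and the return codes are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): check the files the script
# above writes. check_pair and pubkey_hash are hypothetical helper names.

# Hash the public key embedded in a certificate (*.crt) or a private key.
pubkey_hash() {
	case "$1" in
		*.crt) openssl x509 -in "$1" -noout -pubkey ;;
		*)     openssl pkey -in "$1" -pubout -passin pass: ;;
	esac 2>/dev/null | openssl sha256
}

# Usage: check_pair basename [min_days_left]
# Returns 0 if everything checks out, otherwise a code naming the failure.
check_pair() {
	key="$1.key"; crt="$1.crt"; days="${2:-30}"

	# 2: the key must load with an empty passphrase, i.e. the script's
	#    passphrase-removal step really ran.
	openssl pkey -in "$key" -noout -passin pass: 2>/dev/null ||
		{ echo "FAIL: $key is missing, malformed or still encrypted"; return 2; }

	# 3: certificate and key must carry the same public key.
	[ "$(pubkey_hash "$crt")" = "$(pubkey_hash "$key")" ] ||
		{ echo "FAIL: $crt was not issued for $key"; return 3; }

	# 4: self-signed means it verifies with itself as the only trust anchor.
	openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
		{ echo "FAIL: $crt is not self-signed"; return 4; }

	# 5: the script issues for 365 days; flag certificates close to expiry.
	openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null ||
		{ echo "FAIL: $crt expires within $days days"; return 5; }

	# 6: the unencrypted key must not be readable by group or others.
	[ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
		{ echo "FAIL: $key is group/world accessible; chmod 600 it"; return 6; }

	echo "OK: $key and $crt match, self-signed, valid for $days+ days"
}
```

Source the file and run `check_pair mysite` in the directory holding mysite.key and mysite.crt; a non-zero return code identifies the first check that failed.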

On a related note, a colleague recently pointed me to the website SSLs.com, which sells SSL certificates stupidly cheap. Anyone have any experience with them? Are they worth it? Let me know in the comments below, or reach out to me if you prefer.

[January 29th, 2014 Edit: Replaced the URL "CheapSSLs.com" with just "SSLs.com", as the former acquired the latter domain.]
