Creating Self-signed X.509 SSL Certificates the Easy Way


If you're even a small-time sysadmin, chances are that you've had to create SSL certificates more than once. Creating a certificate signing request is generally easy enough--you create the .key and the .csr files, and send the .csr file off to your Certificate Authority (CA), pay them a ton of money, and they send you back your signed public key (usually a file ending in .crt).

But what if you don't want to go through all of that trouble? What if you just want to have a self-signed SSL certificate for a small project? Or for submitting to Amazon Web Services (AWS) so that you can access their API?

I wrote a script to help automate that:

#!/bin/sh
#
# This is a wrapper script for making self-signed certificates
#

#
# Make errors be fatal.
#
set -e

if test ! "$1"
then
	echo "Syntax: $0 basename"
	exit 1
fi

BASENAME=$1

#
# Our secret key
#
KEY="${BASENAME}.key"

#
# Our certificate signing request (we won't need this)
#
CSR="${BASENAME}.csr"

#
# Our self-signed certificate
#
CERTIFICATE="${BASENAME}.crt"


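#
# Don't worry about the password here: it is only a placeholder and is
# removed from the key further down.  The assumption is that only yourself
# and root will have access to this key, so every file this script writes
# is created with owner-only permissions.
#
umask 077

echo "#"
echo "#"
echo "# About to generate private key"
echo "#"
echo "#"
openssl genrsa -des3 -passout pass:12345 -out "${KEY}" 2048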


echo "#"
echo "#"
echo "# About to create certificate signing request"
echo "# For these questions, if the key is being used for AWS or anywhere BUT a public server, you can just mash the enter key." 
echo "#"
echo "#"
openssl req -new -passin pass:12345 -key "${KEY}" -out "${CSR}"

#
# This will remove the passphrase from the key
#
cp "${KEY}" "${KEY}.orig"
openssl rsa -passin pass:12345 -in "${KEY}.orig" -out "${KEY}"
rm -f "${KEY}.orig"


echo "#"
echo "#"
echo "# Creating the self-signed certificate."
echo "#"
echo "#"
openssl x509 -req -days 365 -in "${CSR}" -signkey "${KEY}" -out "${CERTIFICATE}"

#
# We don't need our signing request anymore.
#
rm -f "${CSR}"

echo "#"
echo "#"
echo "# All done!  Here are your files:"
echo "# Private key: ${KEY}"
echo "# Certificate: ${CERTIFICATE}"
echo "#"
echo "#"

I posted it here to share it with others. Enjoy the script! It can also be found on GitHub under my Unix-Utils repository.
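
The files the script writes can be sanity-checked before they are deployed. The following is an added example, not part of the original script or the author's repository: check_pair and make_sample are hypothetical helper names, and example.test is a constructed subject used only for the throwaway sample pair.

```shell
#!/bin/sh
# Added example, not the author's code. check_pair and make_sample are
# hypothetical helper names.

# check_pair KEY CRT [MIN_DAYS]: return 0 only if every check passes.
check_pair() {
	key=$1 crt=$2 min_days=${3:-30}

	# 1. The private key must not be accessible to group or others.
	case $(ls -ld "$key") in
		?[r-][w-][x-]------*) ;;
		*) echo "FAIL: $key is accessible to group/others" >&2; return 1 ;;
	esac

	# 2. The certificate must carry the public half of this private key.
	key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
	crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
	if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
		echo "FAIL: $crt does not match $key" >&2; return 1
	fi

	# 3. Self-signed means the issuer and the subject are the same name.
	subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')
	issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
	if [ "$subject" != "$issuer" ]; then
		echo "FAIL: $crt was issued by someone else: $issuer" >&2; return 1
	fi

	# 4. The certificate must stay valid for at least MIN_DAYS more days.
	if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
		echo "FAIL: $crt expires within $min_days days" >&2; return 1
	fi
	echo "OK: $key and $crt"
}

# make_sample BASENAME: constructed throwaway pair for trying the checks.
make_sample() {
	( umask 077
	  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
		-subj "/CN=example.test" -keyout "$1.key" -out "$1.crt" 2>/dev/null )
}

# Usage: sh check_pair.sh mysite.key mysite.crt
if [ "$#" -eq 2 ]; then
	check_pair "$1" "$2" 30
fi
```

Since the script issues certificates with -days 365, running the same check from a scheduled job gives an early warning before the certificate lapses.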

On a related note, once you're ready to have your key signed, you should check out Let's Encrypt. It's a new certificate authority that is free, automated, and open!

[August 8th, 2016 Edit: Updated to list Let's Encrypt instead.]
[January 29th, 2014 Edit: Replaced the URL "CheapSSLs.com" with just "SSLs.com", as the former acquired the latter domain.]
