{"id":5612,"date":"2019-09-25T20:55:53","date_gmt":"2019-09-26T01:55:53","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=5612"},"modified":"2019-09-26T14:03:51","modified_gmt":"2019-09-26T19:03:51","slug":"certificate-generation-script","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=5612","title":{"rendered":"Certificate Generation Script"},"content":{"rendered":"<p>I finally put together a script that gathers some basic information (hostname &amp; SANs) and creates a certificate signed by my CA. I&#8217;ve got a base myssl.cnf file that ends with<\/p>\n<pre>[ req_ext ]\r\nsubjectAltName = @alt_names\r\n\r\n[ alt_names ]<\/pre>\n<p>The script copies that file into a per-host directory and appends the DNS.n entries under [ alt_names ]: the fully qualified name, the short hostname and any extra SANs typed at the prompt. The same req_ext section is used twice, with -reqexts so the names go into the CSR and again with -extfile when the CA signs it, because openssl x509 -req does not carry the CSR&#8217;s extensions into the certificate.<\/p>\n<pre>#!\/bin\/bash\r\n\r\nRED_DARK='\\033[38;5;196m'\r\nGREEN_DARK='\\033[38;5;35m'\r\nBLUE_DARK='\\033[38;5;57m'\r\nNC='\\033[0m' # Reset\r\n\r\n# Prompt for host, domain and extra SANs, confirm, then build the key, CSR, certificate and PFX\r\nfunction getInput {\r\n        echo -e \"${BLUE_DARK}Please input the short hostname you wish to use (e.g. server123):${NC}\"\r\n        read -r HOST\r\n\r\n        echo -e \"${BLUE_DARK}Please input the domain name you wish to use with this hostname (e.g. rushworth.us):${NC}\"\r\n        read -r DOMAIN\r\n\r\n        echo -e \"${GREEN_DARK}Please enter any SAN values for this certificate, separated by spaces (must be fully qualified):${NC}\"\r\n        read -r SANS\r\n\r\n        FQHOST=\"${HOST}.${DOMAIN}\"\r\n\r\n        echo -e \"Short hostname: $HOST\"\r\n        echo -e \"Fully qualified hostname: $FQHOST\"\r\n        echo -e \"SAN: $SANS\"\r\n\r\n        echo -e \"${RED_DARK}Is this correct? 
(Y\/N):${NC}\"\r\n        read -r boolCorrect\r\n\r\n        if [ \"$boolCorrect\" == 'Y' ] || [ \"$boolCorrect\" == 'y' ]\r\n        then\r\n                # One directory per host; stop rather than append SANs to a config left by an earlier run\r\n                mkdir \"$HOST\" || exit 1\r\n                cp myssl.cnf \".\/$HOST\/myssl.cnf\"\r\n\r\n                cd \".\/$HOST\" || exit 1\r\n\r\n                echo \"The following SANs will be used on this certificate: \"\r\n                echo \"DNS.1 = ${FQHOST}\"\r\n                echo \"DNS.1 = ${FQHOST}\" &gt;&gt; .\/myssl.cnf\r\n                echo \"DNS.2 = ${HOST}\"\r\n                echo \"DNS.2 = ${HOST}\" &gt;&gt; .\/myssl.cnf\r\n\r\n                if [ -n \"$SANS\" ]\r\n                then\r\n                        SANARRAY=( $SANS )\r\n                        iSANCounter=2\r\n                        for SANITEM in \"${SANARRAY[@]}\" ; do\r\n                                let iSANCounter=iSANCounter+1\r\n                                echo \"DNS.${iSANCounter} = ${SANITEM}\"\r\n                                echo \"DNS.${iSANCounter} = ${SANITEM}\" &gt;&gt; .\/myssl.cnf\r\n                        done\r\n                fi\r\n                # Placeholder passphrases, replace before use. They are handed to openssl via env: so they never appear on a command line\r\n                export strCertKeyPassword=Wh1t2v2rP144w9rd\r\n                export strPFXPassword=123abc456\r\n                # AES-256 encrypted private key\r\n                openssl genrsa -passout env:strCertKeyPassword -aes256 -out \"$FQHOST.passwd.key\" 2048\r\n                # CSR carrying the SANs from req_ext\r\n                openssl req -new -key \"$FQHOST.passwd.key\" -passin env:strCertKeyPassword -config .\/myssl.cnf -reqexts req_ext -out \"$FQHOST.csr\" -subj \"\/C=US\/ST=Ohio\/L=Cleveland\/O=Rushworth\/OU=Home\/CN=$FQHOST\"\r\n                # Sign with the CA. req_ext is given again because x509 -req does not copy extensions from the CSR.\r\n                # -passin here unlocks the CA key, so it only helps if the CA key uses the same passphrase (or none).\r\n                # -CAcreateserial creates \/ca\/ca.srl on the first run instead of failing on the missing serial file\r\n                openssl x509 -req -in \"$FQHOST.csr\" -passin env:strCertKeyPassword -extensions req_ext -extfile .\/myssl.cnf -out \"$FQHOST.cer\" -days 365 -CA \/ca\/ca.cer -CAkey \/ca\/ca.key -CAcreateserial -sha256\r\n                # Unencrypted copy of the key; use env: here too, a pass: argument would expose the passphrase in the process list\r\n                openssl rsa -in \"$FQHOST.passwd.key\" -out \"$FQHOST.key\" -passin env:strCertKeyPassword\r\n                # PFX bundle for the Windows servers\r\n                openssl pkcs12 -export -out \"$FQHOST.pfx\" -inkey \"$FQHOST.key\" -in \"$FQHOST.cer\" -passout 
env:strPFXPassword\r\n\r\n        else\r\n                getInput\r\n        fi\r\n}\r\n\r\ngetInput<\/pre>\n<p>The script leaves two copies of the private key: $FQHOST.passwd.key, encrypted with AES-256 under strCertKeyPassword, and $FQHOST.key, unencrypted for services that cannot prompt for a passphrase at startup. Because some of my servers are Windows (Exchange and Active Directory), the unencrypted key and the certificate are also bundled into a PFX file protected by strPFXPassword. Both exported passwords are placeholders to replace before use; they are passed to openssl through env: rather than on the command line so they do not show up in the process list.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I finally put together a script that gathers some basic information (hostname &amp; SANs) and creates a certificate signed by my CA. I&#8217;ve got a base myssl.cnf file that ends with [ req_ext ] subjectAltName = @alt_names [ alt_names ] The script appends all of the alternate names to the myssl.cnf file. #!\/bin\/bash RED_DARK=&#8217;\\033[38;5;196m&#8217; GREEN_DARK=&#8217;\\033[38;5;35m&#8217; &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[823,234],"class_list":["post-5612","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-certificate","tag-openssl"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5612","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5612"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5612\/revisions"}],"predecessor-version":[{"id":5613,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5612\/revisions\/5613"}],"wp:atta
chment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5612"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5612"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
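The flow the post's script walks through interactively (a myssl.cnf with a [req_ext]/[alt_names] block, a key, a CSR carrying the SANs, and a certificate signed by a private CA), as an added example that is not the post's code and not the author's script. It is non-interactive, and it adds the two checks a practitioner would run before deploying: that the certificate actually chains to the CA, and that every expected name is present as an exact DNS SAN. Everything it depends on is an assumption made for the demo: a throwaway CA built in a scratch directory stands in for /ca/ca.cer and /ca/ca.key, the hostnames under example.test are made up, the server key is left unencrypted, and OpenSSL 1.1.1 or later is required (for x509 -ext).

```shell
#!/bin/bash
# Added example, not the post's script: the same openssl flow (a config with a
# [req_ext]/[alt_names] block, key, CSR, CA-signed certificate) made
# non-interactive, plus the checks the post leaves out. It builds a throwaway
# CA in a scratch directory instead of using /ca/ca.cer and /ca/ca.key, and
# the hostnames under example.test are made up. Needs OpenSSL 1.1.1 or later.
set -e

# make_ca DIR NAME: throwaway CA for the demo (assumption; use your real CA).
# It carries its own config so nothing depends on the system openssl.cnf.
make_ca() {
    mkdir -p "$1"
    {
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\n\n'
        printf '[ dn ]\nCN = %s\n\n' "$2"
        printf '[ ca_ext ]\nbasicConstraints = critical, CA:TRUE\n'
        printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
    } > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/ca.cnf" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.cer" >/dev/null 2>&1
}

# write_req_config OUT FQHOST [SAN...]: the myssl.cnf the post builds by
# appending DNS.n lines, written in one pass: DNS.1 is the FQDN, DNS.2 the
# short hostname, DNS.3 onward the extra SANs, matching the post's order.
write_req_config() {
    local out="$1" fqhost="$2" n=0 name
    shift 2
    {
        printf '[ req ]\ndistinguished_name = req_dn\nprompt = no\n\n'
        printf '[ req_dn ]\nCN = %s\n\n' "$fqhost"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n\n[ alt_names ]\n'
        for name in "$fqhost" "${fqhost%%.*}" "$@"; do
            n=$((n + 1))
            printf 'DNS.%d = %s\n' "$n" "$name"
        done
    } > "$out"
}

# issue_cert CADIR OUTDIR FQHOST [SAN...]: key, CSR and CA-signed certificate.
# The key is left unencrypted to keep the demo non-interactive (the post also
# keeps an AES-256 encrypted copy). -CAcreateserial avoids the failure on a
# CA whose serial file does not exist yet.
issue_cert() {
    local cadir="$1" outdir="$2" fqhost="$3"
    shift 3
    mkdir -p "$outdir"
    write_req_config "$outdir/myssl.cnf" "$fqhost" "$@"
    openssl genrsa -out "$outdir/$fqhost.key" 2048 2>/dev/null
    # -reqexts puts the SANs into the CSR, which is what a third-party CA sees...
    openssl req -new -key "$outdir/$fqhost.key" -config "$outdir/myssl.cnf" \
        -reqexts req_ext -out "$outdir/$fqhost.csr"
    # ...but x509 -req does not copy CSR extensions into the certificate, so the
    # same section is supplied again at signing time; without it there are no SANs.
    openssl x509 -req -in "$outdir/$fqhost.csr" -days 365 -sha256 \
        -CA "$cadir/ca.cer" -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$outdir/myssl.cnf" -extensions req_ext \
        -out "$outdir/$fqhost.cer" 2>/dev/null
}

# verify_cert CADIR CERT NAME...: the checks worth running before deploying.
# The certificate must chain to the CA and every NAME must be present as an
# exact DNS SAN (substring matches would let "server123" pass on the FQDN
# alone). Prints the SAN list on success, returns 1 on the first failure.
verify_cert() {
    local cadir="$1" cert="$2" have name
    shift 2
    openssl verify -CAfile "$cadir/ca.cer" "$cert" >/dev/null 2>&1 \
        || { echo "chain check failed: $cert" >&2; return 1; }
    have=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^, ]*' || true)
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qx "DNS:$name" \
            || { echo "SAN missing: $name" >&2; return 1; }
    done
    printf '%s\n' "$have" | paste -s -d ' ' -
}

# demo: end-to-end run in a scratch directory. Returns 0 only if the issued
# certificate passes both checks against its own CA and is rejected against an
# unrelated CA; prints the SAN list of the issued certificate.
demo() {
    local work rc=0
    work=$(mktemp -d)
    make_ca "$work/ca" "Home CA (demo)"
    make_ca "$work/other" "Other CA (demo)"
    issue_cert "$work/ca" "$work/server123" server123.example.test alias.example.test
    verify_cert "$work/ca" "$work/server123/server123.example.test.cer" \
        server123.example.test server123 alias.example.test || rc=1
    if verify_cert "$work/other" "$work/server123/server123.example.test.cer" \
        server123.example.test >/dev/null 2>&1; then rc=1; fi
    rm -rf "$work"
    return "$rc"
}

demo && echo "all checks passed"
```

The negative case in demo is the one that matters operationally: a certificate that looks fine in openssl x509 -text can still have been signed with the wrong CA key, and only openssl verify against the CA you actually distribute will catch that.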