- Generate a "Certificate Signing Request" and a key
- Send the CSR to your Certificate Authority for signing
- Wait for the signed Certificate to come back from the CA
- Put the key and the Certificate where your web, email, or other server can find them

I always have to look up the right openssl(1) command line arguments.

This year, I decided to make a script. This script takes an optional argument, the host for which you're making the certificate. I suggest generating the Certificate on the target host, but if you feel bold you can make a CSR for any host you want.
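
```sh
#!/bin/sh
#
#############################
#
# Shell script to automate making
# Certificate Signing Requests (CSR)
# with openssl
#
# tested on v 0.9.8e
# Loren Heal
#
#############################

# Echo a command, then run it.
echodo() {
    echo "$@"
    "$@"
}

# Date stamp (YYYYMMDD) used in the output file names.
yearmon() {
    date '+%Y%m%d'
}

# Resolve a host to its fully qualified name; fall back to the name as given.
fqdn() {
    (nslookup "${1}" 2>&1 || echo "Name: ${1}") \
        | tail -3 | grep Name | sed -e 's,.*e:[[:space:]]*,,'
}

C=Your_Country_Abbreviation
ST=Your_State_Spelled_Out
L=Your_City
O="Your Company or Whatever"
OU="Your Office or Department or Whatever"
HOST=${1:-$(hostname)}
DATE=$(yearmon)
CN=$(fqdn "$HOST")
csr="${HOST}-${DATE}-csr.pem"
key="${HOST}-${DATE}-key.pem"

# -nodes writes the private key unencrypted, so make it readable by owner only.
umask 077

# The here-document answers openssl's prompts in the stock openssl.cnf order:
# country, state, locality, organization, unit, common name, email, then "."
# twice to leave the optional challenge password and company name empty.
# The key is 2048 bits: public CAs no longer accept 1024-bit RSA keys.
openssl req -new -newkey rsa:2048 -keyout "$key" \
    -nodes -out "$csr" <<EOF
${C}
${ST}
${L}
${O}
${OU}
${CN}
$USER@${CN}
.
.
EOF
echo ""
# Show the finished request so the subject can be checked before sending it.
[ -f "${csr}" ] && echodo openssl req -text -noout -in "${csr}"
echo ""
```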
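
Before the last step in the list at the top (installing the key and the signed Certificate), it is worth confirming that the key, the CSR and the certificate the CA returned all carry the same public key. The following is an added example, not part of the original script: `pub_digest`, `same_pubkey` and `make_sample` are hypothetical helper names, and the self-signed certificate made by `make_sample` is a constructed stand-in for a CA-signed one.

```shell
#!/bin/sh
# Added example (not from the original script): before installing what the CA
# sends back, confirm key, CSR and certificate all carry the same public key.

# Print a SHA-256 digest of the public key inside a key, CSR or certificate.
pub_digest() {  # usage: pub_digest key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# Return 0 only if KEY, CSR and CERT agree; 1 on mismatch; 2 if unreadable.
same_pubkey() {  # usage: same_pubkey KEY CSR CERT
    k=$(pub_digest key  "$1") || { echo "cannot read key $1" >&2; return 2; }
    r=$(pub_digest csr  "$2") || { echo "cannot read CSR $2" >&2; return 2; }
    c=$(pub_digest cert "$3") || { echo "cannot read certificate $3" >&2; return 2; }
    [ "$k" = "$r" ] || { echo "CSR was not made from this key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key" >&2; return 1; }
    echo "key, CSR and certificate match"
}

# Constructed sample input: a throwaway key and CSR for a made-up host name,
# plus a self-signed certificate standing in for the one a CA would return.
make_sample() {  # usage: make_sample DIR NAME  (hypothetical helper)
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2.example.test" \
          -keyout "$1/$2-key.pem" -out "$1/$2-csr.pem" 2>/dev/null &&
      openssl x509 -req -days 1 -in "$1/$2-csr.pem" \
          -signkey "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null )
}

# With three arguments, check real files: KEY CSR CERT.
if [ $# -eq 3 ]; then
    same_pubkey "$@"
fi
```

Saved to a file, it takes the key, the CSR and the returned certificate as its three arguments; a non-zero exit status means the files should not be installed together.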