Script to generate PKI keys and CSRs

OpenSSL has always been a great tool for creating SSL/TLS PKI keys and certs, but I’ve never really had a one-liner for it… at least not until today, while messing with some automation for ChatOps and Let’s Encrypt. This could easily be adapted to create self-signed certs if desired…

One prerequisite: you need either to edit openssl.cnf and set defaults for every field except the hostname (the CN), or to edit the script below and put your answers into the \n\n\n string that is piped to openssl req. Also set the key passphrase and any other items in the CONFIGURE section (the defaults are for a RHEL/CentOS environment).

#!/bin/bash
#
# autogen hostname [san hostname2] [san hostname3] etc
#
# With more than one hostname, a Subject Alternative Name cert request is created.
# CSR and KEY are put in the /etc/pki/CA/certs/auto/ directory.
#
# Assumes openssl.cnf is set up with all defaults except CN.
#
# 4/3/2016, nwg

### CONFIGURE
cert_pwd=''                              # passphrase for the private key - set this
cert_dir="/etc/pki/CA/certs/auto"
openssl="/usr/bin/openssl"
openssl_cnf="/etc/pki/tls/openssl.cnf"
### END CONFIGURE

hostname=$1
if [ -z "$hostname" ]; then
    echo "Syntax: autogen hostname [san hostname2] [san hostname3] etc"
    exit 1
fi

if [ -z "$cert_pwd" ]; then
    echo "cert_pwd is empty - set the key passphrase in the CONFIGURE section"
    exit 1
fi

keyfile="$cert_dir/${hostname}-key"
csrfile="$cert_dir/${hostname}-csr"

if [ -r "$keyfile" ]; then
    echo "$keyfile already exists - either (re)move it or choose another hostname"
    exit 1
fi

# The printf feeds the interactive prompts of "openssl req": every field is
# left at its openssl.cnf default except the Common Name, which is the hostname.
if [ -z "$2" ]; then
    # no san
    printf "\n\n\n\n\n%s\n\n\n\n" "$hostname" | $openssl req -newkey rsa:2048 -sha256 -keyout "$keyfile" -out "$csrfile" -passout "pass:$cert_pwd" > /dev/null 2>&1 \
        || { echo "openssl req failed for $hostname"; exit 1; }
else
    # san: every hostname given, the CN included, goes into the SAN list
    sanstring=''

    for i in "$@"; do
        if [ -z "$sanstring" ]; then
            sanstring="subjectAltName=DNS:$i"
        else
            sanstring="$sanstring,DNS:$i"
        fi
    done
    #echo "$sanstring"

    # The SAN section is appended to a copy of openssl.cnf via process
    # substitution and selected with -reqexts, so openssl.cnf itself is untouched.
    printf "\n\n\n\n\n%s\n\n\n\n" "$hostname" | $openssl req -newkey rsa:2048 -sha256 -keyout "$keyfile" -out "$csrfile" -passout "pass:$cert_pwd" -reqexts SAN -config <(cat "$openssl_cnf" <(printf "[SAN]\n%s\n" "$sanstring")) > /dev/null 2>&1 \
        || { echo "openssl req failed for $hostname"; exit 1; }

fi

chmod 400 "$keyfile"
ls -l "$csrfile" "$keyfile"
echo " "
cat "$csrfile"

exit 0

An example run:

root:/etc/pki/CA #./autogen guyton.net www.guyton.net
-rw-r--r-- 1 root root 1212 Apr  3 16:55 /etc/pki/CA/certs/auto/guyton.net-csr
-r-------- 1 root root 1751 Apr  3 16:55 /etc/pki/CA/certs/auto/guyton.net-key
 
-----BEGIN CERTIFICATE REQUEST-----
[CSR body omitted]
-----END CERTIFICATE REQUEST-----
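To close the loop after a run, here is an added check script (not part of the original post or of the autogen script above) that confirms the CSR actually carries the requested SAN entries and a valid self-signature, and that the key came out encrypted and readable by its owner only. It assumes openssl is in PATH and that you pass it the CSR path, the key path and the same hostnames you gave autogen. The build_san function mirrors the loop in autogen and additionally rejects names with characters that do not belong in a DNS name, since autogen interpolates the names straight into the openssl config fragment; the stat -c %a call is GNU coreutils, which fits the RHEL/CentOS setting of the post.

```bash
#!/bin/bash
# check-csr: confirm a CSR/key pair produced by autogen is what was asked for.
# Added example, not part of the original autogen script. Assumes openssl in PATH.
#
# Usage: check-csr CSRFILE KEYFILE hostname [hostname ...]

# Build the subjectAltName value the way autogen does, from a hostname list.
# Returns 1 on an empty list, an empty name, or a name containing characters
# that have no place in a DNS name (only letters, digits, '.', '-' and the
# wildcard '*' are accepted).
build_san() {
    local san='' name
    [ $# -gt 0 ] || return 1
    for name in "$@"; do
        case "$name" in
            ''|*[!A-Za-z0-9.*-]*) return 1 ;;
        esac
        if [ -z "$san" ]; then
            san="subjectAltName=DNS:$name"
        else
            san="$san,DNS:$name"
        fi
    done
    printf '%s\n' "$san"
}

# Print the DNS names in a CSR's SAN extension, one per line, sorted.
csr_dns_names() {
    openssl req -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | sort
}

# The CSR must verify under its own key and list exactly the requested names.
check_csr() {
    local csr=$1; shift
    local want have
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "FAIL: signature on $csr does not verify"; return 1; }
    want=$(printf '%s\n' "$@" | sort)
    have=$(csr_dns_names "$csr")
    if [ "$want" = "$have" ]; then
        echo "OK: $csr covers: $(printf '%s ' "$@")"
    else
        echo "FAIL: requested [$(printf '%s' "$want" | tr '\n' ' ')] but CSR has [$(printf '%s' "$have" | tr '\n' ' ')]"
        return 1
    fi
}

# The key must be passphrase-protected (PEM header says ENCRYPTED) and mode 400.
check_key() {
    local key=$1 mode
    grep -q 'ENCRYPTED' "$key" \
        || { echo "FAIL: $key is not passphrase-protected"; return 1; }
    mode=$(stat -c %a "$key")
    [ "$mode" = "400" ] \
        || { echo "FAIL: $key has mode $mode, expected 400"; return 1; }
    echo "OK: $key is encrypted and mode 400"
}

# Run the checks only when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 3 ]; then
    csr=$1; key=$2; shift 2
    check_csr "$csr" "$@" && check_key "$key"
fi
```

Run it against the example above as `./check-csr /etc/pki/CA/certs/auto/guyton.net-csr /etc/pki/CA/certs/auto/guyton.net-key guyton.net www.guyton.net`; the comparison is exact, so a CSR that quietly dropped or gained a name fails rather than passing on a substring match.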