Openssl has always been a great tool for creating SSL/TLS PKI keys and certs, but I’ve not ever really had a one-liner for it… at least, not until today, messing with some automation for ChatOps and Let’s Encrypt. This could be easily adapted to create self-signed certs if desired…
One prerequisite: either edit openssl.cnf so that every subject field except the hostname has a default, or edit the script below and put those values into the \n\n\n string that is piped into openssl (each \n answers one prompt: country, state, locality, organization, OU, then the CN, then email, challenge password and optional company name). Also set the key passphrase and any other items in the CONFIGURE section (the defaults are for a RHEL/CentOS environment).
#!/bin/bash
#
# autogen hostname [san hostname2] [san hostname3] etc
#
# With more than one hostname, a Subject Alternate Name cert request is created.
# CSR and KEY are put in the /etc/pki/CA/certs/auto/ directory.
#
# Assumes openssl.cnf is set up with all defaults except CN
#
# 4/3/2016, nwg

### CONFIGURE
cert_pwd=''
cert_dir="/etc/pki/CA/certs/auto"
openssl="/usr/bin/openssl"
openssl_cnf="/etc/pki/tls/openssl.cnf"
### END CONFIGURE

hostname=$1
if [ "$hostname" == "" ]; then
    echo "Syntax: autogen hostname [san hostname2] [san hostname3] etc"
    exit 1
fi

keyfile="$cert_dir/${hostname}-key"
csrfile="$cert_dir/${hostname}-csr"

if [ -r "$keyfile" ]; then
    echo "$keyfile already exists - either (re)move it or choose another hostname"
    exit 1
fi

# The printf answers the interactive subject prompts: five empty lines accept the
# openssl.cnf defaults for C/ST/L/O/OU, then the CN, then empty email, challenge
# password and optional company name.
if [ "$2" == '' ]; then
    # no san
    printf '\n\n\n\n\n%s\n\n\n\n' "$hostname" | "$openssl" req -newkey rsa:2048 -sha256 \
        -keyout "$keyfile" -out "$csrfile" -passout "pass:$cert_pwd" > /dev/null 2>&1
else
    # san: every hostname given on the command line (the CN included) becomes a DNS entry
    sanstring=''
    for i in "$@"; do
        if [ "$sanstring" = "" ]; then
            sanstring="subjectAltName=DNS:$i"
        else
            sanstring="$sanstring,DNS:$i"
        fi
    done
    #echo "$sanstring"
    # Append a [SAN] section to a copy of openssl.cnf via process substitution
    # and ask for it with -reqexts, so the system config stays untouched.
    printf '\n\n\n\n\n%s\n\n\n\n' "$hostname" | "$openssl" req -newkey rsa:2048 -sha256 \
        -keyout "$keyfile" -out "$csrfile" -passout "pass:$cert_pwd" \
        -reqexts SAN -config <(cat "$openssl_cnf" <(printf '[SAN]\n%s\n' "$sanstring")) > /dev/null 2>&1
fi

chmod 400 "$keyfile"
ls -l "$csrfile" "$keyfile"
echo " "
cat "$csrfile"
exit
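The script above discards openssl's output, so a CSR that silently came out without the SAN extension (or a key that was not encrypted) would only be noticed at the CA. As an added example that is not part of the original post, the functions below build the same kind of SAN request from a self-contained config (no dependence on the system openssl.cnf) and then read the CN, the DNS names and the key's encryption status back out of the files so they can be checked before submission. It assumes an openssl binary on PATH; the directory, passphrase and hostnames are supplied by the caller.

```bash
#!/bin/bash
# Added example (not the page's script): generate a SAN CSR from a minimal,
# self-contained config and verify what actually ended up in the request.
set -eu

# gen_csr DIR PASSPHRASE HOSTNAME [HOSTNAME...]
# First hostname becomes the CN; every hostname becomes a DNS SAN entry.
# Writes DIR/<cn>-key (passphrase-protected) and DIR/<cn>-csr.
gen_csr() {
    local dir=$1 pw=$2; shift 2
    local cn=$1 san="" h
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    # prompt = no makes req read the subject from [dn] instead of asking,
    # so no \n string has to be piped in and no system defaults are involved.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[SAN]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -sha256 \
        -keyout "$dir/$cn-key" -out "$dir/$cn-csr" \
        -passout "pass:$pw" -config "$dir/req.cnf" -reqexts SAN >/dev/null 2>&1
    chmod 400 "$dir/$cn-key"
}

# csr_cn FILE : print the CN from the CSR subject (old and new subject formats).
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_sans FILE : print the DNS names in the CSR's subjectAltName, one per line.
# Prints nothing if the extension is missing, which is exactly the failure to catch.
csr_sans() {
    openssl req -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# key_encrypted FILE : succeed only if the private key PEM is passphrase-protected
# (traditional "Proc-Type: 4,ENCRYPTED" or PKCS#8 "ENCRYPTED PRIVATE KEY").
key_encrypted() { grep -q 'ENCRYPTED' "$1"; }
```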
An example run:
root:/etc/pki/CA # ./autogen guyton.net www.guyton.net
-rw-r--r-- 1 root root 1212 Apr 3 16:55 /etc/pki/CA/certs/auto/guyton.net-csr
-r-------- 1 root root 1751 Apr 3 16:55 /etc/pki/CA/certs/auto/guyton.net-key

-----BEGIN CERTIFICATE REQUEST-----
(base64 body of the CSR omitted)
-----END CERTIFICATE REQUEST-----