nodejs-self-signed-certific.../make-root-ca-and-certificat...

#!/bin/bash
FQDN=$1

# make directories to work from
mkdir -p certs/{server,client,ca,tmp}

# Create your very own Root Certificate Authority
openssl genrsa \
  -out certs/ca/my-root-ca.key.pem \
  2048

# Self-sign your Root Certificate Authority
# Since this is private, the details can be as bogus as you like
openssl req \
  -x509 \
  -new \
  -nodes \
  -key certs/ca/my-root-ca.key.pem \
  -days 1024 \
  -out certs/ca/my-root-ca.crt.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

# Create a Device Certificate for each domain,
# such as example.com, *.example.com, awesome.example.com
# NOTE: You MUST match CN to the domain name or ip address you want to use
openssl genrsa \
  -out certs/server/privkey.pem \
  2048

# Create a request from your Device, which your Root CA will sign
openssl req -new \
  -key certs/server/privkey.pem \
  -out certs/tmp/csr.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

# Sign the request from Device with your Root CA
# -CAserial certs/ca/my-root-ca.srl
openssl x509 \
  -req -in certs/tmp/csr.pem \
  -CA certs/ca/my-root-ca.crt.pem \
  -CAkey certs/ca/my-root-ca.key.pem \
  -CAcreateserial \
  -out certs/server/cert.pem \
  -days 500

# Create a public key, for funzies
# see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
openssl rsa \
  -in certs/server/privkey.pem \
  -pubout -out certs/client/pubkey.pem

# Put things in their proper place
rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`#!/bin/bash`
			`FQDN=$1`

			`# make directories to work from`
move keys and certs to ./certs and update paths 2014-07-16 04:54:02 +00:00			`mkdir -p certs/{server,client,ca,tmp}`
working example with self-signed certificates 2014-07-15 03:20:49 +00:00
			`# Create your very own Root Certificate Authority`
			`openssl genrsa \`
move keys and certs to ./certs and update paths 2014-07-16 04:54:02 +00:00			`-out certs/ca/my-root-ca.key.pem \`
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`2048`

			`# Self-sign your Root Certificate Authority`
			`# Since this is private, the details can be as bogus as you like`
			`openssl req \`
			`-x509 \`
			`-new \`
			`-nodes \`
move keys and certs to ./certs and update paths 2014-07-16 04:54:02 +00:00			`-key certs/ca/my-root-ca.key.pem \`
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`-days 1024 \`
move keys and certs to ./certs and update paths 2014-07-16 04:54:02 +00:00			`-out certs/ca/my-root-ca.crt.pem \`
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`-subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"`

			`# Create a Device Certificate for each domain,`
			`# such as example.com, *.example.com, awesome.example.com`
			`# NOTE: You MUST match CN to the domain name or ip address you want to use`
			`openssl genrsa \`
use letsencrypt naming convention 2016-06-27 23:59:37 +00:00			`-out certs/server/privkey.pem \`
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`2048`

			`# Create a request from your Device, which your Root CA will sign`
			`openssl req -new \`
use letsencrypt naming convention 2016-06-27 23:59:37 +00:00			`-key certs/server/privkey.pem \`
			`-out certs/tmp/csr.pem \`
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`-subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"`

			`# Sign the request from Device with your Root CA`
move keys and certs to ./certs and update paths 2014-07-16 04:54:02 +00:00			`# -CAserial certs/ca/my-root-ca.srl`
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`openssl x509 \`
use letsencrypt naming convention 2016-06-27 23:59:37 +00:00			`-req -in certs/tmp/csr.pem \`
move keys and certs to ./certs and update paths 2014-07-16 04:54:02 +00:00			`-CA certs/ca/my-root-ca.crt.pem \`
			`-CAkey certs/ca/my-root-ca.key.pem \`
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`-CAcreateserial \`
use letsencrypt naming convention 2016-06-27 23:59:37 +00:00			`-out certs/server/cert.pem \`
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`-days 500`

move keys and certs to ./certs and update paths 2014-07-16 04:54:02 +00:00			`# Create a public key, for funzies`
clarify 'funzies' 2014-09-23 20:49:55 +00:00			`# see https://gist.github.com/coolaj86/f6f36efce2821dfb046d`
move keys and certs to ./certs and update paths 2014-07-16 04:54:02 +00:00			`openssl rsa \`
use letsencrypt naming convention 2016-06-27 23:59:37 +00:00			`-in certs/server/privkey.pem \`
			`-pubout -out certs/client/pubkey.pem`
move keys and certs to ./certs and update paths 2014-07-16 04:54:02 +00:00
working example with self-signed certificates 2014-07-15 03:20:49 +00:00			`# Put things in their proper place`
use letsencrypt naming convention 2016-06-27 23:59:37 +00:00			`rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem`
			`rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem`