Skip to content

bash script for openssl req utility to make certificate signing requests with subject alternative names

Notifications You must be signed in to change notification settings

jpuck/openssl.csr.bash

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 

Repository files navigation

openssl.csr.bash

bash script to use openssl req utility to make a certificate signing request with subject fields

install openssl

ubuntu

sudo apt-get install openssl

red hat

sudo yum install openssl

usage

change the variables at the top of openssl.csr.bash to match your needs: site_name, email_address, organization, etc.

execute the script

./openssl.csr.bash

inspect certificate signing request

openssl req -noout -text -in example.com.csr

inspect signed certificate

openssl x509 -noout -text -in example.com.crt

inspect complete certificate chain

openssl crl2pkcs7 -nocrl -certfile example.com.pem | openssl pkcs7 -print_certs -text -noout

credit

This starts with the client certificate and links back through intermediate certificates until a trusted certificate authority is identified.

per IETF's RFC 5246 Section 7.4.2:

The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it.

It's unnecessary to end with the root certificate because it's already trusted.

converting formats (.crt/.pem/.cer & .key) to .pfx

Microsoft's IIS uses the pfx format, so you will need to convert it

openssl pkcs12 -export -out example.com.pfx -inkey example.com.key -in example.com.crt

verify server installation

openssl s_client -showcerts -servername example.com -connect example.com:443

DIY

here is an end-to-end guide for creating a root certificate authority, intermediate CA, certificate signing requests, and certs

SAN (subject alternative names) certificates

  • sometimes you want one certificate to use with multiple sub-domain names, such as www.example.com, test.example.com, and another.example.com, but you don't want to be so permissive as to issue a wildcard certificate *.example.com
  • sometimes your alias domains are not sub-domains, such as example.com and example.org

this script is written to properly generate SAN certificates, but if you're interested, then here is a guide for creating the configuration file used to generate the CSR.

as an addendum to the end-to-end guide, you will need to modify your intermediate CA configuration by adding copy_extensions = copy to the [CA_default] section

caution: this will allow a vulnerability for other people to sneak in unauthorized domains in their certificate signing request. if you are signing requests for other people, then make sure that you review the request before signing it

openssl req -text -noout -verify -in example.com.csr

credits

Thanks to Jeff Walton for helping me figure out which default configuration file to use.

About

bash script for openssl req utility to make certificate signing requests with subject alternative names

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages