- 28 Mar 2023
- 2 Minutes to read
- Print
- DarkLight
- PDF
Generate self-signed certificate
- Updated on 28 Mar 2023
- 2 Minutes to read
- Print
- DarkLight
- PDF
You can use the following bash script to generate a root CA and a server certificate signed by that root CA. Copy and name the script as per your convenience, for example, generate-certificates.sh
.
#!/usr/bin/env bash
# Adapted from https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
rootCAKey=root_ca.key
rootCACrt=root_ca.crt
domainKey=domain.key
domainCrs=domain.crs
domainCrt=domain.crt
rm $rootCAKey
rm $rootCACrt
rm $domainKey
rm $domainCrs
rm $domainCrt
# {{- $altNames := list ( printf "agent.%s" .Release.Namespace ) ( printf "agent.%s.svc" .Release.Namespace ) -}}
# {{- $ca := genCA (printf "%s-ca" .Chart.Name) 3650 -}}
# {{- $cert := genSignedCert .Chart.Name nil $altNames 3650 $ca -}}
# 1. Generate the root CA key
openssl genrsa -out $rootCAKey 4096
# 2. Generate the self-signed root CA. Valid for 5years(1825 days)
# -subj "/emailAddress=tim@traceable.ai/C=US/ST=California/L=San Francisco/O=Traceable AI, Inc./OU=Engineering/CN=agent.traceableai" \
openssl req -x509 -new -nodes -sha256 -key $rootCAKey -days 1825 \
-subj "/CN=traceable-agent-ca" \
-out $rootCACrt
# 3. Generate the Certificate key
openssl genrsa -out $domainKey 4096
# 4. Generate the Certificate Request. Valid for 5years(1825 days)
#
#
# -subj "/emailAddress=tim@traceable.ai/C=US/ST=California/L=San Francisco/O=Traceable AI, Inc./OU=Engineering/CN=agent.traceableai" \
# a printf with more alternative names
# <(printf "\n[SAN]\nsubjectAltName=DNS.1:agent.traceableai,DNS.2:agent.traceableai.svc,DNS.3:localhost,DNS.4:0.0.0.0,DNS.5:host.docker.internal,DNS.6:127.0.0.1")) \
openssl req -new -sha256 -key $domainKey \
-subj "/CN=traceable-agent" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS.1:agent.traceableai,DNS.2:agent.traceableai.svc")) \
-out $domainCrs
# 4b. Quick verify
openssl req -in $domainCrs -noout -text
# There is a bug in x509 command which does not allow the subjectAltName to be copied over from the crs. So we use the
# -extfile cmd line option. See https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309#gistcomment-3034183
#
# -extfile <(printf "subjectAltName=DNS.1:agent.traceableai,DNS.2:agent.traceableai.svc,DNS.3:localhost,DNS.4:0.0.0.0,DNS.5:host.docker.internal,DNS.6:127.0.0.1")
# 5. Generate the Certificate using the root CA
openssl x509 -req -in $domainCrs -CA $rootCACrt -CAkey $rootCAKey -CAcreateserial -days 1825 -sha256 -out $domainCrt \
-extfile <(printf "subjectAltName=DNS.1:agent.traceableai,DNS.2:agent.traceableai.svc")
# 5b. Quick verify
openssl x509 -in $domainCrt -text -noout
To execute the script, you can simply run the following command in the terminal:
bash <path-to-script-file>
Replace <path-to-script-file>
with the actual path to the script file. For example, if the script file is in the current working directory, you can run the script with the following command:
bash generate-certificates.sh
Script explanation
This script is a Bash script that generates SSL/TLS certificates for a domain and a root CA. The script first removes any existing certificate and key files for the root CA and domain.
Then, it uses the openssl
command to perform the following steps:
- Generate a root CA key
- Generate a self-signed root CA certificate that is valid for 5 years (1825 days)
- Generate a domain key
- Generate a certificate request for the domain, specifying the Common Name (CN) as
traceable-agent
. The certificate request includes a Subject Alternative Name (SAN) extension that lists alternative domain names that the certificate is valid for, such asagent.traceableai
andagent.traceableai.svc
. - Generate a certificate for the domain using the root CA. This step involves signing the domain certificate request with the root CA and specifying the same SAN extension.
The script also includes some additional steps to verify the generated certificates.
Note that some options used in the openssl
commands are specific to the use case or domain name being used and may need to be modified for different situations.