References

• Google shell styleguid
• ShellCheck

+ CSR=/Users/kes/dev/wi-deploy/docker-images/base/prd.ca.csr
+ openssl genrsa -out /Users/kes/dev/wi-deploy/docker-images/base/prd.ca.key 2048
+ openssl req -new -nodes -sha256 -subj /CN=prd.ca -newkey rsa:2048 -key /Users/kes/dev/wi-deploy/docker-images/base/prd.ca.key -out /Users/kes/dev/wi-deploy/docker-images/base/prd.ca.csr
Warning: Not generating key via given -newkey option since -key is given

TODO: We can remove newkey option.

Hello,

The --san parameter is currently mandatory and makes a prompt if not defined. It should not as this is parameter is optional (it currently fails our automatic scripts).

Thank you !

its working fine when i put localhost.
but when i try the iP. it does not work

my input as per below
./gen.sh -c=ID -s=KP -l=kuta -o=onecom -u=mobotix -n=192.168.0.123 -e=[email protected]

Output directory is appended to file name, but we need a directory separator if one is not present.

Hi, this is not an issue per se, however I figured I'd let you know (plus might be useful to any Google lurkers around here). I downloaded your script to test it on a Debian Buster at work, and while running :
./self-signed-ssl --ca-only --trust
I got the following output :

Country Name (2 letter code) [AU]: XX
State or Province Name (full name) [Some-State]: XX
Locality Name (eg, city) []: XX
Organization Name (eg, company) [Internet Widgits Pty Ltd]: XX
Organizational Unit Name (eg, section) []: XX
Common Name (e.g. server FQDN or YOUR name) []: local-ca
Subject Alternative Name(s) (e.g. subdomains) []:
Email Address []:
Building certificate authority
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
........+++++
e is 65537 (0x010001)

Error occurred while trusting certificate for OSTYPE 'linux-gnu'
Please ensure you are on a supported system and have the required packages installed.

Indeed, if I echo $OSTYPE, my result is not "linux", but "linux-gnu", which is not recognized by the script. So I had to edit the script to allow linux and linux-gnu in OSTYPEs in the "Trust certificate authority" part of your script ! =)

Thanks a lots for your work though, really impressive !

Throws an error on Centos7 / standard bash:

createcert.sh: line 193: syntax error near unexpected token `('
createcert.sh: line 193: `  openssl req -new -sha256 -nodes -out "${OUTPATH}${FILENAME}.csr" -newkey rsa:2048 -keyout "${OUTPATH}${FILENAME}.key" -config <( cat "${tmp}/tmp.csr.cnf" )'

The script works great as-is, however, when creating the certs, the script only asks for (sub)domains not for an IP address. As such, when I try to access HTTPS IP address URL, I get expected 'NET::ERR_CERT_COMMON_NAME_INVALID' HTTPS error.

Although I'm not a programmer, I read that the script only has SAN="${SAN}DNS.${i} = ${u// /}"$'\n' not something like SAN="${SAN}IP.${i}...

If you wouldn't mind, would you be able to add support for IP address in Subject Alternative Names, thanks.

I we got error while creating certificate:

OS: ARMBIAN 5.36 user-built Ubuntu 16.04.3 LTS 3.4.113-sun8i
OpenSSL: OpenSSL 1.0.2g  1 Mar 2016
#uname -a
Linux orangepizero 3.4.113-sun8i #4 SMP PREEMPT Wed Nov 22 13:45:28 CET 2017 armv7l armv7l armv7l GNU/Linux

Log:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:orange.vpn
Email Address []:
Generating RSA private key, 2048 bit long modulus
..............+++
.........................................................+++
e is 65537 (0x10001)
end of string encountered while processing type of subject name element #6
problems making Certificate Request
Generating a 2048 bit RSA private key
.................................+++
.....................+++
writing new private key to './orange.vpn.key'
-----
problems making Certificate Request
3070130000:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=2
./orange.vpn.csr: No such file or directory

Create a --ca-only option to allow only generating a certificate authority.

See:
https://docs.brew.sh/Formula-Cookbook

Many other CLI utilities seem to be moving towards using a subcommand structure.
It could be nice to break things up using the following subcommands:

• ca
• csr
• cert|certificate

References

• Warden
• gfi.com

Add an argument to allow users to provide their own CSR used to sign a certificate.

I tried passing in the -c and --country options and they were both ignored.

I clone this and run bach file as ssl.bat but nothing happen.
May you help me how to use this?

Add an argument for users to provide their own extfile

Description

Currently, the repository name is self-signed-ssl
The actual script is named self-signed-tls

This may be confusing for people.

The script is a wrapper around OpenSSL.
Perhaps a name pertaining to that software would make sense.

Keeping it generic using -ssl would work for another idea I had:
To be able to use the script to generate boringssl certificates.

• I have not yet looked at the boringssl API.
  • Google says it often changes - probably a bit beyond the scope of what this script should do.

Possible solutions:

• Create an alias in the Homebrew installation.
  • This will maintain backwards compatibility for anyone using self-signed-tls

Add an option to generate a certificate signing request

I noticed while trying to use the script to generate a CA for cert-manager that the generated CA was not being recognized as an authority.

Here is a related answer to the issue which recommends appending the following to /etc/ssl/openssl.cnf:

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

And specifying -extension v3_ca in the openssl req command.

Just an idea:
Having an option to provide the path to openssl executable may be helpful for people using an alternative OpenSSL library or version.

I would like my certs to support dev.example.com and test.example.com. Does this tool support this?