When developing, we may need to use certificate. Instead of using Let’s Encrypt or even pay for one, we can use openssl command line to generate self-signed certificates.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#######################################################
# This scripts is used to generate the rootCA and the #
# user bi-keys                                        #
#                                                     #
# Usage:                                              #
#           ./generate_certificate.sh                 #
#######################################################
#!/bin/bash

rootca_home="./rootCA"
rootca_validity=3650
cert_validity=500
subject="/C=FR/ST=IDF/L=Paris/O=Foobar/OU=R&D/CN="

info () {
    echo "[INFO] $1"
}

generateRootCA() {
    info "Generating the Certification authority"
    rm -rf  ${rootca_home}/*
    mkdir -p ${rootca_home}

    # Since we do not have any certification authority, we will generate our own.
    openssl genrsa -out ${rootca_home}/rootCA.key 2048
    openssl req -new -nodes -x509 \
            -days ${rootca_validity} \
            -key ${rootca_home}/rootCA.key \
            -out ${rootca_home}/rootCA.pem \
            -subj "${subject}rootca"
}

generateRSA() {
    local certificate_name=$1

    info "${certificate_name} - Generate RSA private key"
    openssl genrsa -out ${certificate_name}/${certificate_name}.rsa.key 2048

    generateSelfSignedCertificate ${certificate_name} rsa

    info "${certificate_name} - Generate certificate signing request for our RSA certificate"
    openssl req -new \
            -key ${certificate_name}/${certificate_name}.rsa.key \
            -out ${certificate_name}/${certificate_name}.rsa.csr \
            -subj "${subject}${certificate_name}"

    info "${certificate_name} - Sign the RSA CSR using CA root key"
    openssl x509 -req \
            -in ${certificate_name}/${certificate_name}.rsa.csr \
            -CA ${rootca_home}/rootCA.pem \
            -CAkey ${rootca_home}/rootCA.key \
            -CAcreateserial \
            -out ${certificate_name}/${certificate_name}.rsa.crt \
            -days ${cert_validity} \
            -sha256
}

generateECDSA() {
    local certificate_name=$1

    info "${certificate_name} - Generate ECDSA private key"
    openssl ecparam -name prime256v1 -genkey -out ${certificate_name}/${certificate_name}.ecdsa.key

    generateSelfSignedCertificate ${certificate_name} ecdsa

    info "${certificate_name} - Generate certificate signing request for our ECDSA certificate"
    openssl req -new -nodes \
            -key ${certificate_name}/${certificate_name}.ecdsa.key \
            -out ${certificate_name}/${certificate_name}.ecdsa.csr \
            -subj "${subject}${certificate_name}"

    info "${certificate_name} - Sign the RSA CSR using CA root key"
    openssl x509 -req \
            -in ${certificate_name}/${certificate_name}.ecdsa.csr \
            -CA ${rootca_home}/rootCA.pem \
            -CAkey ${rootca_home}/rootCA.key \
            -CAcreateserial \
            -out ${certificate_name}/${certificate_name}.ecdsa.crt \
            -days ${cert_validity} \
            -sha256
}

generateSelfSignedCertificate() {
    local certificate_name=$1
    local certificate_type=$2

    info "${certificate_name}.${certificate_type} - Generate self-signed certificate"
    openssl req -new -x509 \
            -days ${cert_validity} \
            -key ${certificate_name}/${certificate_name}.${certificate_type}.key \
            -out ${certificate_name}/${certificate_name}.self-signed.${certificate_type}.crt \
            -subj "${subject}${certificate_name}"
}

generateUserCertificate () {
    local certificate_name=$1

    info "${certificate_name} - Delete existing files"
    rm -rf ${certificate_name}
    mkdir -p ${certificate_name}

    generateRSA ${certificate_name}
    generateECDSA ${certificate_name}
}

generateRootCA

generateUserCertificate "l.lin"
generateUserCertificate "localhost"

info "Generating CA and user certificates FINISHED!!!"

exit 0