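#!/bin/bash
# = Parabola Social
# Generates a self-signed certificate and installs it.
# From: http://www.akadia.com/services/ssh_test_certificate.html
#
# This script is released in the Public Domain.
#
# Must run as root: it writes under /etc/ssl. The `openssl req` step is
# interactive (subject fields, challenge password) and is deliberately not
# redirected to the log file.
#
# Environment (optional):
#   KEY_BITS   RSA modulus size in bits. Default 2048; the former default of
#              1024 is below the minimum accepted by current TLS stacks.
#   CERT_DAYS  Certificate validity in days. Default 365.
#
# Exit status:
# 0 - Everything OK
# 1 - Private key generation failed
# 2 - CSR generation failed
# 3 - Copying the encrypted key failed
# 4 - Private key decryption failed
# 5 - CSR signing failed
# 6 - Linking local key failed
# 7 - Linking local certificate failed
# 8 - Prerequisite check failed (log file, hostname or SSL directories)

# Standard Arch's SSL directories
readonly ssl_dir=/etc/ssl
readonly ssl_key_dir=${ssl_dir}/private
readonly ssl_crt_dir=${ssl_dir}/certs

readonly key_bits=${KEY_BITS:-2048}
readonly cert_days=${CERT_DAYS:-365}

# Keys and the CSR are created under an owner-only umask so the private key
# (encrypted and decrypted copies alike) is never world-readable, not even for
# the moment between openssl writing it and the chmod at the end.
umask 077

#######################################
# Prints a failure marker plus the log location to stderr and exits.
# Arguments: $1 - exit status to use
#######################################
fail() {
    local status=$1
    printf ' [FAILED] (details in %s)\n' "${log_file:-<no log file>}" >&2
    exit "${status}"
}

# A fixed /tmp/certificate_$$.log could be pre-created or symlinked by another
# local user; mktemp gives an unpredictable name with owner-only permissions.
log_file=$(mktemp /tmp/certificate.XXXXXX) || fail 8
readonly log_file

# Hostname should be already set
hostname=$(hostname)
if [[ -z "${hostname}" ]]; then
    printf ':: Cannot determine the hostname\n' >&2
    fail 8
fi
readonly hostname

for dir in "${ssl_dir}" "${ssl_key_dir}" "${ssl_crt_dir}"; do
    if [[ ! -d "${dir}" || ! -w "${dir}" ]]; then
        printf ':: %s is missing or not writable (run as root?)\n' "${dir}" >&2
        fail 8
    fi
done

readonly key_file=${ssl_dir}/${hostname}.key
readonly csr_file=${ssl_dir}/${hostname}.csr
readonly enc_key_file=${key_file}.encrypted
readonly installed_key=${ssl_key_dir}/${hostname}.key
readonly installed_crt=${ssl_crt_dir}/${hostname}.crt

printf '%s\n' ":: Generating a private key.
    The generated file *must not be shared* with anyone. It's private."
# -des3 prompts for a passphrase; the key is decrypted again below for
# unattended use by the server.
openssl genrsa -des3 \
               -out "${key_file}" "${key_bits}" 2>> "${log_file}" || fail 1

# TODO Can this be autofilled?
printf '%s\n' ":: Generating a Certificate Signing Request.
    This can be signed by you or by a Certificate Authority.
    Most important thing to complete here is the Common Name,
    that is, the full hostname of your machine as will be
    accesed from internet (ie. yoursocialmachine.sometld).
    
    In short, you have to type the hostname you already configured
    and leave the challenge password empty. Go ahead!"
openssl req -new \
            -key "${key_file}" \
            -out "${csr_file}" || fail 2

# Keep the passphrase-protected copy next to the original.
cp -- "${key_file}" "${enc_key_file}" >> "${log_file}" 2>&1 || fail 3

printf '%s\n' ":: Decrypting the private key..."
openssl rsa -in "${enc_key_file}" \
            -out "${installed_key}" >> "${log_file}" 2>&1 || fail 4

printf '%s\n' ":: Signing the Certificate Signing Request.
    This step will generate your self-signed certificate to use on secure connections."
openssl x509 -req \
             -days "${cert_days}" \
             -in "${csr_file}" \
             -signkey "${installed_key}" \
             -out "${installed_crt}" >> "${log_file}" 2>&1 || fail 5

printf '%s\n' ":: Installing private key and certificate into local directories..."
# Plain ln -s (not -f): an existing local.key/local.crt is not clobbered.
ln -s "${installed_key}" "${ssl_key_dir}/local.key" >> "${log_file}" 2>&1 || fail 6

ln -s "${installed_crt}" "${ssl_crt_dir}/local.crt" >> "${log_file}" 2>&1 || fail 7

# Final permissions: key stays owner-read-only, the certificate is public.
chmod 400 -- "${installed_key}"
chmod 444 -- "${installed_crt}"

printf '%s\n' ":: Everything went fine!"
exit 0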