-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathstartssl-certificate-generator
169 lines (122 loc) · 4.65 KB
/
startssl-certificate-generator
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
#!/bin/bash
#
# seafile-server-installer/startssl-certificate-generator
#
# Copyright 2015, Alexander Jackson <[email protected]>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#
#set -x
# -------------------------------------------
# Vars
# -------------------------------------------
CLASS_DEFAULT=1
RSA=4096
# -------------------------------------------
# About
# -------------------------------------------
cat << EOF
StartSSL certificate creator for NGINX
Go to https://www.startssl.com and sign up. Decide
if the free class1 certs are good enough or if you
need paid class2 or class3 certificates. Class1
certificates are the default after signing up. You
don't need to do anything else to issue class1 certs.
For questions or suggestions please contact me at
-----------------------------------------------------------------
Hit return to proceed or CTRL-C to abort.
EOF
read dummy
# -------------------------------------------
# Start working
# -------------------------------------------
read -p "New certs class? [$CLASS_DEFAULT]" CLASS
CLASS="${CLASS:-$CLASS_DEFAULT}"
if [[ $CLASS > 3 ]]; then
echo Wrong class type. Select 1, 2 or 3. Aborting.. ; exit 1
fi
read -p "New certs domain name? " DOMAIN
CERT_DIR=$(pwd)/certs/${DOMAIN}
# -------------------------------------------
# Abort if CERT_DIR exists
# -------------------------------------------
if [[ -d "${CERT_DIR}" ]] ;
then
echo " Aborting because directory ${CERT_DIR} already exist" ; exit 1
fi
mkdir -p ${CERT_DIR}
# -------------------------------------------
# Create certificate signing request and private key in batch mode
# -------------------------------------------
openssl req -new -nodes -keyout ${CERT_DIR}/${DOMAIN}.key -out ${CERT_DIR}/${DOMAIN}.csr -newkey rsa:${RSA} -batch
# -------------------------------------------
# Print instructions
# -------------------------------------------
cat << EOF
Follow these steps next:
1. Go to https://www.startssl.com >
2. Certificates Wizard >
3. Certificate Target: (Web Server SSL/TLS Certificate) > Continue >
4. Generate Private Key > Skip >
5. Submit Certificate Request (CSR) (Paste your csr shown below)
EOF
cat ${CERT_DIR}/${DOMAIN}.csr
# -------------------------------------------
# Print more instructions
# -------------------------------------------
cat << EOF
6. Continue >>
7. Certificate Request Received > Continue >>
8. Add Domains: (select your domain)
9. Optionally Add Domains > Add More < (repeat until happy) > Continue >>
10. Ready Processing Certificate > Continue >>
EOF
echo "Hit return when the certificate is displayed."
read dummy
echo "Replace content with certificate, save and exit." > ${CERT_DIR}/${DOMAIN}.crt
nano ${CERT_DIR}/${DOMAIN}.crt
echo "Creating class ${CLASS} chained certificate for NGINX"
# -------------------------------------------
# Create certificate change for usage with NGINX
# -------------------------------------------
cat ${CERT_DIR}/${DOMAIN}.crt > ${CERT_DIR}/${DOMAIN}_chained.crt
if [[ $CLASS -eq 1 ]]; then
wget -O - https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem >> ${CERT_DIR}/${DOMAIN}_chained.crt
fi
if [[ $CLASS -eq 2 ]]; then
wget -O - https://www.startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem >> ${CERT_DIR}/${DOMAIN}_chained.crt
fi
if [[ $CLASS -eq 3 ]]; then
wget -O - https://www.startssl.com/certs/class3/sha2/pem/sub.class3.server.sha2.ca.pem >> ${CERT_DIR}/${DOMAIN}_chained.crt
fi
wget -O - https://www.startssl.com/certs/ca-sha2.pem >> ${CERT_DIR}/${DOMAIN}_chained.crt
# -------------------------------------------
# List new csr and key for informational value
# -------------------------------------------
echo "Our newly Created files:"
ls -ahl ${CERT_DIR}
# -------------------------------------------
# Print
# -------------------------------------------
cat << EOF
Implementation example for NGINX:
[...]
ssl on;
ssl_certificate ${CERT_DIR}/${DOMAIN}_chained.crt;
ssl_certificate_key ${CERT_DIR}/${DOMAIN}.key;
[...]
Finished!
EOF