-
Notifications
You must be signed in to change notification settings - Fork 65
/
aws-self-signed-acm.sh
119 lines (100 loc) · 3.28 KB
/
aws-self-signed-acm.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#!/bin/bash
#Define the domain name
DOMAIN='cloudgeeks.ca'
SUBDOMAIN='*'
#Organization Details
COUNTRY='PK'
PROVINCE='Punjab'
LOCATION='Lahore'
DEPARTMENT='IT'
COMMONNAME='Self Signed Certificate'
# Define where to store the generated certs and metadata.
DIR="$(pwd)/tls"
# Optional: Ensure the target directory exists and is empty.
rm -rf "${DIR}"
mkdir -p "${DIR}"
# Create the openssl configuration file. This is used for both generating
# the certificate as well as for specifying the extensions. It aims in favor
# of automation, so the DN is encoding and not prompted.
cat > "${DIR}/openssl.cnf" << EOF
[req]
default_bits = 2048
encrypt_key = no # Change to encrypt the private key using des3 or similar
default_md = sha256
prompt = no
utf8 = yes
# Speify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name
# Extensions for SAN IP and SAN DNS
req_extensions = v3_req
# Be sure to update the subject to match your organization.
[req_distinguished_name]
C = "$COUNTRY"
ST = "$PROVINCE"
L = "$LOCATION"
O = "$DEPARTMENT"
CN = "$COMMONNAME"
# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
[v3_req]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = "$SUBDOMAIN"."$DOMAIN"
DNS.2 = "$SUBDOMAIN"."$SUBDOMAIN"."$DOMAIN"
DNS.3 = localhost
EOF
# Create the certificate authority (CA). This will be a self-signed CA, and this
# command generates both the private key and the certificate. You may want to
# adjust the number of bits (4096 is a bit more secure, but not supported in all
# places at the time of this publication).
#
# To put a password on the key, remove the -nodes option.
#
# Be sure to update the subject to match your organization.
openssl req \
-new \
-newkey rsa:2048 \
-days 36500 \
-nodes \
-x509 \
-subj "/C="$COUNTRY"/ST="$PROVINCE"/L="$LOCATION"/O="$DEPARTMENT"" \
-keyout "${DIR}/CA.key" \
-out "${DIR}/CA.crt"
#
# For each server/service you want to secure with your CA, repeat the
# following steps:
#
# Generate the private key for the service. Again, you may want to increase
# the bits to 4096.
openssl genrsa -out "${DIR}/"$DOMAIN".key" 2048
# Generate a CSR using the configuration and the key just generated. We will
# give this CSR to our CA to sign.
openssl req \
-new -key "${DIR}/"$DOMAIN".key" \
-out "${DIR}/"$DOMAIN".csr" \
-config "${DIR}/openssl.cnf"
# Sign the CSR with our CA. This will generate a new certificate that is signed
# by our CA.
openssl x509 \
-req \
-days 3650 \
-in "${DIR}/"$DOMAIN".csr" \
-CA "${DIR}/CA.crt" \
-CAkey "${DIR}/CA.key" \
-CAcreateserial \
-extensions v3_req \
-extfile "${DIR}/openssl.cnf" \
-out "${DIR}/"$DOMAIN".crt"
# (Optional) Verify the certificate.
openssl x509 -in "${DIR}/"$DOMAIN".crt" -noout -text
# Generate PFX For Windows
#openssl pkcs12 -export -out "$DOMAIN".pfx -inkey "$DOMAIN".key -in "$DOMAIN".crt
#https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/
# End