Certificate and CSR Generator

Get signed and valid SSL certificates, create CSRs and the corresponding private keys directly from the command line in usually less than a minute. Easy, secure, fast.

Sample Usage

Official certificates (signed by ZeroSSL CA):

php generator.php --apiKey=KEY --targetPath="/var/www/" --domains="example.com,www.example.com" --csrData="countryName=AT&stateOrProvinceName=Vienna&localityName=Vienna&organizationName=CLI%20Operations&[email protected]"

Self-signed certificates:

php generator.php --targetPath="/var/www/" --domains="example.com,www.example.com" --csrData="countryName=AT&stateOrProvinceName=Vienna&localityName=Vienna&organizationName=CLI%20Operations&[email protected]"

Flags

The flags should provide all configuration that you may ever need. Take a little time to fully understand what they are doing:

| Flag | Description | Type | Examples | Required |
| --- | --- | --- | --- | --- |
| `-d`, `--domains` | Comma-separated list of domains for the certificate. Use wildcards like `*.example.com`. The first domain name will be the common name of the certificate. | String | `example.com,www.example.com`<br>`*.example.com`<br>`*.foo.bar.com,*.abc,bar.com,*.xyz.bar.com` | |
| `-c`, `--csrData` | Important: The organization information for your CSR and your certificate.<br>Required parts:<br>`countryName`: Country code (e.g. AT, DE, ...). Find your country code: https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes<br>`stateOrProvinceName`: Your state or province<br>`localityName`: Your city<br>`organizationName`: Organization to issue the certificate for.<br>`emailAddress`: Contact email for certificate. | QUERY_STRING | `countryName=AT&stateOrProvinceName=Vienna&localityName=Vienna&organizationName=CLI%20Operations&[email protected]` | |
| `-p`, `--privateKeyPassword` | The password which is used to encrypt the private key. | String | | |
| `-n`, `--noOut` | If this is set, no output is printed to the screen. Only needed if you embed the application somewhere. | Boolean | | |
| `-t`, `--targetPath` | The path in your local system where all output is saved (certificate, CSR, private key, files for validation, ...). Not mandatory, because you could also copy all output from the terminal and save it to files on your own. | String | `/etc/ssl/` | |
| `-a`, `--targetSubfolder` | Subfolder in the target path. Might be useful when requesting many certificates. The folder is created if it does not exist. | String | `cert1`<br>`cert2` | |
| `-s`, `--suffix` | Output file suffix. This is useful if you generate multiple certificates and do not want to overwrite the existing output. The suffix is appended to any output. | String | `-2`<br>`-ecc`<br>`project` | |
| `-k`, `--apiKey` | Required if you want to sign your certificate with ZeroSSL (recommended). You need to register at https://app.zerossl.com/signup to get an API key.<br>If no API key is defined, you will create self-signed certificates. You might want to do this on purpose, but common web browsers will show a warning that the certificate is not trusted. | String | `663f5da7524344266195a785279e72d1` | |
| `-m`, `--validationMethod` | The validation method (only required if the certificate is signed with ZeroSSL).<br>`EMAIL`: For email validation<br>`CNAME`: CNAME validation<br>`HTTP_CSR_HASH`: HTTP file upload validation<br>`HTTPS_CSR_HASH`: HTTPS file upload validation<br>More information here: https://zerossl.com/documentation/api/verify-domains/ | Enum | | |
| `-d`, `--useEccDefaults` | By default, certificates with RSA keys are generated. If this is set to true, the defaults for ECC certificates are used. More information: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography. | Boolean | | |
| `-y`, `--privateKeyOptions` | You can configure certain options for the private key, like the encryption algorithm. This is an advanced feature.<br>All options are explained in the PHP documentation: https://www.php.net/manual/en/function.openssl-csr-new.php | QUERY_STRING (URL encoded string) | `digest_alg=sha512 curve_name=sect571r1` | |
| `-o`, `--csrOnly` | You can use the application for pure CSR generation, without certificate or signing. If you specify this option, the script simply generates your CSR and stops afterwards. | Boolean | | |
| `-r`, `--createOnly` | Create the CSR and also the certificate in the ZeroSSL CA, but do not start the validation process. This might be useful if you want to create a bunch of certificates and e.g. get the validation files, but the validation of the certificates will be done later (or e.g. from the ZeroSSL UI). | Boolean | | |
| `-s`, `--csrOptions` | You can configure certain options for the private key, like the encryption algorithm. This is an advanced feature.<br>All options are explained in the PHP documentation: https://www.php.net/manual/en/function.openssl-csr-new.php | QUERY_STRING (URL encoded string) | `digest_alg=sha512 curve_name=sect571r1` | |
| `-v`, `--validityDays` | Default: 90. Days of certificate validity.<br>While for self-signed certificates you can choose any amount, for ZeroSSL signed certificates only 90 and 365 days are supported currently. For 365 days (1-Year) you need a ZeroSSL premium account. | INTEGER | `90`<br>`365` | |
| `-z`, `--validationEmail` | Only required for email certificate validation with ZeroSSL. Comma-separated string of validation email addresses which must be equivalent to your domains string. More information here: https://zerossl.com/documentation/api/verify-domains/. | STRING | [email protected]<br>[email protected],[email protected],[email protected] | |
| `-i`, `--includeCrossSigned` | Whether to include the cross-signed certificate in the CA bundle delivered by ZeroSSL after signing. | BOOLEAN | | |
| `-q`, `--debug` | ONLY USED FOR DEBUGGING THIS SCRIPT - INSECURE. You can set a test API URL here; insecure HTTP requests are allowed. | STRING | `https://mylocal.cert.api` | |
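
For the self-signed case, the following added example (not the project's `generator.php`) shows how inputs shaped like `--csrData`, `--privateKeyOptions` and `--validityDays` map onto the PHP OpenSSL functions that the flag table links to. The sample values, the `KEY_PASSPHRASE` environment variable, the `prime256v1` curve, the 2048-bit RSA fallback and the output file names are assumptions made for the example. Only the common name is set; adding the remaining domains as subjectAltName needs an OpenSSL config section and is left out.

```php
<?php

// Added illustration, not generator.php. Sample values, the KEY_PASSPHRASE
// variable and the output file names are constructed for this example.
$domains      = explode(',', 'example.com,www.example.com');      // --domains
$csrData      = 'countryName=AT&stateOrProvinceName=Vienna&localityName=Vienna'
              . '&organizationName=CLI%20Operations&emailAddress=admin%40example.com';
$keyOptions   = 'digest_alg=sha512&curve_name=prime256v1';        // --privateKeyOptions
$validityDays = 90;                                               // --validityDays
$passphrase   = getenv('KEY_PASSPHRASE') ?: null;                 // null leaves the key unencrypted

function must(mixed $value, string $step): mixed
{
    if ($value === false) {
        fwrite(STDERR, "$step failed: " . openssl_error_string() . PHP_EOL);
        exit(1);
    }
    return $value;
}

// --csrData decodes into the distinguished name; all five parts must be present.
parse_str($csrData, $dn);
$required = ['countryName', 'stateOrProvinceName', 'localityName', 'organizationName', 'emailAddress'];
if ($missing = array_diff($required, array_keys($dn))) {
    fwrite(STDERR, 'csrData is missing: ' . implode(', ', $missing) . PHP_EOL);
    exit(1);
}
$dn['commonName'] = $domains[0];   // the first domain becomes the common name

// EC key when curve_name is given, otherwise a 2048-bit RSA key (assumed default).
parse_str($keyOptions, $opts);
$opts += isset($opts['curve_name'])
    ? ['private_key_type' => OPENSSL_KEYTYPE_EC]
    : ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048];

$key  = must(openssl_pkey_new($opts), 'key generation');
$csr  = must(openssl_csr_new($dn, $key, $opts), 'CSR creation');
$cert = must(openssl_csr_sign($csr, null, $key, $validityDays, $opts), 'self-signing');

must(openssl_csr_export($csr, $csrPem), 'CSR export');
must(openssl_x509_export($cert, $certPem), 'certificate export');
must(openssl_pkey_export($key, $keyPem, $passphrase), 'key export');

// A newly created key file is owner-only; CSR and certificate are public data.
$dir = sys_get_temp_dir();
$old = umask(0077);
file_put_contents("$dir/example-private.key", $keyPem);
umask($old);
file_put_contents("$dir/example.csr", $csrPem);
file_put_contents("$dir/example.crt", $certPem);
```

Reading the passphrase from the environment keeps it out of the shell history and the process list, where a value passed as a command-line argument would be visible to other local users.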