lstellway / self-signed-ssl Goto Github PK

Add an option to generate a certificate signing request

I tried passing in the -c and --country options and they were both ignored.

I we got error while creating certificate:

OS: ARMBIAN 5.36 user-built Ubuntu 16.04.3 LTS 3.4.113-sun8i
OpenSSL: OpenSSL 1.0.2g  1 Mar 2016
#uname -a
Linux orangepizero 3.4.113-sun8i #4 SMP PREEMPT Wed Nov 22 13:45:28 CET 2017 armv7l armv7l armv7l GNU/Linux

Log:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:orange.vpn
Email Address []:
Generating RSA private key, 2048 bit long modulus
..............+++
.........................................................+++
e is 65537 (0x10001)
end of string encountered while processing type of subject name element #6
problems making Certificate Request
Generating a 2048 bit RSA private key
.................................+++
.....................+++
writing new private key to './orange.vpn.key'
-----
problems making Certificate Request
3070130000:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=2
./orange.vpn.csr: No such file or directory

I noticed while trying to use the script to generate a CA for cert-manager that the generated CA was not being recognized as an authority.

Here is a related answer to the issue which recommends appending the following to /etc/ssl/openssl.cnf:

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

And specifying -extension v3_ca in the openssl req command.

its working fine when i put localhost.
but when i try the iP. it does not work

my input as per below
./gen.sh -c=ID -s=KP -l=kuta -o=onecom -u=mobotix -n=192.168.0.123 -e=[email protected]

The script works great as-is, however, when creating the certs, the script only asks for (sub)domains not for an IP address. As such, when I try to access HTTPS IP address URL, I get expected 'NET::ERR_CERT_COMMON_NAME_INVALID' HTTPS error.

Although I'm not a programmer, I read that the script only has SAN="${SAN}DNS.${i} = ${u// /}"$'\n' not something like SAN="${SAN}IP.${i}...

If you wouldn't mind, would you be able to add support for IP address in Subject Alternative Names, thanks.

Description

Currently, the repository name is self-signed-ssl
The actual script is named self-signed-tls

This may be confusing for people.

The script is a wrapper around OpenSSL.
Perhaps a name pertaining to that software would make sense.

Keeping it generic using -ssl would work for another idea I had:
To be able to use the script to generate boringssl certificates.

• I have not yet looked at the boringssl API.
  • Google says it often changes - probably a bit beyond the scope of what this script should do.

Possible solutions:

• Create an alias in the Homebrew installation.
  • This will maintain backwards compatibility for anyone using self-signed-tls

Create a --ca-only option to allow only generating a certificate authority.

Hi, this is not an issue per se, however I figured I'd let you know (plus might be useful to any Google lurkers around here). I downloaded your script to test it on a Debian Buster at work, and while running :
./self-signed-ssl --ca-only --trust
I got the following output :

Country Name (2 letter code) [AU]: XX
State or Province Name (full name) [Some-State]: XX
Locality Name (eg, city) []: XX
Organization Name (eg, company) [Internet Widgits Pty Ltd]: XX
Organizational Unit Name (eg, section) []: XX
Common Name (e.g. server FQDN or YOUR name) []: local-ca
Subject Alternative Name(s) (e.g. subdomains) []:
Email Address []:
Building certificate authority
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
........+++++
e is 65537 (0x010001)

Error occurred while trusting certificate for OSTYPE 'linux-gnu'
Please ensure you are on a supported system and have the required packages installed.

Indeed, if I echo $OSTYPE, my result is not "linux", but "linux-gnu", which is not recognized by the script. So I had to edit the script to allow linux and linux-gnu in OSTYPEs in the "Trust certificate authority" part of your script ! =)

Thanks a lots for your work though, really impressive !

See:
https://docs.brew.sh/Formula-Cookbook

Add an argument for users to provide their own extfile

Hello,

The --san parameter is currently mandatory and makes a prompt if not defined. It should not as this is parameter is optional (it currently fails our automatic scripts).

Thank you !

Output directory is appended to file name, but we need a directory separator if one is not present.

Throws an error on Centos7 / standard bash:

createcert.sh: line 193: syntax error near unexpected token `('
createcert.sh: line 193: `  openssl req -new -sha256 -nodes -out "${OUTPATH}${FILENAME}.csr" -newkey rsa:2048 -keyout "${OUTPATH}${FILENAME}.key" -config <( cat "${tmp}/tmp.csr.cnf" )'

Add an argument to allow users to provide their own CSR used to sign a certificate.

References

• Google shell styleguid
• ShellCheck

I clone this and run bach file as ssl.bat but nothing happen.
May you help me how to use this?

I would like my certs to support dev.example.com and test.example.com. Does this tool support this?

+ CSR=/Users/kes/dev/wi-deploy/docker-images/base/prd.ca.csr
+ openssl genrsa -out /Users/kes/dev/wi-deploy/docker-images/base/prd.ca.key 2048
+ openssl req -new -nodes -sha256 -subj /CN=prd.ca -newkey rsa:2048 -key /Users/kes/dev/wi-deploy/docker-images/base/prd.ca.key -out /Users/kes/dev/wi-deploy/docker-images/base/prd.ca.csr
Warning: Not generating key via given -newkey option since -key is given

TODO: We can remove newkey option.

Many other CLI utilities seem to be moving towards using a subcommand structure.
It could be nice to break things up using the following subcommands:

• ca
• csr
• cert|certificate

References

• Warden
• gfi.com

Just an idea:
Having an option to provide the path to openssl executable may be helpful for people using an alternative OpenSSL library or version.