SSL Certs Generator (CLI)


SSL Certs Generator (ssl-gen.sh) is a bash script that generates SSL certificates for a Linux machine and gets them signed. To use the script you need a Microsoft Certificate Authority (MS CA) on your network. The script also copies all the generated certificates to the appropriate directories on your system. It supports Subject Alternative Names (x509 SAN) and IPv6.

Install

Name: SSL Certs Generator (CLI)
Version: 0.4 (check for the latest version)
Language: bash
Platform: Linux (Red Hat and Debian based systems)
Requirements: GNU awk, sed, grep, tail, head, cut, ip, openssl, whiptail, gpg

Download and install:

sudo bash
mkdir -p /root/scripts
wget https://svelab.com/download/ssl-gen.zip -O /tmp/ssl-gen.zip
unzip /tmp/ssl-gen.zip -d /root/scripts/
chmod +x /root/scripts/ssl-gen.sh
rm -f /tmp/ssl-gen.zip
exit

Variables

Before you start using the script, you need to configure the variables for your environment:

Variable (default value): description

DEFAULT_DOMAIN (default: example.local): Appended to form the fully qualified domain name (FQDN) of your Linux machine, but only if the script cannot determine the FQDN automatically.
SAN_NAMEs (default: <blank>): Extra Subject Alternative Names (SAN DNS entries) to put in the certificate (see the examples inside the script).
SAN_local_IPs (default: true): Put the IP addresses of your Linux machine in the certificate as part of the SAN.
SAN_extract_canonical_names (default: true): Extract all canonical names from the provided FQDN and add them to the SAN.
ssl_ca (default: http://ca.example.local/certsrv/): The URL of your Microsoft CA web enrollment page. The trailing slash is required.
ssl_ca_cert_name (default: <extracted automatically>): The name of the CA certificate (extracted automatically).
ssl_ca_template (default: Web Server and Client): A predefined certificate template in your Microsoft Certification Authority. It must be accessible to the user you use to connect to MS CA.
ssl_key_len (default: 2048): The length in bits of the private key to be generated.
ssl_key_mail_postfix (default: example.com): This postfix is appended to the username in the certificate subject (email address).
ca_timeout (default: 5): How long curl waits for a response from MS CA (seconds).
ca_retry (default: 2): How many times curl retries getting a response from MS CA.
proxy (default: http://proxy.example.local:3128/): The URL of your outgoing proxy server (if applicable). curl uses the proxy only if it cannot connect to MS CA directly.
certs_folder (default: /root/certs): Directory in which the generated certificates are saved.
cert_subj (default: <see inside the script>): Predefined subjects for a certificate. You must define at least one.
CA_AUTH_METHOD (default: 1): 0 = no authentication required, 1 = decode CA_MAGIC, 2 = enter your AD credentials interactively, 3 = take ca_username and ca_password from the script.
ca_username (default: <blank>): Username used to log in to MS CA (only if CA_AUTH_METHOD=3).
ca_password (default: <blank>): Password for ca_username (only if CA_AUTH_METHOD=3).
CA_MAGIC (default: <see inside the script>): GPG-encrypted credentials (username:password) used to log in to MS CA (only if CA_AUTH_METHOD=1).
scripts_repo (default: http://t.example.local): URL of an additional repository, which can be used to retrieve extra certificates and/or files (see Section 3.3 of the script).

Configure

  1. Ensure that your Microsoft Certificate Authority is up and running and has the Web Enrollment role installed.
    MS CA - Enabled Roles (screenshot)
  2. Create a new template (if you do not have one already) and make it visible to all users.
    MS CA - Create a template (screenshots)
  3. Open the script with a text editor (vi, nano, mcedit, etc.) and replace the default values with yours. You have to replace the values of the following variables: DEFAULT_DOMAIN, ssl_ca, ssl_ca_template, ssl_key_mail_postfix, proxy, cert_subj, and scripts_repo
  4. Choose a suitable authentication method (CA_AUTH_METHOD variable) to allow the script to connect to MS CA
    Decode CA_MAGIC
    This method is convenient for storing secret data in an encrypted form inside the script. You only need to know the password to decrypt this data.

    Default password for decrypting CA_MAGIC: Secret@123
    Default credentials inside CA_MAGIC: ssl_script:Tester!123

    To encrypt your credentials and replace the default CA_MAGIC value do as below (replace values with yours):

    cd /tmp
    # write the credentials as username:password
    echo 'ssl_script:MyNewPassword' > pwtmp
    # symmetric (passphrase-based) encryption, ASCII-armored output in pwtmp.asc
    gpg --armor -c pwtmp
    # enter a new password for decryption
    # print the armored message without blank lines and the Version header
    grep -v -E '^$|Ver' pwtmp.asc
    # remove the plain-text and encrypted temporary files
    rm -f pwtmp*

    You will get something like this:

    [root@svelab tmp]# grep -v -E '^$|Ver' pwtmp.asc
    -----BEGIN PGP MESSAGE-----
    jA0EAwMCAdq6LUXv6/DmyTSz8sS6Zw3sMGhvcj50WW7eE3P6yiG2FsXgRB2sWJYN
    gW5Bgf49/IOMKLrJPal93YIS4RVb
    =HHsM
    -----END PGP MESSAGE-----
    

    Now you can replace the default value of CA_MAGIC with this new PGP message which contains your credentials.

    Take from the script
    This is neither a secure nor a flexible way to store credentials, but it is the most convenient one. Create a service account in Active Directory with the minimum privileges needed (ideally with interactive logon disabled for this account). Put the username and password you created in the ca_username and ca_password variables, and keep the script readable only by root, since the password is stored in clear text.

Usage

[root@svelab scripts]# ./ssl-gen.sh

SSL Certs Generator - Usage (screenshot)

Argument: description

templateNumber: A user-defined value to be added to the certificate's ‘Subject’ field (cert_subj variable).
emailName: Email prefix to be added to the certificate's ‘Subject’ field. The email postfix is taken automatically from the ssl_key_mail_postfix variable. If not provided, ‘admin’ is used.
-y: Do not prompt for user confirmation.

Example:

SSL Certs Generator - Example (screenshot)

To quickly add extra SAN entries (example):

cd /root/scripts
sed -i 's/^SAN_NAMEs.*/SAN_NAMEs="webserver01.example.local, helpdesk.example.local, 192.168.255.1"/' ssl-gen.sh

All files generated by the script will be saved in a directory defined in the certs_folder variable.
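To show how a mixed SAN_NAMEs value like the one above maps onto the X.509 subjectAltName extension, here is an added POSIX sh example (not code from ssl-gen.sh; the function names is_ip_address and build_san are assumptions). It classifies each entry as DNS: or IP: (IPv4 and IPv6), and drops duplicates, which the script's canonical-name extraction could otherwise introduce.

```shell
#!/bin/sh
# Added example (not part of ssl-gen.sh): turn a SAN_NAMEs-style list of
# DNS names and IPv4/IPv6 addresses into an X.509 subjectAltName value.
# Function names (is_ip_address, build_san) are assumptions for this example.

# Return 0 when the entry must be encoded as an IP: SAN entry, 1 for DNS:.
is_ip_address() {
    case "$1" in
        *:*) return 0 ;;            # IPv6 literals always contain colons
        *[!0-9.]*) return 1 ;;      # any other character means a hostname
        *.*.*.*) return 0 ;;        # four dotted decimal groups: IPv4
        *) return 1 ;;
    esac
}

# $1: comma-separated list, whitespace around entries tolerated (the same
# shape as SAN_NAMEs). Prints e.g. DNS:webserver01.example.local,IP:192.168.255.1
# Duplicate entries are dropped; a repeated SAN entry makes some CAs reject
# the request.
build_san() {
    san=""
    old_ifs=$IFS
    IFS=','
    for entry in $1; do
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -z "$entry" ] && continue
        if is_ip_address "$entry"; then
            item="IP:$entry"
        else
            item="DNS:$entry"
        fi
        case ",$san," in
            *",$item,"*) continue ;;   # already present, skip it
        esac
        san="${san:+$san,}$item"
    done
    IFS=$old_ifs
    printf '%s\n' "$san"
}

# Usage: the printed value is what goes into the CSR, e.g.
#   openssl req -new -key server.key -subj "/CN=host.example.local" \
#       -addext "subjectAltName=$(build_san "$SAN_NAMEs")"
# (-addext needs OpenSSL 1.1.1 or newer.)
build_san "webserver01.example.local, helpdesk.example.local, 192.168.255.1, fd00::1"
```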

Source code

See also

SSL Certs Scanner

Contact us

Please, feel free to contact us if you have any questions or suggestions. Post a comment below if you want to report a bug.

Published March 27th, 2018 (updated 2018-04-28). Categories: Linux, Scripts, Security, Tools