An Open Access Peon

21 May 2013

Generating Certificate (CSR) requests

Here's a short script to generate a server key and PKCS #10 Certificate Request for use with HTTPS:

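#!/bin/sh

if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <hostname>" >&2
    exit 1
fi

HOSTNAME=$1

# Files created below (including the private key) are readable by the owner only
umask 077

# Reuse an existing key if present, otherwise generate a 2048-bit RSA key
if [ ! -f "${HOSTNAME}.key" ]; then
    openssl genrsa -out "${HOSTNAME}.key" 2048 || exit 1
fi

# Build a per-host template: the organisation defaults plus the common name
cp cert.cfg "${HOSTNAME}.cfg" || exit 1
echo >> "${HOSTNAME}.cfg"
echo "cn = ${HOSTNAME}" >> "${HOSTNAME}.cfg"

# Generate the PKCS #10 request with GnuTLS certtool; stop if it fails
certtool --generate-request \
    --load-privkey "${HOSTNAME}.key" \
    --outfile "${HOSTNAME}.csr" \
    --template "${HOSTNAME}.cfg" || exit 1

# Print the name of the request file on success
if [ -f "${HOSTNAME}.csr" ]; then
    echo "${HOSTNAME}.csr"
fi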


This requires a cert.cfg that provides the basic information for your organisation:

# X.509 Certificate options
#
# DN options

organization = "University of Weevils"

unit = "Department of Creepy Crawlies"

locality = "Winchester"

state = "Hampshire"

country = GB

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).
signing_key

# Whether this certificate will be used for a TLS client
tls_www_client

# Whether this certificate will be used for a TLS server
tls_www_server

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key


The resulting CSR should be sent to your certificate authority for signing into a certificate (crt).
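
Before sending the request, it is worth confirming that it is well-formed, is bound to the key you will deploy, and names the right host. The following is an added example, not part of the original post: the function name check_csr and the file name check_csr.sh are assumptions, and it uses the openssl command line rather than certtool.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check a CSR before
# sending it to the CA. Assumes an unencrypted key, as genrsa produces above.

check_csr() {
    key=$1; csr=$2; host=$3

    # 1. Self-signature: proves the request was signed by the key it carries.
    #    Match on the message rather than relying on the exit status alone.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "FAIL: CSR self-signature does not verify" >&2
        return 1
    fi

    # 2. Key binding: the public key in the CSR must be the one derived from
    #    the private key we intend to deploy.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$csr_pub" ] || [ "$csr_pub" != "$key_pub" ]; then
        echo "FAIL: CSR public key does not match $key" >&2
        return 1
    fi

    # 3. Subject: the CN must be the hostname we meant to request.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p')
    if [ "$cn" != "$host" ]; then
        echo "FAIL: CSR CN is '$cn', expected '$host'" >&2
        return 1
    fi

    echo "OK: $csr matches $key and requests CN=$host"
}

# Run as: sh check_csr.sh <keyfile> <csrfile> <hostname>
if [ "$#" -eq 3 ]; then
    check_csr "$@"
fi
```

A failure at step 2 usually means the CSR was generated from a different key file than the one on the server, which would only surface later as a key/certificate mismatch when the signed certificate is installed.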