Bash Create Signing Certificate via OpenSSL Code
Overview
Sources:
For the digital signature of your documents you need a signing certificate in .p12
format (public and private key). You can buy one (not recommended for dev) or use the steps to create a self-signed one:
-
Generate a private key using the OpenSSL command. You can run the following command to generate a 2048-bit RSA key:
openssl genrsa -out private.key 2048
-
Generate a self-signed certificate using the private key. You can run the following command to generate a self-signed certificate:
openssl req -new -x509 -key private.key -out certificate.crt -days 365
This will prompt you to enter some information, such as the Common Name (CN) for the certificate. Make sure you enter the correct information. The -days parameter sets the number of days for which the certificate is valid.
-
Combine the private key and the self-signed certificate to create the
p12
certificate. You can run the following command to do this:openssl pkcs12 -export -out certificate.p12 -inkey private.key -in certificate.crt
-
You will be prompted to enter a password for the p12 file. Choose a strong password and remember it, as you will need it to use the certificate (can be empty for dev certificates)
Code Snippet
Function Wrapper:
Details
This script is written in Bash, a popular shell scripting language. It uses OpenSSL, a robust toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, to generate a private key, a self-signed certificate, and a PKCS#12 certificate bundle.
- The first line,
#!/usr/bin/env bash
, is known as a shebang. It tells the system that this script should be executed using Bash. - The second line,
# -*- coding: utf-8 -*-
, is a coding declaration. While not necessary in Bash scripts, it’s often used in Python scripts to specify the character encoding. In this script, it doesn’t have any effect and can be considered a comment. - The command
openssl genrsa -out private.key 2048
generates a 2048-bit RSA private key. The-out
option specifies the output filename, in this case,private.key
. - The command
openssl req -new -x509 -key private.key -out certificate.crt -days 365
generates a new X.509 certificate using the previously generated private key. The-new
option indicates that a new certificate request should be created. The-x509
option tells OpenSSL to create a self-signed certificate instead of a certificate request. The-days 365
option sets the certificate to expire after one year. - The command
openssl pkcs12 -export -out certificate.p12 -inkey private.key -in certificate.crt
creates a PKCS#12 file, also known as a PFX file, which bundles the private key and certificate together. This is often required when importing the key and certificate into certain systems. The-export
option is used to specify that a PKCS#12 file will be created instead of parsed. The-out
option specifies the output filename, in this case,certificate.p12
. The-inkey
and-in
options specify the input private key and certificate files, respectively.
Function Details
In this script, the generate_certificates
 function accepts five parameters:
key_size
: The size of the RSA key to generate.days
: The number of days the certificate is valid.key_file
: The filename for the generated private key.crt_file
: The filename for the generated certificate.p12_file
: The filename for the generated PKCS#12 file.
The local
 keyword is used to declare function-local variables. The "$1"
, "$2"
, etc., are positional parameters, representing the first, second, etc., arguments passed to the function.
Usage
The way you use the generated certificates in your application depends on the specific requirements of your application. Here are a few general ways you might use them:
- HTTPS Server: If you’re running a web server, you can use the certificate and private key to serve HTTPS traffic. For example, in a Node.js Express application, you can read the certificate and private key files and use them when creating your HTTPS server:
- Client-Side SSL Authentication: Some servers require clients to present a certificate to authenticate themselves. In this case, you would use the PKCS#12 file (which includes both the certificate and private key) when making requests to the server. Here’s an example using theÂ
requests
 library in Python:
- Encrypting Data: You can use the private key to encrypt data that can only be decrypted with the corresponding certificate. This is a more advanced use case and the specifics would depend on your application’s requirements.
Remember, the certificates generated by your script are self-signed, which means they won’t be trusted by clients like web browsers. For a production application, you would want to use a certificate issued by a trusted Certificate Authority (CA).
See Also
Appendix
Note created on 2024-04-25 and last modified on 2024-04-25.
Backlinks
(c) No Clocks, LLC | 2024