As a Linux system administrator with a fondness for Perl, I often find myself needing to generate self-signed certificates for various internal services and testing environments. To make this process more efficient, I created a bash script that automates the creation of self-signed certificates on Debian 12 systems. Let me walk you through the script and highlight some of its key features.
I've named this script "Debian 12 Self Signed Cert Setup." It's designed to handle the entire process of creating a self-signed certificate, from installing dependencies to validating the final product. Here's what it does:
1. Installs OpenSSL (if not already present)
2. Creates necessary directories
3. Generates a private key
4. Provides an interactive prompt for certificate details
5. Creates the self-signed certificate
6. Sets proper permissions
7. Validates the generated certificate

```bash
#!/usr/bin/env bash
#
#          _nnnn_
#         dGGGGMMb
#        @p~qp~~qMb
#        M|@||@) M|
#        @,----.JM|
#       JS^\__/  qKL
#      dZP        qKRb
#     dZP          qKKb
#    fZP            SMMb
#    HZM            MMMM
#    FqM            MMMM
#  __| ".        |\dS"qML
#  |    `.       | `' \Zq
# _)      \.___.,|     .'
# \____   )MMMMMP|   .'
#      `-'       `--'
#
# Debian 12 Self Signed Cert Setup
# By: 16BitMiker (v2024-10-28)
#
# ~~~~~~~~~~~~~~~~ BEGIN

# Enable debugging output
set -x

# Exit on error
set -e

# ~~~~~~~~~~~~~~~~ DEPENDENCIES

sudo DEBIAN_FRONTEND=noninteractive apt-get update -y
sudo DEBIAN_FRONTEND=noninteractive apt-get install openssl -y

# ~~~~~~~~~~~~~~~~ SETUP

sudo mkdir -p /etc/ssl/certs /etc/ssl/private
sudo openssl genrsa -out /etc/ssl/private/mykey.key 2048

# ~~~~~~~~~~~~~~~~ GENERATE CERT

perl -M'Term::ANSIColor qw(:constants)' -sE'
    my %value;
    for my $field ( qw( COUNTRY REGION CITY COMPANY DIVISION DOMAIN EMAIL ) )
    {
        printf qq|> %s%s: |, $field, $field eq q|COUNTRY| ? q| (2 Letter Code)| : q||;
        chomp( my $choice = <STDIN> );
        # Backslash-escape \ / and + so a typed value stays inside its own subject field
        $choice =~ s~([\\/+])~\\$1~g;
        $value{$field} = $choice;
    }
    # Fill every placeholder in a single pass, so typed text is never re-scanned
    $subj =~ s~(COUNTRY|REGION|CITY|COMPANY|DIVISION|DOMAIN|EMAIL)~$value{$1}~g;
    my @cmd = ( qw( sudo openssl req -new -x509 -sha256 -key /etc/ssl/private/mykey.key
                    -out /etc/ssl/certs/mycert.crt -days 365 -subj ), $subj );
    say q|> |, GREEN qq|@cmd|, RESET;
    # List form of system: the typed values never pass through a shell
    system( @cmd ) == 0 or die qq|openssl req failed\n|;
' -- -subj='/C=COUNTRY/ST=REGION/L=CITY/O=COMPANY/OU=DIVISION/CN=DOMAIN/emailAddress=EMAIL'

# ~~~~~~~~~~~~~~~~ PERMISSIONS

sudo chmod 600 /etc/ssl/private/mykey.key
sudo chown root:root /etc/ssl/private/mykey.key
sudo chmod 644 /etc/ssl/certs/mycert.crt
sudo chown root:root /etc/ssl/certs/mycert.crt

# ~~~~~~~~~~~~~~~~ VALIDATION

sudo openssl x509 -in /etc/ssl/certs/mycert.crt -text -noout
```

Let's dive into some of the more interesting aspects of the script.
The script begins by ensuring OpenSSL is installed:

```bash
sudo DEBIAN_FRONTEND=noninteractive apt-get update -y
sudo DEBIAN_FRONTEND=noninteractive apt-get install openssl -y
```

I've used `DEBIAN_FRONTEND=noninteractive` to prevent any prompts during the installation. This is particularly useful when running the script in automated environments or as part of a larger setup process.
As a Perl enthusiast, I couldn't resist incorporating it into the script. I used a Perl one-liner to create an interactive prompt for entering certificate details:
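
```bash
perl -M'Term::ANSIColor qw(:constants)' -sE'
    my %value;
    for my $field ( qw( COUNTRY REGION CITY COMPANY DIVISION DOMAIN EMAIL ) )
    {
        printf qq|> %s%s: |, $field, $field eq q|COUNTRY| ? q| (2 Letter Code)| : q||;
        chomp( my $choice = <STDIN> );
        # Backslash-escape \ / and + so a typed value stays inside its own subject field
        $choice =~ s~([\\/+])~\\$1~g;
        $value{$field} = $choice;
    }
    # Fill every placeholder in a single pass, so typed text is never re-scanned
    $subj =~ s~(COUNTRY|REGION|CITY|COMPANY|DIVISION|DOMAIN|EMAIL)~$value{$1}~g;
    my @cmd = ( qw( sudo openssl req -new -x509 -sha256 -key /etc/ssl/private/mykey.key
                    -out /etc/ssl/certs/mycert.crt -days 365 -subj ), $subj );
    say q|> |, GREEN qq|@cmd|, RESET;
    # List form of system: the typed values never pass through a shell
    system( @cmd ) == 0 or die qq|openssl req failed\n|;
' -- -subj='/C=COUNTRY/ST=REGION/L=CITY/O=COMPANY/OU=DIVISION/CN=DOMAIN/emailAddress=EMAIL'
```

This Perl code prompts the user for each piece of information needed for the certificate (country, region, city, etc.), then constructs and executes the OpenSSL command with the provided information. Each answer is backslash-escaped before it goes into the `-subj` string, and the command runs through the list form of `system`, so nothing typed at the prompt is interpreted by a shell running under sudo. I find this approach more flexible and user-friendly than a series of bash `read` commands.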
After generating the certificate and key, the script sets appropriate permissions to ensure the private key remains secure:

```bash
sudo chmod 600 /etc/ssl/private/mykey.key
sudo chown root:root /etc/ssl/private/mykey.key
sudo chmod 644 /etc/ssl/certs/mycert.crt
sudo chown root:root /etc/ssl/certs/mycert.crt
```

These commands ensure that only root can read or modify the private key, while the certificate itself is readable by all users but only modifiable by root.
The script concludes by displaying the contents of the generated certificate:

```bash
sudo openssl x509 -in /etc/ssl/certs/mycert.crt -text -noout
```

This step is crucial for verifying that the certificate was created correctly with the information provided. It's a quick sanity check that can save time troubleshooting later.
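
The display step depends on someone reading the output, so the checks below script the parts that can be tested mechanically: key file mode, key and certificate belonging together, and remaining lifetime. This is an added example, not part of the original script; `verify_cert_pair` and `make_test_pair` are hypothetical helper names, GNU `stat` is assumed, and the sample pair is constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example: scripted checks to run alongside `openssl x509 -text -noout`.
# Assumes GNU stat (as on Debian) and an unencrypted PEM private key.

# verify_cert_pair KEY CRT [MIN_SECONDS_LEFT]
# Returns 0 only if the key file is mode 600, the certificate carries the
# public half of that key, and it stays valid for MIN_SECONDS_LEFT more seconds.
verify_cert_pair() {
    local key="$1" crt="$2" min_left="${3:-0}" mode key_pub crt_pub

    mode=$(stat -c '%a' "$key") || return 1
    if [ "$mode" != "600" ]; then
        echo "FAIL: $key has mode $mode, expected 600" >&2
        return 1
    fi

    # Derive the public key from each file and compare the PEM text.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: $crt was not issued for $key" >&2
        return 1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend "$min_left" >/dev/null; then
        echo "FAIL: $crt expires within $min_left seconds" >&2
        return 1
    fi
    echo "OK: $crt matches $key"
}

# make_test_pair DIR NAME: throwaway key and certificate (constructed sample
# data, hypothetical subject) so the checks can be tried without sudo.
make_test_pair() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -key "$1/$2.key" -out "$1/$2.crt" \
        -days 1 -subj "/C=US/O=Example/CN=test.example.internal" 2>/dev/null
    chmod 600 "$1/$2.key"
}

demo_dir=$(mktemp -d)
make_test_pair "$demo_dir" good
verify_cert_pair "$demo_dir/good.key" "$demo_dir/good.crt"
rm -rf "$demo_dir"
```

Against the files the script creates, the call would be `sudo bash -c` around `verify_cert_pair /etc/ssl/private/mykey.key /etc/ssl/certs/mycert.crt 2592000`, which also fails once fewer than 30 days of validity remain.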
I've found this script invaluable for quickly setting up self-signed certificates for internal services, development environments, and testing scenarios. It streamlines a process that would otherwise require multiple manual steps, reducing the potential for errors and saving time.
Remember, while self-signed certificates are great for internal use and testing, they shouldn't be used for public-facing services. For those, always use certificates from a trusted Certificate Authority.
Feel free to use and adapt this script for your own needs. It's a small tool, but one that exemplifies how a bit of scripting can significantly improve our day-to-day operations as system administrators.