Self-Signed Certs on Debian 12

As a Linux system administrator with a fondness for Perl, I often find myself needing to generate self-signed certificates for various internal services and testing environments. To make this process more efficient, I created a bash script that automates the creation of self-signed certificates on Debian 12 systems. Let me walk you through the script and highlight some of its key features.

The Script at a Glance

I've named this script "Debian 12 Self Signed Cert Setup." It's designed to handle the entire process of creating a self-signed certificate, from installing dependencies to validating the final product. Here's what it does:

1. Installs OpenSSL (if not already present)

2. Creates necessary directories

3. Generates a private key

4. Provides an interactive prompt for certificate details

5. Creates the self-signed certificate

6. Sets proper permissions

7. Validates the generated certificate

xxxxxxxxxx
#!/bin/bash
#
#          _nnnn_
#         dGGGGMMb
#        @p~qp~~qMb
#        M|@||@) M|
#        @,----.JM|
#       JS^\__/  qKL
#      dZP        qKRb
#     dZP          qKKb
#    fZP            SMMb
#    HZM            MMMM
#    FqM            MMMM
#  __| ".        |\dS"qML
#  |    `.       | `' \Zq
# _)      \.___.,|     .'
# \____   )MMMMMP|   .'
#      `-'       `--' 
#
# Debian 12 Self Signed Cert Setup
# By: 16BitMiker (v2024-10-28)
#
# ~~~~~~~~~~~~~~~~ BEGIN

# Enable debugging output
set -x

# Exit on error
set -e

# ~~~~~~~~~~~~~~~~ DEPENDENCIES

sudo DEBIAN_FRONTEND=noninteractive apt-get update -y
sudo DEBIAN_FRONTEND=noninteractive apt-get install openssl -y

# ~~~~~~~~~~~~~~~~ SETUP

sudo mkdir -p /etc/ssl/certs /etc/ssl/private
sudo openssl genrsa -out /etc/ssl/private/mykey.key 2048

# ~~~~~~~~~~~~~~~~ GENERATE CERT

perl -M'Term::ANSIColor qw(:constants)' -sE'

  map
  {
    printf qq|> %s%s: |, uc( $_ ), m~COUNTRY~i ? q| (2 Letter Code)| : q||; 
    chomp( $choice = <STDIN> );
    $cmd =~ s~${_}~${choice}~;
    
  } qw( COUNTRY REGION CITY COMPANY DIVSION DOMAIN EMAIL );
  
  say q|> |, GREEN $cmd, RESET;
  system $cmd;
  
' -- -cmd='sudo openssl req -new -x509 -sha256 -key /etc/ssl/private/mykey.key -out /etc/ssl/certs/mycert.crt -days 365 -subj "/C=COUNTRY/ST=REGION/L=CITY/O=COMPANY/OU=DIVSION/CN=DOMAIN/emailAddress=EMAIL"'

# ~~~~~~~~~~~~~~~~ PERMISSIONS

sudo chmod 600 /etc/ssl/private/mykey.key
sudo chown root:root /etc/ssl/private/mykey.key
sudo chmod 644 /etc/ssl/certs/mycert.crt
sudo chown root:root /etc/ssl/certs/mycert.crt

# ~~~~~~~~~~~~~~~~ VALIDATION

sudo openssl x509 -in /etc/ssl/certs/mycert.crt -text -noout

Let's dive into some of the more interesting aspects of the script.

Handling Dependencies

The script begins by ensuring OpenSSL is installed:

sudo DEBIAN_FRONTEND=noninteractive apt-get update -y
sudo DEBIAN_FRONTEND=noninteractive apt-get install openssl -y

I've used DEBIAN_FRONTEND=noninteractive to prevent any prompts during the installation. This is particularly useful when running the script in automated environments or as part of a larger setup process.

Interactive Certificate Generation with Perl

As a Perl enthusiast, I couldn't resist incorporating it into the script. I used a Perl one-liner to create an interactive prompt for entering certificate details:

xxxxxxxxxx
perl -M'Term::ANSIColor qw(:constants)' -sE'
    map
    {
        printf qq|> %s%s: |, uc( $_ ), m~COUNTRY~i ? q| (2 Letter Code)| : q||; 
        chomp( $choice = <STDIN> );
        $cmd =~ s~${_}~${choice}~;
        
    } qw( COUNTRY REGION CITY COMPANY DIVSION DOMAIN EMAIL );
    
    say q|> |, GREEN $cmd, RESET;
    system $cmd;
'

This Perl code prompts the user for each piece of information needed for the certificate (country, region, city, etc.), then constructs and executes the OpenSSL command with the provided information. I find this approach more flexible and user-friendly than a series of bash read commands.

Security Best Practices

After generating the certificate and key, the script sets appropriate permissions to ensure the private key remains secure:

xxxxxxxxxx
sudo chmod 600 /etc/ssl/private/mykey.key
sudo chown root:root /etc/ssl/private/mykey.key
sudo chmod 644 /etc/ssl/certs/mycert.crt
sudo chown root:root /etc/ssl/certs/mycert.crt

These commands ensure that only root can read or modify the private key, while the certificate itself is readable by all users but only modifiable by root.

Certificate Validation

The script concludes by displaying the contents of the generated certificate:

xxxxxxxxxx
sudo openssl x509 -in /etc/ssl/certs/mycert.crt -text -noout

This step is crucial for verifying that the certificate was created correctly with the information provided. It's a quick sanity check that can save time troubleshooting later.

Wrapping Up

I've found this script invaluable for quickly setting up self-signed certificates for internal services, development environments, and testing scenarios. It streamlines a process that would otherwise require multiple manual steps, reducing the potential for errors and saving time.

Remember, while self-signed certificates are great for internal use and testing, they shouldn't be used for public-facing services. For those, always use certificates from a trusted Certificate Authority.

Feel free to use and adapt this script for your own needs. It's a small tool, but one that exemplifies how a bit of scripting can significantly improve our day-to-day operations as system administrators.