This script simplifies the creation of certificate authorities, signing requests and self-signed TLS certificates using OpenSSL.
Homebrew (MacOS)
brew tap lstellway/formulae
brew install lstellway/formulae/self-signed-ssl
cURL
curl --output self-signed-ssl https://raw.githubusercontent.com/lstellway/self-signed-ssl/master/self-signed-ssl && chmod +x self-signed-ssl
self-signed-ssl [OPTIONS]
# Run with no arguments to be prompted for required values
self-signed-ssl
# Only create a certificate authority and trust the generated certificate
self-signed-ssl --ca-only --trust
# Only create a certificate signing request
self-signed-ssl --csr-only
# Generate a signed certificate using existing files
self-signed-ssl --ca='/path/to/CA.pem' --ca-key='/path/to/CA.key' --csr='/path/to/EXAMPLE.csr'
# Automate certificate generation
self-signed-ssl --no-interaction -c 'US' -s 'California' -l 'Los Angeles' -o 'Example Org' -u 'Example Unit' -n 'example.com' -a 'www.example.com'General
| Option | Description |
|---|---|
-h --help |
Display help and exit |
-v `--version |
Display the script version and exit |
-p VALUE --path=VALUE |
Path to output generated keys |
-d VALUE --duration=VALUE |
Number of days the certificate is valid (default 365) |
-b VALUE --bits=VALUE |
Key size in bits (default 2048) |
--no-interaction |
Disables interactive prompts for unspecified variables. (OpenSSL may still prompt for values) |
Certificate Authority
| Option | Description |
|---|---|
--ca=VALUE |
Path to certificate authority cert file (Generates new CA if not set) |
--ca-key=VALUE |
Path to certificate authority key file (Generates new CA if not set) |
--ca-only |
Instructs script to solely generate a certificate authority |
-t --trust |
Flag to trust certificate authority (requires sudo privileges)(Currently supports Darwin/MacOS, Fedora/CentOS, Debian/Ubuntu) |
Certificate Signing Request
| Option | Description |
|---|---|
--csr |
Path to certificate signing request (Generates new certificate signing request if not set) |
--csr-only |
Instructs script to solely generate a certificate signing request |
Certificate / Subject
| Option | Description |
|---|---|
--extfile=VALUE |
Path to file containing OpenSSL certificate extensions (Optional - generated if not provided) |
-c VALUE --country=VALUE |
Country Name (2 letter code) |
-s VALUE --state=VALUE |
State or Province Name (full name) |
-l VALUE --locality=VALUE |
Locality Name (eg, city) |
-o VALUE --organization=VALUE |
Organization Name (eg, company) |
-u VALUE --unit=VALUE |
Organizational Unit Name (eg, section) |
-n VALUE --common-name=VALUE |
Common Name (e.g. server FQDN or YOUR name) |
-a VALUE --san=VALUE |
Comma-delimited list of subject alternative names (Subdomains, etc..) |
-e VALUE --email=VALUE |
Email Address |
