
Generating a self-signed certificate for IMiS ARChive servers using OpenSSL

Product: IMiS/ARChive
Release: All
Date: 05/21/2020

Case: When a server is accessed through TLS (Transport Layer Security), it needs its own certificate to identify itself during the TLS handshake. One way to provide that certificate is to generate a self-signed one using OpenSSL.

Description:

The following bash script shows one way to generate a self-signed certificate using OpenSSL:

#!/bin/bash

#
# Certificate subject
#
CERTIFICATE_SUBJECT="/CN=server-name.example.com/OU=Servers/O=IMiS\/ARChive Storage Servers/C=US"

#
# Certificate key output
#
CERTIFICATE_KEYOUT="/opt/IS/imisarc/cert.key"

#
# Certificate output
#
CERTIFICATE_OUT="/opt/IS/imisarc/cert.crt"

#
# Example of openssl.cnf:
#
# [req]
# req_extensions = v3_req
# distinguished_name = req_distinguished_name
#
# [req_distinguished_name]
#
# [ v3_req ]
# # Extensions to add to a certificate request
# basicConstraints = CA:FALSE
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#
# # SAN extension
# [SAN]
# subjectAltName=DNS:server-name.example.com,DNS:server-name,DNS:example.com,IP:127.0.0.1,IP:192.168.1.10,IP:::1
#

#
# Path to openssl.cnf (the file must exist before the script is run; see the example above)
#
OPENSSL_CONF="/tmp/openssl.cnf"

#
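# Creates a 2048-bit RSA key and a self-signed certificate signed with SHA-256,
# with the SAN extension and 10-year validity (3653 days).
# -nodes writes the private key unencrypted, so protect the key file with file permissions.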
#
openssl req -subj "$CERTIFICATE_SUBJECT" -new -newkey rsa:2048 -sha256 -days 3653 -nodes -x509 -keyout "$CERTIFICATE_KEYOUT" -out "$CERTIFICATE_OUT" -reqexts SAN -extensions SAN -config "$OPENSSL_CONF"
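
One way to check the result of the script above, as an added example that is not part of the original article: it generates the same kind of certificate in a directory you choose, then confirms that the SAN entries are present, that the key belongs to the certificate, and that the unencrypted key file is readable only by its owner. The function names and the directory layout are assumptions of this example; the openssl options are the ones used above.

```bash
#!/bin/bash
# Added example, not from the original article. Function names and the
# working directory are assumptions; the openssl options mirror the script above.

# Write a minimal config holding the [SAN] section. $1 = path, $2 = SAN list
write_conf() {
    cat > "$1" <<EOF
[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

[SAN]
subjectAltName=$2
EOF
}

# Generate key + self-signed certificate in directory $1. $2 = CN, $3 = SAN list
generate_cert() (
    umask 077    # -nodes leaves the key unencrypted, so create it owner-only
    write_conf "$1/openssl.cnf" "$3"
    openssl req -subj "/CN=$2" -new -newkey rsa:2048 -sha256 -days 3653 \
        -nodes -x509 -keyout "$1/cert.key" -out "$1/cert.crt" \
        -reqexts SAN -extensions SAN -config "$1/openssl.cnf" 2>/dev/null
)

# Succeeds if certificate $1 lists SAN entry $2 exactly as "openssl x509 -text"
# prints it, e.g. "DNS:server-name" or "IP Address:127.0.0.1".
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq -- "$2"
}

# Succeeds if private key $1 and certificate $2 carry the same public key.
key_matches_cert() (
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$k" ] && [ "$k" = "$c" ]
)

# Succeeds if file $1 has mode 600 (owner read/write only).
key_is_private() {
    [ -n "$(find "$1" -type f -perm 600)" ]
}
```

Call generate_cert with an existing directory, then run the three checks against the cert.crt and cert.key it contains before installing them on the server.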

Related Documents:

https://www.openssl.org/docs/faq.html
https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
