
Automate Linux Certificate Signing

TL;DR

This guide shows you how to automate certificate signing in Linux using OpenSSL and a simple script. This saves time and reduces errors when requesting and installing certificates.

Prerequisites

  • A Linux server (e.g., Ubuntu, Debian, CentOS).
  • OpenSSL installed. Check with openssl version. If not installed, use your distribution’s package manager (e.g., apt install openssl on Debian/Ubuntu or yum install openssl on CentOS/RHEL).

  • Basic command-line knowledge.

Step 1: Create a Configuration File

A configuration file stores details about your certificate request. This makes the process repeatable.

  1. Create a file named openssl.cnf (or similar) in a secure directory (e.g., /etc/ssl/).
  2. Add the following basic configuration. Adjust values as needed:
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C  = UK
ST = England
L  = London
O  = My Organisation
OU = IT Department
CN = example.com
emailAddress = [email protected]

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
IP.1 = 192.168.1.100

Important: Replace the values with your actual details.

Step 2: Generate a Private Key and Certificate Signing Request (CSR)

  1. Run the following command to generate a private key and CSR using the configuration file. This creates example.key (private key) and example.csr (certificate request). The -nodes flag (also spelled -noenc on OpenSSL 3.x) writes the key unencrypted so the command completes without a passphrase prompt, which is what an unattended script needs; drop it if you want a passphrase-protected key and can type the passphrase interactively:
openssl req -new -nodes -keyout example.key -out example.csr -config openssl.cnf

The private key is crucial; keep it secure! Do not share it.
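The following is an added example, not code from the original post: it wraps Steps 1 and 2 into shell functions that write a request config like the one above, generate the key and CSR without any prompt, and then check the CSR before it is sent to a CA (that its self-signature verifies and that the expected names made it into the subjectAltName extension). It assumes openssl is on PATH; the output directory, the GB country code and the DNS names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post): generate a key and CSR
# non-interactively from a generated config, then verify the CSR.
# Assumes openssl is on PATH. Every path is constructed under the
# directory passed as the first argument.

set -eu

# write_req_config DIR CN SAN...
# Writes a minimal request config (same layout as Step 1) to DIR/openssl.cnf.
write_req_config() {
  dir=$1; cn=$2; shift 2
  {
    printf '[req]\ndefault_bits = 2048\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
    # C must be an ISO 3166-1 alpha-2 code (GB, not UK); values are constructed
    printf '[dn]\nC = GB\nO = My Organisation\nCN = %s\n\n' "$cn"
    printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
    i=1
    for san in "$@"; do
      printf 'DNS.%s = %s\n' "$i" "$san"
      i=$((i + 1))
    done
  } > "$dir/openssl.cnf"
}

# make_csr DIR CN SAN...
# Generates DIR/example.key and DIR/example.csr. -nodes (alias -noenc on
# OpenSSL 3) writes an unencrypted key, so no passphrase prompt blocks a script.
make_csr() {
  dir=$1
  write_req_config "$@"
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$dir/example.key" -out "$dir/example.csr" \
    -config "$dir/openssl.cnf" 2>/dev/null
  # the key must never be readable by other users
  chmod 600 "$dir/example.key"
}

# csr_has_san CSR NAME: succeeds if NAME appears in the CSR's SAN extension.
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# csr_signature_ok CSR: succeeds if the CSR's self-signature verifies,
# i.e. the request was produced with the key that sits next to it.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

Running `make_csr /tmp/req example.com example.com www.example.com` followed by `csr_has_san /tmp/req/example.csr www.example.com` reproduces the manual steps above and catches the common mistake of a config whose req_extensions line is missing, in which case the SAN check fails before the CSR ever reaches the CA.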

Step 3: Submit the CSR to a Certificate Authority (CA)

  1. Send example.csr to your chosen CA (e.g., Let’s Encrypt, DigiCert, Sectigo).
  2. The CA will verify your details and issue you a certificate file (e.g., example.crt).

Step 4: Automate Certificate Installation with a Script

Create a script to automate the installation process.

  1. Create a shell script named install_certificate.sh (or similar) in a suitable directory.
  2. Add the following script, adjusting paths as needed:
#!/bin/bash
set -euo pipefail   # stop on the first failed command instead of restarting Apache with a half-updated config

# Paths to your certificate files
CERTIFICATE_FILE="/path/to/example.crt"
PRIVATE_KEY_FILE="/path/to/example.key"

# Path to the Apache configuration file (adjust for Nginx if needed)
APACHE_CONFIG_FILE="/etc/apache2/sites-available/your_site.conf"

# Copy certificate and key files to appropriate locations
sudo cp "$CERTIFICATE_FILE" /etc/ssl/certs/
sudo cp "$PRIVATE_KEY_FILE" /etc/ssl/private/
# The private key must not be readable by other users
sudo chmod 600 /etc/ssl/private/example.key

# Update Apache configuration file (example).
# '|' is used as the sed delimiter because the replacement paths contain '/'.
sudo sed -i 's|SSLCertificateFile .*|SSLCertificateFile /etc/ssl/certs/example.crt|' "$APACHE_CONFIG_FILE"
sudo sed -i 's|SSLCertificateKeyFile .*|SSLCertificateKeyFile /etc/ssl/private/example.key|' "$APACHE_CONFIG_FILE"

# Check the configuration, then restart Apache to apply changes
sudo apachectl configtest
sudo systemctl restart apache2

echo "Certificate installed successfully!"

Important: Replace the paths with your actual file locations and adjust the sed commands if you’re using Nginx or another web server.
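As an added example (not the post's own script), the install step rewritten as a function that takes every location as an argument, so it can be exercised against a throwaway directory before it is pointed at /etc/ssl and the real vhost. It sets strict permissions on the key, keeps a rollback copy of the vhost, uses a sed delimiter that cannot collide with the path, preserves the directive's indentation, and refuses to run when an input file is missing. The directory layout and vhost content used with it are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post): a hardened version of the
# install step. Every path is an argument, so the function can be tested in
# a temp dir; in production the arguments would be the issued cert and key,
# /etc/ssl/certs, /etc/ssl/private and the vhost file (assumed locations).

set -eu

# install_cert_files CERT KEY CERT_DIR KEY_DIR CONF
# Copies the pair into place (key mode 0600) and points the vhost at the
# installed files. '|' is the sed delimiter because the replacement contains '/'.
install_cert_files() {
  cert=$1; key=$2; cert_dir=$3; key_dir=$4; conf=$5
  cert_name=$(basename "$cert")
  key_name=$(basename "$key")

  # Refuse to proceed on missing inputs rather than leave a half-updated vhost.
  for f in "$cert" "$key" "$conf"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done

  install -m 0644 "$cert" "$cert_dir/$cert_name"
  install -m 0600 "$key"  "$key_dir/$key_name"

  cp -p "$conf" "$conf.bak"   # rollback copy of the vhost
  # \1 keeps whatever indentation the directive had
  sed -i \
    -e "s|^\([[:space:]]*\)SSLCertificateFile .*|\1SSLCertificateFile $cert_dir/$cert_name|" \
    -e "s|^\([[:space:]]*\)SSLCertificateKeyFile .*|\1SSLCertificateKeyFile $key_dir/$key_name|" \
    "$conf"
}

# vhost_points_at CONF CERT_PATH KEY_PATH
# Succeeds if both directives now reference the installed files; this is the
# post-install check to run before restarting the web server.
vhost_points_at() {
  grep -q "^[[:space:]]*SSLCertificateFile $2\$" "$1" &&
  grep -q "^[[:space:]]*SSLCertificateKeyFile $3\$" "$1"
}
```

The original one-liner with `/` as the sed delimiter fails with "unknown option to `s'" because the replacement path itself contains slashes; switching the delimiter is the fix, and the `.bak` copy gives you something to restore if the configtest that follows fails.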

Step 5: Make the Script Executable

  1. Make the script executable:
chmod +x install_certificate.sh

Step 6: Run the Script

  1. Run the script as root (using sudo):
sudo ./install_certificate.sh

This will copy the certificate and key files, update your web server configuration, and restart the server.

Step 7: Schedule Automatic Renewal (Optional)

For certificates that need regular renewal (e.g., Let’s Encrypt), use a tool like Certbot or create a cron job to run the script automatically before the certificate expires. See your CA’s documentation for instructions.
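An added example (not from the original post) of the expiry check a cron job should make before re-running the request and install steps, so that a daily entry is harmless on the days nothing needs renewing. It assumes openssl is on PATH and that the renewal command is passed in by the caller; the certificate path and the renewal window are arguments.

```sh
#!/bin/sh
# Added example (not from the original post): decide whether a certificate
# is due for renewal. Assumes openssl is on PATH; the certificate path,
# the window in days and the renewal command are all supplied by the caller.

set -eu

# cert_expires_within CERT DAYS
# Succeeds (exit 0) if CERT expires within DAYS days, including certs that
# have already expired; fails otherwise. openssl x509 -checkend takes seconds
# and exits non-zero when the cert will have expired by that time.
cert_expires_within() {
  cert=$1; days=$2
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    return 1   # still valid beyond the window
  else
    return 0   # inside the window: time to renew
  fi
}

# renew_if_needed CERT DAYS RENEW_CMD...
# Runs RENEW_CMD only when the certificate is inside the renewal window.
# Returns the renewal command's exit status when it runs, 0 otherwise.
renew_if_needed() {
  cert=$1; days=$2; shift 2
  if cert_expires_within "$cert" "$days"; then
    "$@"
  else
    echo "certificate $cert valid beyond $days days, nothing to do"
  fi
}
```

A cron line such as `0 3 * * * /usr/local/bin/renew.sh` (an assumed path) that calls `renew_if_needed /etc/ssl/certs/example.crt 30 /path/to/install_certificate.sh` renews thirty days before expiry and is otherwise a no-op; the window should be longer than the time your CA takes to issue, so a failed attempt can be retried before the current certificate lapses.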
