I’m learning Puppet and Cobbler at the moment, and one problem I had recently was getting Puppet to automate OpenSSL self signed certificate generation. Scripting it just proved to be a little bit of a pain and so I’m hoping by posting my script here it might help someone faced with the same problem. First and foremost, I need to give big ups to this blog entry I found which mine is clearly based upon.

The following script has been tested on CentOS 6.2 with httpd and mod_ssl installed.

Note: the plain-text password in this snippet is clearly not secure, so you will want to harden it for your purposes.

#!/bin/sh

# Echo a command line, then run it (used to display the CSR contents below).
echodo()
{
    echo "${@}"
    (${@})
}

# Today's date as YYYYMMDD.
yearmon()
{
    date '+%Y%m%d'
}

# Resolve a host name to its fully qualified name with nslookup; if the
# lookup fails, fall back to the name as given (in the same "Name:" shape
# that the sed expression below expects).
fqdn()
{
    (nslookup ${1} 2>&1 || echo "Name: ${1}") \
        | tail -3 | grep Name | sed -e 's,.*e:[ \t]*,,'
}

# Subject fields for the certificate
C=AU
ST=SA
L=Adelaide
O=codenes
OU=nes
HOST=${1:-`hostname`}
DATE=`yearmon`
CN=`fqdn $HOST`

csr="${HOST}.csr"
key="${HOST}.key"
cert="${HOST}.cert"

# Create the certificate signing request. Without -key, openssl req also
# generates a new private key, written to privkey.pem (default_keyfile in
# openssl.cnf) and encrypted with the -passout password. The here-document
# answers the interactive prompts in order: C, ST, L, O, OU, CN, email
# address, then "." for the optional challenge password and company name.
openssl req -config /etc/pki/tls/openssl.cnf -new -passin pass:password -passout pass:password -out $csr <<EOF
${C}
${ST}
${L}
${O}
${OU}
${CN}
$USER@${CN}
.
.
EOF
echo ""

# Show what went into the CSR
[ -f ${csr} ] && echodo openssl req -text -noout -in ${csr}
echo ""

# Create the Key: decrypt privkey.pem so httpd can load the key without a
# passphrase prompt (no cipher option is given, so the output is unencrypted)
openssl rsa -in privkey.pem -passin pass:password -passout pass:password -out ${key}

# Create the Certificate: self-sign the CSR with that key, valid for 1000 days
openssl x509 -in ${csr} -out ${cert} -req -signkey ${key} -days 1000

If you put this snippet in a file, e.g. genSelfSignedCert.sh, it's just a matter of configuring Puppet to copy the script over to your destination machine and execute it.
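Here is one way to wire that up in Puppet, as an added example that is not from the original post: the module name, install paths and the httpd/mod_ssl resources are my assumptions. The exec uses creates so the script runs once per host instead of regenerating the key on every agent run, and the private key's permissions are tightened afterwards.

```puppet
# Assumed layout (not from the original post): the script is shipped as
# files/genSelfSignedCert.sh inside a module named "selfsignedcert".
class selfsignedcert (
  $host    = $::fqdn,
  $certdir = '/etc/pki/tls/certs',
) {

  package { 'mod_ssl': ensure => installed }

  service { 'httpd':
    ensure  => running,
    enable  => true,
    require => Package['mod_ssl'],
  }

  file { '/usr/local/sbin/genSelfSignedCert.sh':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
    source => 'puppet:///modules/selfsignedcert/genSelfSignedCert.sh',
  }

  # The script writes the CSR, key, cert and privkey.pem into its working
  # directory, so run it from $certdir. "creates" makes the exec idempotent:
  # once the .cert file exists the script is not run again.
  exec { 'generate-self-signed-cert':
    command => "/usr/local/sbin/genSelfSignedCert.sh ${host}",
    cwd     => $certdir,
    path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    creates => "${certdir}/${host}.cert",
    require => [File['/usr/local/sbin/genSelfSignedCert.sh'], Package['mod_ssl']],
    notify  => Service['httpd'],
  }

  # The unencrypted key must only be readable by root.
  file { "${certdir}/${host}.key":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    require => Exec['generate-self-signed-cert'],
  }

  # privkey.pem is the intermediate copy encrypted with the script's
  # hard-coded password; it is not needed once the .key file exists.
  file { "${certdir}/privkey.pem":
    ensure  => absent,
    require => File["${certdir}/${host}.key"],
  }
}
```

Point the VirtualHost's SSLCertificateFile and SSLCertificateKeyFile at the .cert and .key paths above.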