We run many services hosted on many servers, and TLS is required for the communication between them and their clients. We cannot buy certificates from root CAs like VeriSign for services running inside our firewall, so enter the Snake-Oil authority, which acts as the signing authority within your company. Given a snake-oil CA, you can automate the creation of the PKI essentials with the script below. We use it in a Jenkins job: given a server domain name and the requested key and store passwords, you get a package signed by the snake-oil CA.
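#!/usr/bin/env bash
# Produce the TLS material for one service host, signed by the in-house
# "snake-oil" CA: an RSA key, a CSR, a CA-signed certificate (valid 1 year),
# a PKCS#12 bundle, a JKS keystore, and <domain>.tar for deployment.
#
# Usage: <script> <domain> [key_password] [store_password]
#   key_password and store_password may instead come from $KEY_PASSWORD and
#   $STORE_PASSWORD. Positional passwords still work, but anything passed as
#   an argument shows up in `ps` and in the Jenkins console log.
# Requires: openssl, keytool, and the CA files named below in the working dir.
set -euo pipefail

# Everything written here holds or wraps the private key; keep it owner-only.
umask 077

usage() {
  printf 'Usage: %s <domain> [key_password] [store_password]\n' "${0##*/}" >&2
  exit 2
}

# your service hosting server details
domain=${1:-}
[[ -n "$domain" ]] || usage
commonname=$domain

# Passwords reach openssl/keytool via the environment (env:NAME and
# -xxxpass:env NAME) so they never appear on a child process command line.
export KEY_PASSWORD="${2:-${KEY_PASSWORD:-}}"
export STORE_PASSWORD="${3:-${STORE_PASSWORD:-}}"
: "${KEY_PASSWORD:?key password missing (argument 2 or \$KEY_PASSWORD)}"
: "${STORE_PASSWORD:?store password missing (argument 3 or \$STORE_PASSWORD)}"

# your predefined snake oil authority:
# a key and certificate valid for a long time (say 10 years), created with
# openssl using all the FauxSign details. The sequence file tracks the serial
# numbers issued. snake-oil-client.jks holds the CA root certificate (the
# chain-of-trust anchor), like the ones preset in a browser or the JDK
# cacerts file.
readonly ca_cert=snake-oil-ca.crt
readonly ca_key=snake-oil-ca.key
readonly ca_seq_file=snake-oil.seq
readonly ca_client=snake-oil-client.jks
# Passphrase of $ca_key. The default is the demo value from the original
# script; override it with $CA_PASSWORD instead of editing this file.
export CA_PASSWORD="${CA_PASSWORD:-snake-oil-key-password}"
for ca_file in "$ca_cert" "$ca_key" "$ca_client"; do
  [[ -r "$ca_file" ]] || { printf 'missing CA file: %s\n' "$ca_file" >&2; exit 1; }
done

# your company details for your server certificate
readonly country=US
readonly state=GA
readonly locality=Atlanta
readonly organization=VectorClocks
# quoted: unquoted, bash runs a command named "Engineering" instead
readonly organizationalunit='Software Engineering'
readonly email=email@example.com   # placeholder: set your contact address

# creating the server key
printf 'generating key for %s...\n' "$domain"
# The original wrote a DES3-encrypted key and stripped the passphrase on the
# very next line; a single unencrypted key (mode 0600 via umask) is the same
# end result.
openssl genrsa -out "$domain.key" 2048
# The private key is deliberately not echoed: a build log is no place for it.
printf -- '-------server key--------\n%s.key written (not shown)\n' "$domain"

# creating the csr to ask snake-oil-authority for a certificate
printf 'creating csr...\n'
openssl req -new -key "$domain.key" -out "$domain.csr" \
  -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"
printf -- '-------server csr--------\n'
cat -- "$domain.csr"

# creating server certificate for the CSR, valid for 1 year.
# TLS clients match the hostname against subjectAltName rather than CN, so
# the certificate gets a DNS SAN through a temporary extension file.
ext_file=$(mktemp) || exit 1
trap 'rm -f -- "$ext_file"' EXIT
printf 'subjectAltName=DNS:%s\n' "$domain" > "$ext_file"
openssl x509 -req -sha256 -days 365 -in "$domain.csr" \
  -CA "$ca_cert" -CAkey "$ca_key" -passin env:CA_PASSWORD \
  -CAcreateserial -CAserial "$ca_seq_file" \
  -extfile "$ext_file" -out "$domain.crt"
# sanity check: the new certificate must chain to the snake-oil root
openssl verify -CAfile "$ca_cert" "$domain.crt"
printf -- '---server certificate----\n'
cat -- "$domain.crt"

# importing server certificate into keystore, this is needed for java based
# services; httpd can directly take the domain crt & key files.
# -certfile carries the CA cert so the JKS entry holds the full chain
# (the original passed the server cert itself twice).
openssl pkcs12 -export -in "$domain.crt" -inkey "$domain.key" \
  -certfile "$ca_cert" -name "$domain" -out "$domain.p12" \
  -password env:KEY_PASSWORD
keytool -importkeystore -srckeystore "$domain.p12" -srcstoretype pkcs12 \
  -srcstorepass:env KEY_PASSWORD \
  -destkeystore "$domain.jks" -deststoretype JKS \
  -deststorepass:env STORE_PASSWORD -destkeypass:env KEY_PASSWORD -noprompt
printf -- '---server jks ready----\n'
keytool -list -v -keystore "$domain.jks" -alias "$domain" \
  -storepass:env STORE_PASSWORD

# package it
# put $domain.jks $domain.crt $domain.key on the server side
# give $ca_client to your service clients
# (the original wrote "$ca-client.jks", which expands the unset $ca to an
# empty string and archives a file that does not exist)
tar -cf "$domain.tar" "$domain.jks" "$domain.crt" "$domain.key" "$ca_client"
printf 'archived for consumer = %s.tar\n' "$domain"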