UCC certificate script

Just a quick note to share the script that I've written recently to generate a self-signed UCC certificate.

TL;DR

The script helps to generate a self-signed UCC certificate based on openssl.modified.cnf. The file openssl.modified.cnf is mostly used for generating certificate requests.

GitHub repo: openssl-ucc

What is a UCC certificate

A Unified Communications certificate, or UC Certificate, is a new type of certificate. The only thing that makes a UC Certificate different from a normal certificate is the use of the Subject Alternative Name field in the certificate. In the Subject Alternative Name field, or SAN for short, any number of different domain names or common names can be entered, enabling the certificate to work on any of the included domain names. This allows one certificate to secure both internal network names and external domain names.

For example, you could get one UC SSL Certificate to include the following:

  • DNS.1 = example.com
  • DNS.2 = www.example.com
  • DNS.3 = example2.com
  • DNS.4 = www.example2.com

Generate certificate

The main purpose of this script is to create a certificate for local testing of HTTPS access. It is very handy for generating a new certificate and testing various scenarios. To save some of those settings and get rid of this routine, I decided to create this super-simple script :)
I hate routines, as they are the source of many failures and simply a waste of time.

Generate certificate based on your own sites

To generate a certificate for your own sites based on openssl.modified.cnf, do the following:

  1. Open the file openssl.modified.cnf.
  2. Find section [alt_names].
  3. Add, change or remove the DNS.1, DNS.2 entries, using the format DNS.N = example2.com, where N is a number.
  4. Save file.
  5. Run script generate-crt.sh.
  6. Follow instructions.
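
The steps above as a self-contained sketch, added here as an example (it is not the repo's generate-crt.sh): it writes a constructed config with an [alt_names] section, generates server.key and server.crt, and reads the SANs back from the certificate to confirm they were included. The file name openssl.sample.cnf, the section names req_dn and v3_san, and the function names are assumptions.

```shell
# Added example, not the repo's generate-crt.sh; key is unencrypted (-nodes).
set -eu

# Constructed sample config; section names req_dn / v3_san are assumptions.
write_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions    = v3_san
prompt             = no

[req_dn]
CN = example.com

[v3_san]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = example2.com
DNS.4 = www.example2.com
EOF
}

# make_ucc_cert DIR DAYS: writes DIR/server.key and DIR/server.crt.
make_ucc_cert() {
  dir=$1; days=$2
  write_config "$dir/openssl.sample.cnf"
  # "req -x509" reads x509_extensions, not req_extensions; if only the
  # latter is set, the SAN list is left out of the certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/openssl.sample.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.crt"
  chmod 600 "$dir/server.key"
}

# cert_sans CRT: prints the certificate's DNS SANs, one per line, sorted.
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p' | LC_ALL=C sort
}

# Usage: sh ucc-example.sh OUTDIR DAYS
if [ "$#" -eq 2 ]; then make_ucc_cert "$1" "$2"; cert_sans "$1/server.crt"; fi
```

Checking the SAN list after generation matters because a certificate created without it still looks valid until a browser rejects the hostname.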

Script's Options

The script is very simple and straightforward. Currently, the following options are supported:

  • -d or --days – sets the number of days the certificate will be valid.
  • -c or --config – sets the config name/path for openssl.modified.cnf.

Example

bash generate-crt.sh -d 365

This will generate server.key and server.crt.