Ideally Let’s Encrypt and Certbot will just ✨automagically⚡ generate all your SSL certificates, but if you’re working with internal services (basically anything not exposed to the public internet), or legacy systems that are very specific about the CA / root certificate, you’ll still need to generate some certificate signing requests (CSRs) and request a certificate the old-school way from someone like GoDaddy, NameCheap, or Entrust.
My solution
openssl is great, but I find it really hard to remember the commands to generate the CSR goodies you need. To make things a bit easier I used a CSR generation script in my home folder.
# makecsr.sh
# if there is no argumenet error out.
if [ -z $1 ]
then
echo "please provide a fully qualified domain name (i.e. app.mykal.codes)"
echo "makecsr.sh <fqdn>"
exit 1
fi
# if there is a valid fully qualified domain name...
# generate a certificate using SSL
openssl req -new -newkey rsa:2048 -nodes -keyout $1__private.key -out $1__csr.csr -subj "/C=CA/ST=BC/L=Vancouver/O=Tinybox Software Development/OU=Mykal Machon/CN=$1"
# output the location and filenames for the new CSR and Private key.
echo "generated a CSR and Private Key for ya!"
echo "./$1__csr.csr"
echo "./$1__private.key"
Then when I need a certificate it’s as easy as running this in my terminal.
~/scripts/makecsr.sh app.mykal.codes
generated a CSR and Private Key for ya!
./app.mykal.codes__csr.csr
./app.mykal.codes__private.key
Take those newly generated CSR file off to your certificate authority of choice, and move your private key to the legacy/internal server in preparation for your new SSL certificates.