#/usr/bin/env bash set -o errexit set -o nounset set -o pipefail cat << EOF > openssl.cnf [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = *.home DNS.2 = tammena.me DNS.3 = *.tammena.me EOF # Generate private key for the CA openssl ecparam -name prime256v1 -genkey -out ca.key # Generate CA certificate openssl req -new -x509 -sha256 -key ca.key -out ca.crt -subj "/CN=My Home CA" -days 36500 # Generate private key for certificate openssl ecparam -name prime256v1 -genkey -out server.key # Generate certificate signing request (CSR) for server certificate openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=*.home" # Generate server certificate using CA openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_req # Verify certificate openssl verify -CAfile ca.crt server.crt # Clean Up rm openssl.cnf server.csr