39 lines
1.1 KiB
Bash
39 lines
1.1 KiB
Bash
#!/usr/bin/env bash
|
|
set -o errexit
|
|
set -o nounset
|
|
set -o pipefail
|
|
|
|
cat <<EOF >openssl.cnf
|
|
[req]
|
|
req_extensions = v3_req
|
|
distinguished_name = req_distinguished_name
|
|
|
|
[req_distinguished_name]
|
|
|
|
[v3_req]
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
extendedKeyUsage = serverAuth
|
|
subjectAltName = @alt_names
|
|
|
|
[alt_names]
|
|
DNS.1 = *.home
|
|
DNS.2 = tammena.me
|
|
DNS.3 = *.tammena.me
|
|
EOF
|
|
|
|
# Generate private key for the CA
|
|
openssl ecparam -name prime256v1 -genkey -out ca.key
|
|
# Generate CA certificate
|
|
openssl req -new -x509 -sha256 -key ca.key -out ca.crt -subj "/CN=My Home CA" -days 36500
|
|
# Generate private key for certificate
|
|
openssl ecparam -name prime256v1 -genkey -out server.key
|
|
# Generate certificate signing request (CSR) for server certificate
|
|
openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=*.home"
|
|
# Generate server certificate using CA
|
|
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_req
|
|
# Verify certificate
|
|
openssl verify -CAfile ca.crt server.crt
|
|
|
|
# Clean Up
|
|
rm openssl.cnf server.csr
|