@AntonSmolkov
Forked from DRN88/easyrsa3-quick-wildcardcert
Created November 27, 2020 21:23
easyrsa3-quick-wildcardcert
#!/bin/bash
# Quick wildcard certificate with easy-rsa 3: fetch easy-rsa, build a CA,
# issue a server certificate for *.domain.local and generate DH parameters.
set -euo pipefail   # stop on the first failing step instead of continuing with a half-built PKI
FQDN="domain.local"
CERT_FILENAME="wildcard.${FQDN}"
CERT_COMMONNAME="*.${FQDN}"
# Fetch the latest easy-rsa 3 tree and keep only the easyrsa3/ directory
wget "https://github.com/OpenVPN/easy-rsa/archive/master.zip"
unzip master.zip
mv easy-rsa-master/easyrsa3/ .
rm -rf master.zip easy-rsa-master/
cd easyrsa3
cp vars.example vars
#
# Edit the vars file (organisation fields, key size, expiry) before continuing.
#
# For EKU set clientAuth and serverAuth
# (newer easy-rsa releases ship this file as openssl-easyrsa.cnf instead of openssl-1.0.cnf)
# cp openssl-1.0.cnf openssl-1.0.cnf.original
# sed -ri '/^keyUsage = cRLSign, keyCertSign$/ a extendedKeyUsage = clientAuth, serverAuth' openssl-1.0.cnf
#
# To check that the EKU is correct:
#
# openssl x509 -in pki/ca.crt -text -noout | grep -A1 'X509v3 Extended Key Usage'
# X509v3 Extended Key Usage:
# TLS Web Client Authentication, TLS Web Server Authentication
#
# Now you can import it into your browser or cert store
#
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa --batch --req-cn="${CERT_COMMONNAME}" gen-req "${CERT_FILENAME}" nopass
./easyrsa --batch sign-req server "${CERT_FILENAME}"
./easyrsa --batch gen-dh
# HAProxy bundle (certificate and key concatenated into one PEM file)
# cat pki/private/
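Before deploying the certificate it is worth being precise about which hostnames CN=*.domain.local actually covers, since a wildcard matches exactly one label and never the bare domain. The following checker is an added example, not part of the gist; it implements the RFC 6125 section 6.4.3 matching rules as browsers apply them, with the extra conservative rule (an assumption of this example) that at least two labels must follow the wildcard.

```python
"""Which hostnames does a wildcard certificate name such as *.domain.local cover?

Rules applied (RFC 6125 section 6.4.3, as browsers enforce them):
  * the wildcard must be the entire left-most label ("w*.x" and "a.*.x" are rejected),
  * it matches exactly one label, so neither the bare domain nor sub-sub-domains match,
  * matching is case-insensitive and ignores a trailing dot,
  * a punycode (xn--) left-most label is never wildcard-matched.
Conservative extra rule assumed here: at least two labels follow the wildcard,
so "*.local" is not accepted as covering every host in a TLD.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate DNS name `pattern`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Whole left-most label must be the only wildcard, followed by >= 2 labels.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # The wildcard consumes exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    # Internationalised labels are excluded from wildcard matching.
    if h_labels[0].startswith("xn--"):
        return False
    return h_labels[1:] == p_labels[1:]


def covered(pattern: str, hostnames) -> dict:
    """Map each candidate hostname to whether `pattern` covers it."""
    return {h: wildcard_matches(pattern, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample hosts checked against the gist's CERT_COMMONNAME.
    sample = ["vpn.domain.local", "domain.local", "a.b.domain.local", "WEB.DOMAIN.LOCAL"]
    for host, ok in covered("*.domain.local", sample).items():
        print(f"{host:20s} {'covered' if ok else 'NOT covered'}")
```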