Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
easyrsa3-quick-wildcardcert
#!/bin/bash
FQDN="domain.local"
CERT_FILENAME="wildcard.${FQDN}"
CERT_COMMONNAME="*.${FQDN}"
wget "https://github.com/OpenVPN/easy-rsa/archive/master.zip"
unzip master.zip
mv easy-rsa-master/easyrsa3/ .
rm -rf master.zip easy-rsa-master/
cd easyrsa3
cp vars.example vars
#
# Edit vars file
#
# For EKU set clientAuth and serverAuth
# cp openssl-1.0.cnf openssl-1.0.cnf.original
# sed -ri '/^keyUsage = cRLSign, keyCertSign$/ a extendedKeyUsage = clientAuth, serverAuth' openssl-1.0.cnf
#
# To check if EKU is correct:
#
# openssl x509 -in pki/ca.crt -text -noout | grep -A1 'X509v3 Extended Key Usage'
# X509v3 Extended Key Usage:
# TLS Web Client Authentication, TLS Web Server Authentication
#
# Now you can import it into your Browser or cert store
#
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa --batch --req-cn="${CERT_COMMONNAME}" gen-req ${CERT_FILENAME} nopass
./easyrsa --batch sign-req server ${CERT_FILENAME}
./easyrsa --batch gen-dh
# Haproxy bundle
# cat pki/private/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment