Stackoverflow: 77795697

certs.sh

# CA
# CN is "ca"
# Expiry in 10 years
openssl req \
-x509 \
-newkey rsa:4096 \
-keyout ${PWD}/certs/ca.key \
-out ${PWD}/certs/ca.crt \
-nodes \
-days 3650 \
-subj "/CN=ca"

# Server key|CSR
# CN is "server"
openssl req \
-newkey rsa:4096 \
-keyout ${PWD}/certs/server.key \
-out ${PWD}/certs/server.csr \
-nodes \
-subj "/CN=server"

# Server X509
# Applies "config"
# includes SAN which includes "DNS:localhost,IP:127.0.0.1"
openssl x509 \
-req \
-in ${PWD}/certs/server.csr \
-CA ${PWD}/certs/ca.crt \
-CAkey ${PWD}/certs/ca.key \
-CAcreateserial \
-out ${PWD}/certs/server.crt \
-extfile ${PWD}/config

# Client key|CSR
# CN is "client"
openssl req \
-newkey rsa:4096 \
-keyout ${PWD}/certs/client.key \
-out ${PWD}/certs/client.csr \
-nodes \
-subj "/CN=client"

# Client X509
# Applies "config"
# includes SAN which includes "DNS:localhost,IP:127.0.0.1"
openssl x509 \
-req \
-in ${PWD}/certs/client.csr \
-CA ${PWD}/certs/ca.crt \
-CAkey ${PWD}/certs/ca.key \
-CAcreateserial \
-out ${PWD}/certs/client.crt \
-extfile ${PWD}/config

config

subjectAltName=DNS:localhost,IP:0.0.0.0,IP:127.0.0.1