@bongtrop
Created August 10, 2020 12:11
Certificate Generation Lab
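# cert.ext: X.509 v3 extensions for the server certificate
# (used by the signing step via -extfile cert.ext -extensions server_cert)
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
# A wildcard matches a single label: www.snoppy.com yes, the bare snoppy.com no
DNS.1 = *.snoppy.com
IP.1 = 1.3.3.7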

#!/bin/sh
# Generates a lab root CA and a server certificate signed by it (reads cert.ext).
set -e

# Root CA
echo "[*] Generate CA private key"
openssl genrsa -out ca.key 4096
echo "[*] Generate self-signed CA"
# The CA must stay valid at least as long as the certificates it signs
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -subj "/C=TH/ST=Bangkok/L=Bangkok/O=Snoppy/OU=Snoppy/CN=Snoppy Internal CA/emailAddress=g@snoppy.com" -out ca.crt
echo "[*] Generate CA truststore PKCS#12"
# -nokeys: the truststore carries only the CA certificate, never ca.key
openssl pkcs12 -export -nokeys -in ca.crt -out snoppy_truststore.p12 -passout pass:snoppy

# Server Certificate
echo "[*] Generate server certificate private key"
openssl genrsa -out server.key 2048
echo "[*] Generate server certificate signing request"
openssl req -new -key server.key -out server.csr -subj "/C=TH/ST=Bangkok/L=Bangkok/O=Snoppy/OU=Snoppy/CN=snoppy.com/emailAddress=g@snoppy.com"
echo "[*] Sign server certificate with generated CA"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile cert.ext -extensions server_cert
echo "[*] Generate server keystore PKCS#12"
# The keystore bundles the server certificate together with its private key
openssl pkcs12 -export -in server.crt -inkey server.key -out snoppy_server_keystore.p12 -passout pass:snoppy
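
The checks below are an added example, not part of the gist: they verify the files the lab produces, including which names the SAN in cert.ext actually covers. Function names are hypothetical; the file names, the PKCS#12 password and the SAN values are the gist's.

```sh
#!/bin/sh
# Added example (not from the gist): checks for the files the lab produces.
# Function names are hypothetical; file names and values follow the gist.

chain_ok() {          # chain_ok CA_CERT LEAF_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {  # key_matches_cert KEY CERT: same public key in both?
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

matches_host() {      # matches_host CERT DNS_NAME (OpenSSL hostname matching)
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

matches_ip() {        # matches_ip CERT IP_ADDRESS
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null | grep -q 'does match'
}

p12_has_key() {       # p12_has_key P12_FILE PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

report() {            # report LABEL EXPECTED(yes|no) COMMAND [ARGS...]
    label=$1; want=$2; shift 2
    if "$@"; then got=yes; else got=no; fi
    if [ "$got" = "$want" ]; then echo "ok    $label"; return 0; fi
    echo "FAIL  $label (expected $want, got $got)"; return 1
}

lab_checks() {        # run in the directory that holds the generated files
    rc=0
    report "server.crt chains to ca.crt"      yes chain_ok ca.crt server.crt || rc=1
    report "server.key belongs to server.crt" yes key_matches_cert server.key server.crt || rc=1
    report "SAN covers www.snoppy.com"        yes matches_host server.crt www.snoppy.com || rc=1
    # The subject CN is ignored once a DNS SAN exists, so the apex is not covered.
    report "SAN does not cover snoppy.com"    no  matches_host server.crt snoppy.com || rc=1
    report "SAN covers IP 1.3.3.7"            yes matches_ip server.crt 1.3.3.7 || rc=1
    report "keystore holds the private key"   yes p12_has_key snoppy_server_keystore.p12 snoppy || rc=1
    return $rc
}

# Run only when the lab output is present in the current directory.
if [ -f ca.crt ] && [ -f server.crt ]; then lab_checks; fi
```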