Usage:
./keys.sh [common name] [sans...]
Subdirectory named "certs" is removed and recreated each run
SANS should be in format "DNS:dns.name" or "IP:127.0.0.1"
| #!/bin/bash | |
| cd $(dirname $0) | |
| RSA_SIZE=4096 | |
| DAYS=3650 | |
| CA_DAYS=3651 | |
| SERVER_CN="localhost" | |
| if [ "$#" -gt 0 ]; then | |
| SERVER_CN="$1" | |
| shift | |
| fi | |
| SANS_EXT="subjectAltName=DNS:$SERVER_CN" | |
| for san in "$@"; do | |
| SANS_EXT="$SANS_EXT,$san" | |
| done | |
| SUBJ_BASE="/C=US/ST=NC/L=RTP/O=app" | |
| SUBJ_CA="${SUBJ_BASE}/CN=ca" | |
| SUBJ_SERVER="${SUBJ_BASE}/CN=${SERVER_CN}" | |
| SUBJ_CLIENT="${SUBJ_BASE}/CN=client" | |
| rm -rf "certs" | |
| mkdir -p "certs" && cd "certs" | |
| # filenames | |
| CA_KEY="ca-key.pem" | |
| CA_CERT="ca-cert.pem" | |
| SERVER_KEY="server-key.pem" | |
| SERVER_REQ="server-req.pem" | |
| SERVER_CERT="server-cert.pem" | |
| CLIENT_KEY="client-key.pem" | |
| CLIENT_REQ="client-req.pem" | |
| CLIENT_CERT="client-cert.pem" | |
| # generate the CA | |
| # note: CA must have different CN than certs | |
| openssl genrsa $RSA_SIZE > $CA_KEY | |
| openssl req -new -x509 -nodes -days $CA_DAYS -key $CA_KEY -out $CA_CERT -subj $SUBJ_CA | |
| # generate server cert | |
| openssl req -newkey rsa:$RSA_SIZE -nodes -keyout $SERVER_KEY -out $SERVER_REQ -subj $SUBJ_SERVER -addext "$SANS_EXT" | |
| openssl rsa -in $SERVER_KEY -out $SERVER_KEY | |
| openssl x509 -req -in $SERVER_REQ -days $DAYS -CA $CA_CERT -CAkey $CA_KEY -set_serial 01 -out $SERVER_CERT -extensions SANS -extfile <(echo "[SANS]"; echo "$SANS_EXT") | |
| # generate client cert | |
| openssl req -newkey rsa:$RSA_SIZE -nodes -keyout $CLIENT_KEY -out $CLIENT_REQ -subj $SUBJ_CLIENT | |
| openssl rsa -in $CLIENT_KEY -out $CLIENT_KEY | |
| openssl x509 -req -in $CLIENT_REQ -days $DAYS -CA $CA_CERT -CAkey $CA_KEY -set_serial 01 -out $CLIENT_CERT |