@casebeer
Last active April 25, 2024 04:47
Scripts to generate self-signed ECC TLS certificates with OpenSSL
#!/bin/bash
# Write the OpenSSL request configuration used by the commands below
cat <<EOF > req.template
[req]
#default_bits = 2048
distinguished_name = dn
prompt = no
#req_extensions = req_ext
[dn]
C = US
stateOrProvinceName = New York
L = Brooklyn
# n.b. blank values must be removed, not provided as empty string
#O = OrgName
#OU = OrgUnit
#emailAddress = test@example.com
CN = servername.example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
#DNS.0 = *.example.com
#DNS.1 = *.dev.example.com
EOF
#################################
# Self-signed ECC TLS certificate
#################################
#
# - Generate a P-256 ECC private key
# - Generate a certificate request using the pre-configured template above
# - Self-sign the request for 3650 days
#
# n.b. req_extensions is commented out above, so neither the CSR nor the
# certificate carries a subjectAltName; modern TLS clients match the hostname
# against the SAN, not the CN. To include one, uncomment req_extensions and a
# DNS.n entry, and add `-extfile req.template -extensions req_ext` to the
# x509 command below: `openssl x509 -req -signkey` does not copy extensions
# from the CSR on its own.
#
# List the available curves with: openssl ecparam -list_curves
# (e.g. prime256v1, secp384r1)
openssl ecparam -genkey -out key.pem -name prime256v1
openssl req -new -key key.pem -config req.template > cert.csr
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 3650
# print cert details
openssl x509 -in cert.pem -text -noout

#!/bin/bash
# per https://blog.pinterjann.is/ed25519-certificates.html
cat <<EOF > req.template
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
CN = www.example.com
[v3_req]
# Ed25519 keys only sign: RFC 8410 permits digitalSignature (and
# nonRepudiation) here, not keyEncipherment/dataEncipherment
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
EOF
# Ed25519 private key (the curve is fixed by the algorithm, no parameters to pick)
openssl genpkey -algorithm ED25519 > example.com.key
# CSR requesting the v3_req extensions
openssl req -new -out example.com.csr -key example.com.key -config req.template
openssl req -in example.com.csr -text -noout
# Self-sign for 700 days. -extfile/-extensions are required: `x509 -req` does
# not carry the CSR's requested extensions into the certificate by itself, so
# without them the result has no SAN, keyUsage or extendedKeyUsage.
openssl x509 -req -days 700 -in example.com.csr -signkey example.com.key \
  -extfile req.template -extensions v3_req -out example.com.crt
openssl x509 -in example.com.crt -text -noout
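Both scripts above stop at printing the certificate; what a deployment pipeline should do next is prove the files are consistent. The following is an added example, not the gist's code: it builds a P-256 self-signed certificate with its requested extensions actually carried into the certificate, then checks that the key and certificate share a public key, that the SAN and keyUsage are present, and that the certificate validates against itself. The function names `make_cert`, `check_cert`, `demo` and the hostname `servername.example.com` are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not the gist's code): self-signed P-256 cert whose requested
# extensions really reach the certificate, and the checks that prove it.
set -eu
# Write key.pem, cert.csr and cert.pem into $1 for hostname $2.
make_cert() {
  local dir="$1" host="$2"
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key.pem"
  openssl req -new -key "$dir/key.pem" -config "$dir/req.cnf" -out "$dir/cert.csr"
  # -extfile/-extensions put v3_req into the cert: `x509 -req -signkey`
  # alone silently drops the extensions requested in the CSR.
  openssl x509 -req -in "$dir/cert.csr" -signkey "$dir/key.pem" -days 365 \
    -extfile "$dir/req.cnf" -extensions v3_req -out "$dir/cert.pem"
}

# Print "ok" when the files in $1 are consistent for hostname $2; otherwise
# print the first failing check and return 1.
check_cert() {
  local dir="$1" host="$2" text
  # the certificate must carry the public half of the private key
  [ "$(openssl pkey -in "$dir/key.pem" -pubout)" = \
    "$(openssl x509 -in "$dir/cert.pem" -pubkey -noout)" ] \
    || { echo "FAIL: key/cert mismatch"; return 1; }
  text=$(openssl x509 -in "$dir/cert.pem" -text -noout)
  case "$text" in *"DNS:$host"*) ;; *) echo "FAIL: SAN missing"; return 1 ;; esac
  case "$text" in *"Digital Signature"*) ;; *) echo "FAIL: keyUsage missing"; return 1 ;; esac
  # the self-signed cert must validate with itself as the only trust anchor
  openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null \
    || { echo "FAIL: signature/validity"; return 1; }
  echo ok
}
# Run end to end in a throwaway directory:  bash make_and_check.sh run
demo() {
  local dir; dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
  make_cert "$dir" servername.example.com && check_cert "$dir" servername.example.com
}
if [ "${1-}" = run ]; then demo; fi
```

Removing `-extfile`/`-extensions` from `make_cert` makes `check_cert` report `FAIL: SAN missing`, which is exactly the defect a certificate produced by a bare `x509 -req -signkey` has.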