casebeer/ecc-tls-certs.sh

## ecc-tls-certs.sh
#!/bin/bash

cat <<EOF > req.template
[req]
#default_bits = 2048
distinguished_name = dn
prompt             = no
#req_extensions = req_ext

[dn]
C = US
stateOrProvinceName = New York
L = Brooklyn
# n.b. blank values must be removed, not provided as empty string
#O = OrgName
#OU = OrgUnit
#emailAddress = test@example.com
CN = servername.example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
#DNS.0 = *.example.com
#DNS.1 = *.dev.example.com
EOF

#################################
# Self-signed ECC TLS certificate
# ###############################
#
# - Generate a P-256 ECC private key
# - Generate a certificate request using pre-configured template above
# - Self-sign the request for 3650 days

# openssl ecparam -list_curves
# prime256v1, secp384r1
openssl ecparam -genkey -out key.pem -name prime256v1
openssl req -new -key key.pem -config req.template > cert.csr
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 3650

# print cert details
openssl x509 -in cert.pem -text -noout

## ed25519-certs.sh
#!/bin/bash

# per https://blog.pinterjann.is/ed25519-certificates.html

cat <<EOF > req.template
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
CN = www.example.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
EOF

openssl genpkey -algorithm ED25519 > example.com.key
openssl req -new -out example.com.csr -key example.com.key -config req.template
openssl req -in example.com.csr -text -noout
openssl x509 -req -days 700 -in example.com.csr -signkey example.com.key -out example.com.crt
openssl x509 -in example.com.crt -text -noout
	#!/bin/bash

	cat <<EOF > req.template
	[req]
	#default_bits = 2048
	distinguished_name = dn
	prompt = no
	#req_extensions = req_ext

	[dn]
	C = US
	stateOrProvinceName = New York
	L = Brooklyn
	# n.b. blank values must be removed, not provided as empty string
	#O = OrgName
	#OU = OrgUnit
	#emailAddress = test@example.com
	CN = servername.example.com

	[req_ext]
	subjectAltName = @alt_names

	[alt_names]
	#DNS.0 = *.example.com
	#DNS.1 = *.dev.example.com
	EOF

	#################################
	# Self-signed ECC TLS certificate
	# ###############################
	#
	# - Generate a P-256 ECC private key
	# - Generate a certificate request using pre-configured template above
	# - Self-sign the request for 3650 days

	# openssl ecparam -list_curves
	# prime256v1, secp384r1
	openssl ecparam -genkey -out key.pem -name prime256v1
	openssl req -new -key key.pem -config req.template > cert.csr
	openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 3650

	# print cert details
	openssl x509 -in cert.pem -text -noout
	#!/bin/bash

	# per https://blog.pinterjann.is/ed25519-certificates.html

	cat <<EOF > req.template
	[req]
	distinguished_name = req_distinguished_name
	req_extensions = v3_req
	prompt = no
	[req_distinguished_name]
	C = DE
	CN = www.example.com
	[v3_req]
	keyUsage = keyEncipherment, dataEncipherment
	extendedKeyUsage = serverAuth
	subjectAltName = @alt_names
	[alt_names]
	DNS.1 = www.example.com
	DNS.2 = example.com
	EOF

	openssl genpkey -algorithm ED25519 > example.com.key
	openssl req -new -out example.com.csr -key example.com.key -config req.template
	openssl req -in example.com.csr -text -noout
	openssl x509 -req -days 700 -in example.com.csr -signkey example.com.key -out example.com.crt
	openssl x509 -in example.com.crt -text -noout