Generate SSL certificates with IP SAN

genkeys.sh

#!/usr/bin/env bash
#
# Generate a set of TLS credentials that can be used to run development mode.
#
# Based on script by Ash Wilson (@smashwilson)
# https://github.com/cloudpipe/cloudpipe/pull/45/files#diff-15
#
# usage: sh ./genkeys.sh NAME HOSTNAME IP

set -o errexit

USAGE="usage: sh ./genkeys.sh NAME HOSTNAME IP"
ROOT="$(pwd)"
PASSFILE="${ROOT}/dev.password"
PASSOPT="file:${ROOT}/dev.password"
CAFILE="${ROOT}/ca.pem"
CAKEY="${ROOT}/ca-key.pem"

# Randomly create a password file, if you haven't supplied one already.
# For development mode, we'll just use the same (random) password for everything.
if [ ! -f "${PASSFILE}" ]; then
  echo ">> creating a random password in ${PASSFILE}."
  touch ${PASSFILE}
  chmod 600 ${PASSFILE}
  # "If the same pathname argument is supplied to -passin and -passout arguments then the first
  # line will be used for the input password and the next line for the output password."
  cat /dev/random | head -c 128 | base64 | sed -n '{p;p;}' >> ${PASSFILE}
  echo "<< random password created"
fi

# Generate the certificate authority that we'll use as the root for all the things.
if [ ! -f "${CAFILE}" ]; then
  echo ">> generating a certificate authority"
  openssl genrsa -des3 \
    -passout ${PASSOPT} \
    -out ${CAKEY} 2048
  openssl req -new -x509 -days 365 \
    -batch \
    -passin ${PASSOPT} \
    -key ${CAKEY} \
    -passout ${PASSOPT} \
    -out ${CAFILE}
  echo "<< certificate authority generated."
fi

# Generate a named keypair
keypair() {
  local NAME=$1
  local HOSTNAME=$2
  local IP=$3

  local SERIALOPT=""
  if [ ! -f "${ROOT}/ca.srl" ]; then
    echo ">> creating serial"
    SERIALOPT="-CAcreateserial"
  else
    SERIALOPT="-CAserial ${ROOT}/ca.srl"
  fi

  echo ">> generating a keypair for: ${NAME}"

  echo ".. key"
  openssl genrsa -des3 \
    -passout ${PASSOPT} \
    -out ${ROOT}/${NAME}-key.pem 2048

  cp ${ROOT}/openssl.cnf ${ROOT}/openssl-${NAME}.cnf
  echo "IP = ${IP}" >> ${ROOT}/openssl-${NAME}.cnf

  echo ".. request"
  openssl req -subj "/CN=${HOSTNAME}" -new \
    -batch \
    -passin ${PASSOPT} \
    -key ${ROOT}/${NAME}-key.pem \
    -passout ${PASSOPT} \
    -out ${ROOT}/${NAME}-req.csr \
    -config ${ROOT}/openssl-${NAME}.cnf

  echo ".. certificate"
  openssl x509 -req -days 365 \
    -passin ${PASSOPT} \
    -in ${ROOT}/${NAME}-req.csr \
    -CA ${CAFILE} \
    -CAkey ${CAKEY} \
    ${SERIALOPT} \
    -extensions v3_req \
    -extfile ${ROOT}/openssl-${NAME}.cnf \
    -out ${ROOT}/${NAME}-cert.pem \

  echo ".. removing key password"
  openssl rsa \
    -passin ${PASSOPT} \
    -in ${ROOT}/${NAME}-key.pem \
    -out ${ROOT}/${NAME}-key.pem

  echo "<< ${NAME} keypair generated."
}

# call with arguments name, hostname, and ip address
if [ -z "$1" ]; then
  echo "${USAGE}"
  exit 1
fi
if [ -z "$2" ]; then
  echo "${USAGE}"
  exit 1
fi
if [ -z "$3" ]; then
  echo "${USAGE}"
  exit 1
fi

keypair "$1" "$2" "$3"

openssl.cnf

# From http://apetec.com/support/GenerateSAN-CSR.htm

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MN
localityName = Locality Name (eg, city)
localityName_default = Minneapolis
organizationalUnitName	= Organizational Unit Name (eg, section)
organizationalUnitName_default	= Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max	= 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = @alt_names

[alt_names]