Skip to content

Instantly share code, notes, and snippets.

@haydonryan
Last active September 5, 2017 22:42
Show Gist options
  • Save haydonryan/165bd48b47bed51bdea7d85a993a634d to your computer and use it in GitHub Desktop.
Save haydonryan/165bd48b47bed51bdea7d85a993a634d to your computer and use it in GitHub Desktop.
#!/bin/bash
set -e
if [[ ($# -ne 3) && ($# -ne 2) ]]
then echo "wrong number of arguments:"
echo "create_cert sys_domain app_domain"
exit 1
fi
SYS_DOMAIN=$1
APP_DOMAIN=$2
VIP=$3
SSL_FILE=sslconf-${SYS_DOMAIN}.conf
#Generate SSL Config with SANs
if [ ! -f $SSL_FILE ]; then
cat > $SSL_FILE <<EOM
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
#countryName = Country Name (2 letter code)
#countryName_default = US
#stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = TX
#localityName = Locality Name (eg, city)
#localityName_default = Frisco
#organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Pivotal Labs
#commonName = Pivotal
#commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = critical, CA:true
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, cRLSign, keyCertSign
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.${SYS_DOMAIN}
#IP.1 = ${VIP}
DNS.2 = *.login.${SYS_DOMAIN}
#IP.2 = ${VIP}
DNS.3 = *.uaa.${SYS_DOMAIN}
#IP.3 = ${VIP}
DNS.4 = *.${APP_DOMAIN}
#IP.4 = ${VIP}
EOM
fi
openssl genrsa -out ${SYS_DOMAIN}.key 2048
openssl req -new -out ${SYS_DOMAIN}.csr -subj "/CN=*.${SYS_DOMAIN}/O=Pivotal/C=US" -key ${SYS_DOMAIN}.key -config ${SSL_FILE}
openssl req -text -noout -in ${SYS_DOMAIN}.csr
openssl x509 -req -days 3650 -in ${SYS_DOMAIN}.csr -signkey ${SYS_DOMAIN}.key -out ${SYS_DOMAIN}.crt -extensions v3_req -extfile ${SSL_FILE}
openssl x509 -in ${SYS_DOMAIN}.crt -text -noout
@DRuggeri
Copy link

DRuggeri commented May 24, 2017

To get this working with clients that verify signature purposes, I updated the v3_req section to be:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = critical, CA:true
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, cRLSign, keyCertSign
subjectKeyIdentifier = hash
subjectAltName = @alt_names

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment