jbarber/sign.sh

## sign.sh
export HOST=foo.example.com
# Create a new CSR + key
# If you want a more complicated subject, '/' seperate the fields
openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST"

# Create a new CSR + key with SAN
echo -e "[SAN]\nsubjectAltName=DNS:$HOST,DNS:${HOST/foo/bar}\n" | \
  cat /etc/ssl/openssl.cnf - | \
  openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST" -reqexts SAN -config /dev/stdin

# Sign certificate with CA
cat <<'EOF' > openssl.cnf
HOME      = .

[ ca ]
default_ca  = CA_default

[ CA_default ]
dir           = ./CA            # Where everything is kept
certs         = $dir/certs          # Where the issued certs are kept
crl_dir       = $dir/crl            # Where the issued crl are kept
database      = $dir/index.txt      # database index file.
new_certs_dir = $dir/newcerts       # default place for new certs.
serial        = $dir/serial         # The current serial number
crlnumber     = $dir/crlnumber      # the current crl number
crl           = $dir/crl.pem        # The current CRL
RANDFILE      = $dir/private/.rand  # private random number file

name_opt  = ca_default
cert_opt  = ca_default

default_days     = 3650
default_crl_days = 30
default_md       = default
preserve         = no
policy           = policy_anything

[ policy_anything ]
commonName              = supplied
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
emailAddress            = optional
EOF

mkdir -p CA/newcerts
touch CA/index.txt{,.attr}
echo '01' > CA/serial
# Per CAB forum, limit cert validity to ~3 years (limit is actually 39 months)
openssl ca -batch -keyfile ca-key.pem -cert ca-cert.pem -config openssl.cnf -in "$HOST.csr" -days $(( 30 * 12 * 3 ))
	export HOST=foo.example.com
	# Create a new CSR + key
	# If you want a more complicated subject, '/' seperate the fields
	openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST"

	# Create a new CSR + key with SAN
	echo -e "[SAN]\nsubjectAltName=DNS:$HOST,DNS:${HOST/foo/bar}\n" \| \
	cat /etc/ssl/openssl.cnf - \| \
	openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST" -reqexts SAN -config /dev/stdin

	# Sign certificate with CA
	cat <<'EOF' > openssl.cnf
	HOME = .

	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	dir = ./CA # Where everything is kept
	certs = $dir/certs # Where the issued certs are kept
	crl_dir = $dir/crl # Where the issued crl are kept
	database = $dir/index.txt # database index file.
	new_certs_dir = $dir/newcerts # default place for new certs.
	serial = $dir/serial # The current serial number
	crlnumber = $dir/crlnumber # the current crl number
	crl = $dir/crl.pem # The current CRL
	RANDFILE = $dir/private/.rand # private random number file

	name_opt = ca_default
	cert_opt = ca_default

	default_days = 3650
	default_crl_days = 30
	default_md = default
	preserve = no
	policy = policy_anything

	[ policy_anything ]
	commonName = supplied
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	emailAddress = optional
	EOF

	mkdir -p CA/newcerts
	touch CA/index.txt{,.attr}
	echo '01' > CA/serial
	# Per CAB forum, limit cert validity to ~3 years (limit is actually 39 months)
	openssl ca -batch -keyfile ca-key.pem -cert ca-cert.pem -config openssl.cnf -in "$HOST.csr" -days $(( 30 * 12 * 3 ))