@jbarber
Last active April 24, 2017 09:00
Creating a CSR and signing it with OpenSSL
export HOST=foo.example.com
# Create a new CSR + key
# For a more complicated subject, separate the fields with '/' (e.g. "/C=GB/O=Example/CN=$HOST")
openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST"
# Create a new CSR + key with SAN: a [SAN] section is appended to the system openssl.cnf and fed in on stdin
# ${HOST/foo/bar} is a bash substitution, so bar.example.com is requested as a second name.
# These SANs only survive signing if the CA config sets copy_extensions; by default openssl ca drops them.
echo -e "[SAN]\nsubjectAltName=DNS:$HOST,DNS:${HOST/foo/bar}\n" | \
cat /etc/ssl/openssl.cnf - | \
openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST" -reqexts SAN -config /dev/stdin
# Sign the CSR with the CA (assumes the CA key and certificate already exist as ca-key.pem and ca-cert.pem)
cat <<'EOF' > openssl.cnf
HOME = .
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
RANDFILE = $dir/private/.rand # private random number file
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = default
preserve = no
policy = policy_anything
# Carry the extensions requested in the CSR (the SAN above) into the issued cert;
# without this the SAN is silently dropped. Only use this for CSRs you generated
# yourself: it copies every requested extension, basicConstraints included.
copy_extensions = copy
[ policy_anything ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
EOF
mkdir -p CA/newcerts
touch CA/index.txt{,.attr}
echo '01' > CA/serial
# Per the CA/Browser Forum, limit cert validity to ~3 years (the limit is actually 39 months)
openssl ca -batch -keyfile ca-key.pem -cert ca-cert.pem -config openssl.cnf -in "$HOST.csr" -out "$HOST.crt" -days $(( 30 * 12 * 3 ))
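Added example, not part of the gist: a post-issuance check for a certificate produced by the openssl ca step above (chains to the CA, carries the requested DNS SAN, stays within a validity cap), plus a throwaway fixture that reproduces the gist's flow in a temp dir with a self-written req config instead of /etc/ssl/openssl.cnf. Assumes openssl is on PATH; host names, file names and the "Demo CA" subject are constructed.

```shell
# Added example (not from the gist): verify what "openssl ca" actually issued.
set -e

# Returns 0 only if $1 chains to CA cert $2, carries DNS SAN $3 and will not
# outlive $4 days from now (exact for a freshly issued cert, whose notBefore is now).
check_issued_cert() {
  cert=$1 ca_cert=$2 dns=$3 max_days=$4
  openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1 || return 1
  # Without copy_extensions = copy in the CA config, the SAN requested in the CSR is dropped
  openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:$dns(,|\$)" || return 1
  # -checkend exits 0 when the cert is still valid after N seconds, i.e. it lives too long
  ! openssl x509 -in "$cert" -noout -checkend $(( max_days * 86400 )) >/dev/null
}

# Fixture: creates a CA and issues host $1 with a SAN for $2 days, with copy_extensions
# set to $3 ("copy" or "none") so both outcomes of the SAN check can be exercised.
# Prints the work dir holding ca-cert.pem and $1.crt.
issue_demo_cert() {
  host=$1 days=$2 copy=$3 dir=$(mktemp -d)
  (
    cd "$dir" && mkdir -p CA/newcerts && touch CA/index.txt CA/index.txt.attr && echo 01 > CA/serial
    # Self-contained req config instead of appending to /etc/ssl/openssl.cnf as the gist does
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n[SAN]\nsubjectAltName=DNS:%s\n' \
      "$host" > req.cnf
    openssl req -x509 -nodes -newkey rsa:2048 -keyout ca-key.pem -out ca-cert.pem -days 3650 \
      -subj "/CN=Demo CA" -config req.cnf >/dev/null 2>&1
    openssl req -new -nodes -newkey rsa:2048 -keyout "$host.key" -out "$host.csr" \
      -subj "/CN=$host" -reqexts SAN -config req.cnf >/dev/null 2>&1
    cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
policy = policy_anything
copy_extensions = $copy
[ policy_anything ]
commonName = supplied
EOF
    openssl ca -batch -keyfile ca-key.pem -cert ca-cert.pem -config ca.cnf \
      -in "$host.csr" -out "$host.crt" -days "$days" >/dev/null 2>&1
  )
  echo "$dir"
}
```

Run `check_issued_cert "$dir/foo.example.com.crt" "$dir/ca-cert.pem" foo.example.com 1185` on the fixture output; 1185 days is 39 months, the cap the gist's comment refers to.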