pnck/create-cert.sh

## create-cert.sh
# Define where to store the generated certs and metadata.
DIR="$(pwd)"


# Create the openssl configuration file. This is used for both generating
# the certificate as well as for specifying the extensions. It aims in favor
# of automation, so the DN is encoding and not prompted.
cat > "${DIR}/openssl.cnf" << EOF
[req]
default_bits = 2048
encrypt_key  = no # Change to encrypt the private key using des3 or similar
default_md   = sha256
prompt       = yes
utf8         = yes

# Speify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name

# Extensions for SAN IP and SAN DNS
req_extensions = v3_req

# Be sure to update the subject to match your organization.
[req_distinguished_name]
C  = Country Name (2 letter code)
ST = State or Province Name (full name)
L  = Locality Name (eg, city)
O  = Organization Name (eg, company)
CN = Common Name (e.g. server FQDN or YOUR name)

# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
[v3_req]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = clientAuth, serverAuth
subjectAltName       = @alt_names

# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.
[alt_names]
IP.1  = 192.168.1.1
IP.2  = 10.0.0.1
DNS.1 = hostname
EOF


echo -e "\n\n-----------------------------------\nCreate CA\n-----------------------------------\n"
# Create the certificate authority (CA). This will be a self-signed CA, and this
# command generates both the private key and the certificate. You may want to
# adjust the number of bits (4096 is a bit more secure, but not supported in all
# places at the time of this publication).
#
# To put a password on the key, remove the -nodes option.
#
# Be sure to update the subject to match your organization.
openssl req \
  -new \
  -newkey rsa:2048 \
  -days 1825 \
  -nodes \
  -x509 \
  -keyout "${DIR}/ca.key" \
  -out "${DIR}/ca.crt"


echo -e "\n\n-----------------------------------\nCreate Sub Service\n-----------------------------------\n"
# Generate the private key for the service. Again, you may want to increase
# the bits to 4096.
# openssl genrsa -out "${DIR}/private.key" 2048

# Generate a CSR using the configuration and the key just generated. We will
# give this CSR to our CA to sign.
openssl req \
  -new -newkey rsa:2048 \
  -keyout "${DIR}/sub_service.key" \
  -out "${DIR}/sub_service.csr" \
  -config "${DIR}/openssl.cnf"

# Sign the CSR with our CA. This will generate a new certificate that is signed
# by our CA.
openssl x509 \
  -req \
  -days 1825 \
  -in "${DIR}/sub_service.csr" \
  -extensions v3_req \
  -extfile "${DIR}/openssl.cnf" \
  -CA "${DIR}/ca.crt" \
  -CAkey "${DIR}/ca.key" \
  -CAcreateserial \
  -out "${DIR}/sub_service.pem"

# (Optional) Verify the certificate.
openssl x509 -in "${DIR}/sub_service.pem" -noout -text
	# Define where to store the generated certs and metadata.
	DIR="$(pwd)"


	# Create the openssl configuration file. This is used for both generating
	# the certificate as well as for specifying the extensions. It aims in favor
	# of automation, so the DN is encoding and not prompted.
	cat > "${DIR}/openssl.cnf" << EOF
	[req]
	default_bits = 2048
	encrypt_key = no # Change to encrypt the private key using des3 or similar
	default_md = sha256
	prompt = yes
	utf8 = yes

	# Speify the DN here so we aren't prompted (along with prompt = no above).
	distinguished_name = req_distinguished_name

	# Extensions for SAN IP and SAN DNS
	req_extensions = v3_req

	# Be sure to update the subject to match your organization.
	[req_distinguished_name]
	C = Country Name (2 letter code)
	ST = State or Province Name (full name)
	L = Locality Name (eg, city)
	O = Organization Name (eg, company)
	CN = Common Name (e.g. server FQDN or YOUR name)

	# Allow client and server auth. You may want to only allow server auth.
	# Link to SAN names.
	[v3_req]
	basicConstraints = CA:FALSE
	subjectKeyIdentifier = hash
	keyUsage = digitalSignature, keyEncipherment
	extendedKeyUsage = clientAuth, serverAuth
	subjectAltName = @alt_names

	# Alternative names are specified as IP.# and DNS.# for IP addresses and
	# DNS accordingly.
	[alt_names]
	IP.1 = 192.168.1.1
	IP.2 = 10.0.0.1
	DNS.1 = hostname
	EOF



	echo -e "\n\n-----------------------------------\nCreate CA\n-----------------------------------\n"
	# Create the certificate authority (CA). This will be a self-signed CA, and this
	# command generates both the private key and the certificate. You may want to
	# adjust the number of bits (4096 is a bit more secure, but not supported in all
	# places at the time of this publication).
	#
	# To put a password on the key, remove the -nodes option.
	#
	# Be sure to update the subject to match your organization.
	openssl req \
	-new \
	-newkey rsa:2048 \
	-days 1825 \
	-nodes \
	-x509 \
	-keyout "${DIR}/ca.key" \
	-out "${DIR}/ca.crt"




	echo -e "\n\n-----------------------------------\nCreate Sub Service\n-----------------------------------\n"
	# Generate the private key for the service. Again, you may want to increase
	# the bits to 4096.
	# openssl genrsa -out "${DIR}/private.key" 2048

	# Generate a CSR using the configuration and the key just generated. We will
	# give this CSR to our CA to sign.
	openssl req \
	-new -newkey rsa:2048 \
	-keyout "${DIR}/sub_service.key" \
	-out "${DIR}/sub_service.csr" \
	-config "${DIR}/openssl.cnf"

	# Sign the CSR with our CA. This will generate a new certificate that is signed
	# by our CA.
	openssl x509 \
	-req \
	-days 1825 \
	-in "${DIR}/sub_service.csr" \
	-extensions v3_req \
	-extfile "${DIR}/openssl.cnf" \
	-CA "${DIR}/ca.crt" \
	-CAkey "${DIR}/ca.key" \
	-CAcreateserial \
	-out "${DIR}/sub_service.pem"

	# (Optional) Verify the certificate.
	openssl x509 -in "${DIR}/sub_service.pem" -noout -text