script to generate a CA and server key
#!/bin/bash
# Generate a private CA and one CA-signed server certificate.
#
# Outputs (current directory): rootca.key, rootca.crt, server.key, server.csr,
# server.crt. openssl's working files (configs, index, serial, crlnumber)
# are kept under ./_work.
# Every subject field and the subjectAltName lists are read from environment
# variables; usage() lists them and the checks below enforce them.
set -e   # abort on the first failing command; each openssl step is fatal
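usage() {
  # Explain the required environment and exit 1. The text goes to stderr so
  # that a caller capturing the script's stdout does not receive help text
  # in place of results.
  cat >&2 <<'EOF'
the following environment variables are required:
COUNTRY - Country code
STATE - State / Province
CITY - City
ORG - Organization
ORGUNIT - Organizational Unit
CACN - Common Name for CA Certificate
SERVERCN - Common Name for Server Certificate
DNSALT - Space-separated list of DNS subjectAltName entries for server cert
IPALT - Space-separated list of IP subjectAltName entries for server cert
EOF
  exit 1
}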
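# Every subject field and both common names must be present: an empty value
# would produce an unusable DN in the config files written below. Name the
# offending variable before printing the generic help.
for required in COUNTRY STATE CITY ORG ORGUNIT CACN SERVERCN; do
  if [ -z "${!required}" ]; then
    echo "missing required environment variable: ${required}" >&2
    usage
  fi
done
# The server certificate is built with subjectAltName = @alt_names, so at
# least one DNS or IP entry must exist; openssl refuses an extension section
# that has no entries. The earlier check here tested SERVERSAN, a variable
# nothing else in the script reads, so the documented DNSALT / IPALT inputs
# were never validated and SERVERSAN was required without being documented.
if [ -z "$DNSALT" ] && [ -z "$IPALT" ]; then
  echo "at least one of DNSALT or IPALT must be set" >&2
  usage
fi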
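# ---- CA key and self-signed CA certificate ----
mkdir -p _work
openssl genrsa -out rootca.key 4096
# The CA key signs everything below; restrict it to the owner explicitly
# rather than relying on the umask or on openssl's own file mode handling.
chmod 600 rootca.key
# ca.cfg serves two purposes: [ca]/[CA_default] drive `openssl ca` when the
# server CSR is signed, and [req] drives the self-signed CA certificate.
# `$dir` is escaped so openssl, not the shell, expands it.
cat >_work/ca.cfg <<EOF
[ca]
default_ca = CA_default
[CA_default]
dir = ./
# issued certificates are also copied to \$dir/<serial>.pem
certs = \$dir
crl_dir = \$dir/_work
database = \$dir/_work/index.txt
new_certs_dir = \$dir
certificate = \$dir/rootca.crt
serial = \$dir/_work/serial
crlnumber = \$dir/_work/crlnumber
crl = \$dir/crl.pem
private_key = \$dir/rootca.key
RANDFILE = \$dir/.rand
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = false
# copy: CSR extensions are taken only when the section selected with
# -extensions does not already define them, so that section takes precedence.
copy_extensions = copy
policy = policy_match
[ policy_match ]
# C, ST and O must equal the CA's own DN; all of them come from the same
# environment variables, so this holds for certificates issued by this script.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
distinguished_name = req_distinguished_name
# `openssl req -x509` takes its extensions from x509_extensions (or
# -extensions), not from req_extensions, so the CA section is named here.
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
C = $COUNTRY
ST = $STATE
L = $CITY
O = $ORG
OU = $ORGUNIT
CN = $CACN
[v3_ca]
# Extensions for the self-signed CA certificate only.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
# Extensions applied by `openssl ca -extensions v3_req` to the certificates it
# issues. They are end-entity server certificates: CA:FALSE here, because with
# copy_extensions = copy this section overrides what the CSR asked for, and a
# CA:TRUE value in it would turn every issued server certificate into a CA.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
# Fresh CA database: openssl ca needs index.txt and serial to exist, and a
# leftover index from an earlier run would make it refuse a second
# certificate for the same subject (unique_subject defaults to yes).
rm -f _work/index.txt _work/index.txt.attr
touch _work/index.txt _work/index.txt.attr
echo 1000 > _work/serial
echo 1000 > _work/crlnumber
# Self-signed CA certificate, valid 10 years. -extensions v3_ca is what puts
# basicConstraints CA:TRUE and keyCertSign into rootca.crt.
openssl req -batch -config _work/ca.cfg -sha256 -new -x509 -days 3650 \
  -extensions v3_ca -key rootca.key -out rootca.crt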
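# ---- server key and CSR configuration ----
openssl genrsa -out server.key 4096
# Owner-only, same reasoning as for the CA key.
chmod 600 server.key
cat >_work/server.cfg <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = $COUNTRY
ST = $STATE
L = $CITY
O = $ORG
OU = $ORGUNIT
CN = $SERVERCN
[v3_req]
# Extensions to add to a certificate request (end-entity TLS server)
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
EOF
# DNSALT / IPALT are documented as space-separated lists. Split them with
# `read -a` rather than an unquoted expansion so that shell globbing cannot
# replace an entry such as "*.example.org" with matching file names.
read -r -a dns_entries <<<"${DNSALT:-}"
read -r -a ip_entries <<<"${IPALT:-}"
{
  # openssl numbers SAN entries DNS.1, DNS.2, ... / IP.1, IP.2, ...
  for i in "${!dns_entries[@]}"; do
    printf 'DNS.%d = %s\n' "$((i + 1))" "${dns_entries[$i]}"
  done
  for i in "${!ip_entries[@]}"; do
    printf 'IP.%d = %s\n' "$((i + 1))" "${ip_entries[$i]}"
  done
} >> _work/server.cfg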
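# ---- CSR, signing, verification ----
# -reqexts names the CSR extension section explicitly (the config's
# req_extensions already does); -nodes is dropped because it only applies
# when req generates the key, and the key is supplied with -key.
openssl req -batch -config _work/server.cfg -new -sha256 \
  -reqexts v3_req -key server.key -out server.csr
# Sign with the CA. The extensions are read from server.cfg's [v3_req] via
# -extfile, so the CSR-side values (CA:FALSE, subjectAltName) are what get
# issued, regardless of what the section of the same name in ca.cfg defines:
# with copy_extensions = copy, a config-side section takes precedence over
# the CSR, and ca.cfg's section is meant for the CA, not for server leaves.
openssl ca -batch -config _work/ca.cfg -extfile _work/server.cfg \
  -extensions v3_req -notext -in server.csr -out server.crt
# -purpose sslserver checks that the chain is usable for TLS server
# authentication, not only that the signature verifies.
openssl verify -CAfile rootca.crt -purpose sslserver server.crt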
# Summary of the generated files; printf avoids relying on echo -e.
printf '\n\nDone!\n\n'
printf '%s\n' \
  'CA certificate is : rootca.crt' \
  'CA key is : rootca.key' \
  'Server certificate is: server.crt' \
  'Server key is : server.key'
printf '\nYou can inspect the server certificate by running:\n'
printf '\n\topenssl x509 -in server.crt -text -noout\n'
# Example environment for gen.sh: the subject fields, both common names and
# the subjectAltName lists, followed by the script itself.
export COUNTRY=US STATE=Washington CITY=Seattle
export ORG='SUSE Internal' ORGUNIT=CaaSP
export CACN='Test CA' SERVERCN='foo.example.com'
export DNSALT='foo.example.org example.org'
export IPALT='192.168.100.1 192.168.200.2'
./gen.sh