@sebnyberg
Created September 21, 2021 21:15
Create Kubernetes certs using openssl
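#!/usr/bin/env bash
#
# Create a small test PKI with openssl: a self-signed root CA, an
# intermediate "cluster" CA signed by it, and a server and a client
# certificate signed by the intermediate. Everything is written to ./out.
#
# Private keys are generated unencrypted (encrypt_key = no in every config
# below), so keep ./out out of version control and off shared filesystems.
#
# The shebang was "#!/local/bin/env bash", a path that does not exist on
# any common system; /usr/bin/env is the portable locator.
set -euxo pipefail
# openssl will not create the output directory for -out paths.
mkdir -p out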
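# Create Root CA cert (self-signed, valid 10 years).
ca="rootca"
cat > "$ca.conf" << EOM
[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
# The root key only ever signs certificates (and could sign CRLs); it is not
# used for TLS, so it gets no digitalSignature/keyEncipherment/nonRepudiation.
keyUsage = critical, keyCertSign, cRLSign
[ req_dn ]
O = Your Organization
CN = Root CA
EOM
# umask in a subshell so the private key is created 0600 instead of inheriting
# a world-readable default, without changing the mode of any other output.
(umask 077; openssl genrsa -out "out/$ca-key.pem" 4096)
openssl req -new -key "out/$ca-key.pem" -config "$ca.conf" -out "out/$ca.csr"
openssl x509 -req -days 3650 \
  -signkey "out/$ca-key.pem" \
  -extensions req_ext -extfile "$ca.conf" \
  -in "out/$ca.csr" -out "out/$ca.pem"
# Verify key and cert. `rsa -check` validates the key without echoing its
# private components to stdout (`rsa -text` dumps the whole private key, which
# under set -x or in CI logs is a credential leak).
openssl rsa -noout -check -in "out/$ca-key.pem"
openssl x509 -noout -text -in "out/$ca.pem"
# The cert must carry the public half of the key we just generated; a mismatch
# is a non-zero exit under set -e.
[[ "$(openssl x509 -noout -pubkey -in "out/$ca.pem")" == "$(openssl pkey -pubout -in "out/$ca-key.pem")" ]]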
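# Create Intermediary Cluster CA cert (signed by the root, valid 5 years).
clusterca="mycluster"
# Bug fix: this config was written to "$ca.conf" (clobbering the root CA's
# config) while `openssl req` below reads "$clusterca.conf", which was never
# created, so the script aborted here.
cat > "$clusterca.conf" << EOM
[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
# pathlen:0 - this CA may sign end-entity certs only, never another CA.
basicConstraints = critical, CA:true, pathlen:0
# Unlike the root, this CA keeps digitalSignature/keyEncipherment and carries a
# DNS SAN, which only makes sense if the cert is also presented over TLS by
# whatever answers on istiod.istio-system.svc.
# NOTE(review): this looks like an Istio plug-in-CA layout - confirm that
# before tightening keyUsage here.
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
subjectAltName = @san
[ san ]
DNS.1 = istiod.istio-system.svc
[ req_dn ]
O = Your Organization
CN = Some Cluster CA
L = clustername
EOM
# Private key created 0600 (see umask); nothing else is affected.
(umask 077; openssl genrsa -out "out/$clusterca-key.pem" 4096)
openssl req -new -config "$clusterca.conf" -key "out/$clusterca-key.pem" -out "out/$clusterca.csr"
openssl x509 -req -days 1825 \
  -CA "out/$ca.pem" -CAkey "out/$ca-key.pem" -CAcreateserial \
  -extensions req_ext -extfile "$clusterca.conf" \
  -in "out/$clusterca.csr" -out "out/$clusterca.pem"
# Concatenate CA certs into a chain, leaf-side first: intermediate, then root.
cat "out/$clusterca.pem" "out/$ca.pem" > out/chain.pem
# Verify key and cert without printing private key material (`-check` instead
# of `-text`), confirm the cert matches the key, and confirm it chains to the root.
openssl rsa -noout -check -in "out/$clusterca-key.pem"
openssl x509 -noout -text -in "out/$clusterca.pem"
[[ "$(openssl x509 -noout -pubkey -in "out/$clusterca.pem")" == "$(openssl pkey -pubout -in "out/$clusterca-key.pem")" ]]
openssl verify -CAfile "out/$ca.pem" "out/$clusterca.pem"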
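# Create Service (server) cert, signed by the cluster CA, valid 1 year.
svc="myservice"
cat > "$svc.conf" << EOM
[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:false
keyUsage = digitalSignature, keyEncipherment
# serverAuth for the service itself; clientAuth so it can present this cert
# when it calls other mTLS services.
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@san
[ san ]
DNS.1 = yourwebsite.example.com
DNS.2 = localhost
[ req_dn ]
O = Your Organization
CN = yourwebsite.example.com
L = Your Service
EOM
# Private key created 0600 (see umask); nothing else is affected.
(umask 077; openssl genrsa -out "out/$svc-key.pem" 4096)
openssl req -new -config "$svc.conf" -key "out/$svc-key.pem" -out "out/$svc.csr"
# Sign with the intermediate's own cert rather than chain.pem: `x509 -req -CA`
# only reads the first cert of the file anyway, and the serial file is then
# kept next to the CA that owns it (out/$clusterca.srl) instead of out/chain.srl.
openssl x509 -req -days 365 \
  -CA "out/$clusterca.pem" -CAkey "out/$clusterca-key.pem" -CAcreateserial \
  -extensions req_ext -extfile "$svc.conf" \
  -in "out/$svc.csr" -out "out/$svc.pem"
# Verify: key is well-formed (no private material printed), cert matches key,
# and the cert chains to the root through the intermediate.
openssl rsa -noout -check -in "out/$svc-key.pem"
[[ "$(openssl x509 -noout -pubkey -in "out/$svc.pem")" == "$(openssl pkey -pubout -in "out/$svc-key.pem")" ]]
openssl verify -CAfile "out/$ca.pem" -untrusted "out/$clusterca.pem" "out/$svc.pem"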
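# Create client cert, signed by the cluster CA, valid 1 year. Same shape as the
# service cert except for subject/SAN and EKU: a client cert only ever
# authenticates *to* a server, so it gets clientAuth alone (granting serverAuth
# too would let this key terminate TLS for "localhost").
client="myclient"
cat > "$client.conf" << EOM
[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName=@san
[ san ]
DNS.1 = localhost
[ req_dn ]
O = Your Organization
CN = Some Client
EOM
# Private key created 0600 (see umask); nothing else is affected.
(umask 077; openssl genrsa -out "out/$client-key.pem" 4096)
openssl req -new -config "$client.conf" -key "out/$client-key.pem" -out "out/$client.csr"
# Sign with the intermediate's own cert (first cert of chain.pem anyway); the
# serial file then lives at out/$clusterca.srl rather than out/chain.srl.
openssl x509 -req -days 365 \
  -CA "out/$clusterca.pem" -CAkey "out/$clusterca-key.pem" -CAcreateserial \
  -extensions req_ext -extfile "$client.conf" \
  -in "out/$client.csr" -out "out/$client.pem"
# Verify: key is well-formed (no private material printed), cert matches key,
# and the cert chains to the root through the intermediate.
openssl rsa -noout -check -in "out/$client-key.pem"
[[ "$(openssl x509 -noout -pubkey -in "out/$client.pem")" == "$(openssl pkey -pubout -in "out/$client-key.pem")" ]]
openssl verify -CAfile "out/$ca.pem" -untrusted "out/$clusterca.pem" "out/$client.pem"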
@sebnyberg

Get the SHA-256 fingerprint of a cert (pass the digest explicitly: without it, `openssl x509 -fingerprint` prints a SHA-1 fingerprint, which should not be used for pinning or comparing certificates):

openssl x509 -in cert.crt -noout -fingerprint -sha256
