self-signed cert with Subject Alternative Names
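#!/bin/bash
# Build a throw-away local root CA, then issue one server certificate that
# carries Subject Alternative Names, and write it out as nginx-style
# ssl.crt / ssl.key.
#
# Files produced in the current directory:
#   caconfig.cnf, local.cnf   - generated OpenSSL config files (CA and server)
#   ca_key.pem, ca_crt.pem    - root CA private key and self-signed certificate
#   key.pem, req.pem          - server private key (encrypted) and CSR
#   ssl.crt, ssl.key          - issued server certificate and unencrypted PKCS#8 key
#   ssl_chain.crt             - ssl.crt followed by ca_crt.pem
#   ca_signedcerts/, ca_index.txt, ca_serial - `openssl ca` state
#
# Edit [root_ca_distinguished_name], [server_distinguished_name] and
# [alt_names] before running. To run it a second time, delete the
# `openssl ca` state files first or the signing step will refuse.

# Every openssl step feeds the next one; stop at the first failure instead of
# running `openssl ca` against a half-built CA.
set -euo pipefail

# Three private keys are written below (ca_key.pem, key.pem, ssl.key); create
# everything readable by the invoking user only. Certificates are public and
# can be chmod'ed back to +r where they are deployed.
umask 077

# Delimiter quoted so nothing in the config text is subject to shell expansion.
cat <<'EOF' > caconfig.cnf
# My sample caconfig.cnf file.
#
# Default configuration to use when one is not provided on the command line.
#
[ ca ]
default_ca = local_ca
#
#
# Default location of directories and files needed to generate certificates.
#
[ local_ca ]
dir = ./
certificate = ./ca_crt.pem
database = ./ca_index.txt
new_certs_dir = ./ca_signedcerts
private_key = ./ca_key.pem
serial = ./ca_serial
#
#
# Default expiration and encryption policies for certificates
#
default_crl_days = 3650
default_days = 3650
# sha1 is no longer recommended, we will be using sha256
default_md = sha256
#
policy = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the certificate request.
# This is what carries keyUsage, extendedKeyUsage and subjectAltName from the
# CSR (local.cnf [ v3_req ]) into the issued certificate. Extensions already
# set in local_ca_extensions are NOT overridden by the request. Because the
# request decides its own extensions, only sign CSRs you generated yourself
# with this config.
#
copy_extensions = copy
#
#
# Default policy to use when generating server certificates.
# The following fields must be defined in the server certificate.
#
# DO NOT CHANGE "supplied" BELOW TO ANYTHING ELSE.
# It is the correct content.
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
#
#
# x509 extensions to use when generating server certificates
#
[ local_ca_extensions ]
# End-entity certificate: it must never be able to sign other certificates.
basicConstraints = CA:false
# Key identifiers let clients link the server cert to the issuing CA cert.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
#
#
# The default root certificate generation policy
#
[ req ]
default_bits = 4096
default_keyfile = ./ca_key.pem
#
# sha1 is no longer recommended, we will be using sha256
default_md = sha256
#
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
#
#
# Root Certificate Authority distinguished name
#
# DO CHANGE THE CONTENT OF THESE FIELDS TO MATCH
# YOUR OWN SETTINGS!
#
[ root_ca_distinguished_name ]
commonName = LOCAL ROOT CA
stateOrProvinceName = 1
countryName = AU
emailAddress = 1@1.com
organizationName = 1
organizationalUnitName = 1
#
# Extensions for the self-signed root: a CA cert's basicConstraints is
# required to be critical, and its keyUsage is limited to signing certs/CRLs.
[ root_ca_extensions ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

cat <<'EOF' > local.cnf
#
# localhost.cnf
#
[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req
[ server_distinguished_name ]
commonName = Random Name
stateOrProvinceName = 1
countryName = AU
emailAddress = 1@1.com
organizationName = 1
organizationalUnitName = 1
# These extensions go into the CSR and are copied into the issued certificate
# by copy_extensions = copy in caconfig.cnf.
[ v3_req ]
basicConstraints = CA:FALSE
# TLS server/client usage only. keyCertSign and cRLSign are CA-only usages and
# do not belong on a CA:FALSE certificate; they are deliberately left out.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
# One IP.N / DNS.N entry per name the server will be reached by.
[ alt_names ]
IP.0 = 192.168.1.10
EOF

# Root CA: self-signed, 10 years. The CA key is written to ca_key.pem
# (default_keyfile) and a passphrase for it is prompted for.
openssl req -x509 -newkey rsa:4096 -out ca_crt.pem -outform PEM -days 3650 -config caconfig.cnf

# Server key + CSR; the CSR carries the v3_req extensions (SAN etc.).
openssl req -newkey rsa:4096 -keyout key.pem -keyform PEM -out req.pem -outform PEM -config local.cnf

# State `openssl ca` requires: issued-cert directory, index database, next serial.
mkdir -p ca_signedcerts
touch ca_index.txt
echo '01' > ca_serial

# Sign the CSR with the local CA (asks for confirmation unless -batch is added).
openssl ca -in req.pem -out ssl.crt -config caconfig.cnf

# Unencrypted PKCS#8 copy of the server key for the web server.
openssl pkcs8 -topk8 -inform pem -in key.pem -outform pem -nocrypt -out ssl.key

#cp ssl.crt /etc/nginx/
#cp ssl.key /etc/nginx/
# it's root cert for import in windows' certmgr.msc
#cp ca_crt.pem /etc/nginx/
# concat with root for full chain
cp ssl.crt ssl_chain.crt
cat ca_crt.pem >> ssl_chain.crt
#cat ca_crt.pem >> /etc/nginx/ssl.crt
#chmod +r /etc/nginx/ssl.*
#chmod +r /etc/nginx/ca_crt.pem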