self-signed cert with Subject Alternative Names
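#!/bin/bash
# Generate a local root CA and a server certificate with Subject Alternative
# Names, signed by that CA. All output lands in the current directory:
#   ca_crt.pem / ca_key.pem   root CA certificate and private key
#   ssl.crt / ssl.key         server certificate and unencrypted PKCS#8 key
#   ssl_chain.crt             server certificate followed by the CA certificate
# The script is interactive: each `openssl req -newkey` prompts for a key
# passphrase (no -nodes is given) and `openssl ca` asks before signing.
#
# Stop on the first failing command, unset variable or broken pipe so a
# half-written CA directory is not silently used by later steps.
set -euo pipefail

# Heredoc delimiters are quoted so the shell never expands `$` or backticks
# inside the OpenSSL configuration text.
cat <<'EOF' > caconfig.cnf
# caconfig.cnf - configuration for `openssl req -x509` (root CA) and
# `openssl ca` (signing server requests).
#
[ ca ]
default_ca = local_ca
#
# Location of the directories and files needed to sign certificates.
# All paths are relative to the directory the script runs in.
#
[ local_ca ]
dir = ./
certificate = ./ca_crt.pem
database = ./ca_index.txt
new_certs_dir = ./ca_signedcerts
private_key = ./ca_key.pem
serial = ./ca_serial
#
# Default validity (days) and digest for issued certificates and CRLs.
# NOTE: browsers may reject server certificates valid for longer than
# roughly 398 days; shorten default_days if the certificate is for a browser.
#
default_crl_days = 3650
default_days = 3650
# sha1 is no longer recommended, we will be using sha256
default_md = sha256
#
policy = local_ca_policy
x509_extensions = local_ca_extensions
#
# Copy extensions (subjectAltName, keyUsage, ...) from the certificate
# request into the signed certificate. Extensions already set in
# local_ca_extensions take precedence. This copies whatever the request
# carries, so only sign requests you generated yourself, as this script does.
#
copy_extensions = copy
#
# Policy applied to server requests: every listed field must be present
# in the request ("supplied"); its value is not checked against the CA.
#
# DO NOT CHANGE "supplied" BELOW TO ANYTHING ELSE.
# It is the correct content.
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
#
# x509 extensions added to every certificate signed by this CA.
# Key identifiers let clients link the server certificate to the issuing CA.
#
[ local_ca_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
#
# Settings for generating the self-signed root certificate.
#
[ req ]
default_bits = 4096
default_keyfile = ./ca_key.pem
#
# sha1 is no longer recommended, we will be using sha256
default_md = sha256
#
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
#
# Root Certificate Authority distinguished name
#
# DO CHANGE THE CONTENT OF THESE FIELDS TO MATCH
# YOUR OWN SETTINGS!
#
[ root_ca_distinguished_name ]
commonName = LOCAL ROOT CA
stateOrProvinceName = 1
countryName = AU
emailAddress = 1@1.com
organizationName = 1
organizationalUnitName = 1
#
# A CA certificate asserts CA:true and only the usages a CA needs
# (certificate and CRL signing), both marked critical.
[ root_ca_extensions ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

cat <<'EOF' > local.cnf
#
# local.cnf - certificate request for the server.
#
[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req
[ server_distinguished_name ]
commonName = Random Name
stateOrProvinceName = 1
countryName = AU
emailAddress = 1@1.com
organizationName = 1
organizationalUnitName = 1
[ v3_req ]
basicConstraints = CA:FALSE
# End-entity usages only. keyCertSign and cRLSign belong to CA certificates
# (RFC 5280 4.2.1.3) and must not be asserted on a server certificate;
# with copy_extensions = copy they would otherwise end up in ssl.crt.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[ alt_names ]
# One entry per name or address the server is reached by, e.g.
# DNS.1 = localhost
IP.1 = 192.168.1.10
EOF

# Root CA: self-signed certificate plus its private key (passphrase prompted).
openssl req -x509 -newkey rsa:4096 -out ca_crt.pem -outform PEM -days 3650 -config caconfig.cnf

# Server key (passphrase prompted) and certificate request.
openssl req -newkey rsa:4096 -keyout key.pem -keyform PEM -out req.pem -outform PEM -config local.cnf

# CA database: signed-cert directory, empty index and starting serial.
# `openssl ca` refuses to sign when the index already lists a valid
# certificate with the same subject, so re-running requires a clean directory.
mkdir -p ca_signedcerts
touch ca_index.txt
echo '01' > ca_serial

# Sign the request with the local CA (asks for confirmation).
openssl ca -in req.pem -out ssl.crt -config caconfig.cnf

# Convert the server key to unencrypted PKCS#8 so a web server can load it
# without a passphrase. ssl.key is a plaintext secret: keep its permissions
# restricted to the service user.
openssl pkcs8 -topk8 -inform pem -in key.pem -outform pem -nocrypt -out ssl.key

# Full chain for the web server: server certificate followed by the root.
cp ssl.crt ssl_chain.crt
cat ca_crt.pem >> ssl_chain.crt

# Deployment steps, left for reference (nginx example):
#cp ssl.crt /etc/nginx/
#cp ssl.key /etc/nginx/
# ca_crt.pem is the root certificate to import in windows' certmgr.msc
#cp ca_crt.pem /etc/nginx/
#cat ca_crt.pem >> /etc/nginx/ssl.crt
#chmod +r /etc/nginx/ssl.*
#chmod +r /etc/nginx/ca_crt.pem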