@syfluqs
Last active September 23, 2018 05:54
Creating CA-signed certificates for multiple hostnames
# 00_csr_details.txt: OpenSSL config read by the script below, both when
# building the CSR (-config) and when signing it (-extfile / -extensions v3_ca)
[req]
default_bits = 2048
# take the subject from [dn] instead of prompting for it
prompt = no
default_md = sha256
# put the SAN list into the CSR itself
req_extensions = v3_ca
distinguished_name = dn
# [ca] / [CA_default] are only consulted by "openssl ca", not by "openssl x509 -req"
[ca]
default_ca = CA_default
[CA_default]
copy_extensions = copy
[dn]
C=US
# with prompt = no these values are used literally, so "." ends up in the subject;
# fill in real values or delete the lines you do not need
ST=.
L=.
O=.
OU=.
emailAddress=myemailaddress@email.com
CN = primaryhostname.com
# extensions for the server (leaf) certificate, despite the section name: it is not a CA
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# every name the server is reached by; clients match against this list, not against CN
subjectAltName = DNS:primaryhostname.com, DNS:secondaryhostname1.com, DNS:secondaryhostname2.com, IP:192.168.1.101
#!/bin/sh
# Usage: ./script.sh [cert-name]; reads ./00_csr_details.txt from the current directory
CERT_NAME=${1:-cert}
VALIDITY=3650 # days
# private key (2048 bit), to sign all certificates with
openssl genrsa -out "$CERT_NAME-ca.key" 2048
# X509 certificate (certification authority certificate) with the private key
# (no -config here, so the CA subject is prompted for using the system openssl.cnf defaults)
openssl req -new -x509 -days "$VALIDITY" -key "$CERT_NAME-ca.key" -out "$CERT_NAME-ca.crt"
# server certificate private key
openssl genrsa -out "$CERT_NAME-serv.key" 2048
# certificate signing request (CSR)
# to be sent to certification authority if not a self-signed certificate
# openssl req -new -key $CERT_NAME-serv.key -out $CERT_NAME-serv.csr
# -key reuses the key generated above; subject and SAN list come from the config file
openssl req -new -sha256 -out "$CERT_NAME-serv.csr" -key "$CERT_NAME-serv.key" -config ./00_csr_details.txt
# verify CSR (check that the Subject Alternative Name list made it into the request)
openssl req -text -noout -in "$CERT_NAME-serv.csr"
# server certificate (signing CSR)
# "openssl x509 -req" does not copy extensions from the CSR, so v3_ca is applied again via -extfile
openssl x509 -req -in "$CERT_NAME-serv.csr" -CA "$CERT_NAME-ca.crt" -CAkey "$CERT_NAME-ca.key" -CAcreateserial -out "$CERT_NAME-serv.crt" -days "$VALIDITY" -sha256 -extensions v3_ca -extfile ./00_csr_details.txt
# verify certificate
openssl x509 -in "$CERT_NAME-serv.crt" -noout -text
# check what a running server actually presents once the certificate is deployed
HOST_NAME=${HOST_NAME:-primaryhostname.com}
PORT=${PORT:-443}
openssl s_client -connect "$HOST_NAME:$PORT" -showcerts </dev/null
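The same CA -> CSR -> signed-leaf flow as an added, self-checking example (not the gist's own script): it runs non-interactively in a scratch directory, then verifies the three things a multi-hostname certificate has to get right: the leaf chains to the CA, each hostname appears in the SAN list, and the leaf is not itself a CA. The config, hostnames and the "Example Test CA" subject are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the gist's own script: the gist's CA -> CSR -> signed-leaf flow
# run non-interactively in a scratch dir, then the checks a multi-SAN cert must pass.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/csr.cnf"
# Constructed config in the shape of 00_csr_details.txt (placeholder hostnames),
# plus a CA section so the root gets CA:TRUE without relying on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
prompt = no
default_md = sha256
req_extensions = v3_req
distinguished_name = dn
[dn]
C = US
CN = primaryhostname.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:primaryhostname.com, DNS:secondaryhostname1.com, IP:192.168.1.101
[v3_ca_root]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
make_chain() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    # -subj replaces the interactive DN prompt of the gist's CA step
    openssl req -new -x509 -days 3650 -config "$CFG" -extensions v3_ca_root \
        -subj "/CN=Example Test CA" -key "$WORK/ca.key" -out "$WORK/ca.crt"
    openssl genrsa -out "$WORK/serv.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$CFG" -key "$WORK/serv.key" -out "$WORK/serv.csr"
    # the SANs reach the certificate only because -extfile/-extensions re-applies them
    openssl x509 -req -in "$WORK/serv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 3650 -sha256 -extensions v3_req -extfile "$CFG" \
        -out "$WORK/serv.crt" 2>/dev/null
}
# leaf chains to the CA
check_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/serv.crt" >/dev/null; }
# SAN entries of the leaf, one per line (e.g. "DNS:primaryhostname.com")
leaf_sans() { openssl x509 -in "$WORK/serv.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//'; }
# exact-match lookup of a hostname in the SAN list (no wildcard handling)
hostname_covered() { leaf_sans | grep -qx "DNS:$1"; }
# the signed leaf must not itself be a CA
leaf_is_ca() { openssl x509 -in "$WORK/serv.crt" -noout -text | grep -q 'CA:TRUE'; }
make_chain
check_chain && echo "leaf verifies against ca.crt"
leaf_sans
```

Point `hostname_covered` at a name that is not in the list (or drop `-extfile` from the signing step) to see the check fail, which is exactly what a browser's hostname verification would do against that certificate.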