Make a locally trusted X.509 certificate chain (throw-away root CA, issuing CA and server leaf) for local development, e.g. Apache HTTPd with OpenSSL on Windows. The root and issuing CA are installed into the Windows certificate stores and the CA private keys are deleted once they have signed.
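@echo off & setlocal enableextensions enabledelayedexpansion & set "_bang=^!"
rem ---------------------------------------------------------------------------
rem Build a throw-away X.509 chain (root CA, issuing CA, server leaf) for local
rem development, install the root and issuing CA into the Windows stores,
rem import the leaf into the personal store and restart the local Apache
rem services.
rem
rem Expected layout: this script lives in a subdirectory of the Apache root,
rem so ..\bin\httpd.exe is the server binary.
rem
rem Overridable knobs (set in the environment before running):
rem   _DAYS      validity in days for all three certificates (default 365242)
rem   _PFX_PASS  password protecting server.pfx (default sEcret)
rem
rem Both CA private keys are deleted as soon as they have signed; only the
rem unencrypted leaf key survives on disk, so whoever finds these files later
rem cannot mint further certificates under the installed root.
rem ---------------------------------------------------------------------------
set "_rc=0"
if not defined _DAYS set "_DAYS=365242"
if not defined _PFX_PASS set "_PFX_PASS=sEcret"

rem Timestamp from wmic, e.g. 20240324235600.123456+060. It is the unique
rem suffix of the temporary files and part of every CN, so each run yields
rem distinguishable certificates. The inner for strips the trailing CR that
rem wmic emits; the + of the UTC offset is escaped because openssl -subj
rem treats a bare + as an RDN separator.
rem NOTE: wmic is deprecated and missing on some recent Windows builds; the
rem check below fails loudly instead of producing empty file names.
for /f "usebackq tokens=2 delims==" %%T in (`wmic os get LocalDateTime /value`) do (
  for /f "usebackq tokens=* delims=" %%T in ('%%T') do (
    set "_t=%%T"
    set "_n=!_bang!localhost [!_t:+=\+!]"
  )
)
if not defined _t (
  >&2 echo Could not read LocalDateTime from wmic, aborting.
  exit /b 1
)

rem Work next to this script; httpd.exe is resolved relative to the parent.
pushd "%~dp0"
pushd ..
set "_HTTPD_BIN=%CD%\bin"
path "%_HTTPD_BIN%";%PATH%
popd

rem Leaf extensions: a TLS server certificate only. keyUsage and EKU are
rem limited to what TLS needs. The previous codeSigning EKU would have let the
rem long-lived, unencrypted server.key sign code trusted by this machine once
rem the root is in the trusted root store.
> server-%_t%.cnf (
  echo subjectKeyIdentifier = hash
  echo authorityKeyIdentifier = keyid,issuer
  echo basicConstraints = critical, CA:FALSE
  echo keyUsage = critical, digitalSignature, keyEncipherment
  echo extendedKeyUsage = serverAuth, clientAuth
  echo subjectAltName = @alt_names
  echo [alt_names]
  echo DNS.001 = localhost
  echo DNS.002 = *.localhost
  echo DNS.003 = BigKahuna
  echo DNS.004 = LittleKahuna
  echo DNS.005 = TinyKahuna
  echo DNS.006 = *.localhost.dyndns.example.org
  echo DNS.007 = *.v4.dyndns.example.org
  echo DNS.008 = *.127-8.v4.dyndns.example.org
  echo DNS.009 = *.192-0-2-24.v4.dyndns.example.org
  echo DNS.010 = *.198-51-100-24.v4.dyndns.example.org
  echo DNS.011 = *.203-0-113-24.v4.dyndns.example.org
  echo IP.1 = 127.0.0.1
  echo IP.2 = 127.0.0.2
  echo IP.3 = 192.0.2.1
  echo IP.4 = 198.51.100.1
  echo IP.5 = 203.0.113.24
)

rem Issuing CA extensions: pathlen:0 restricts it to signing leaves and the
rem key usage to certificate and CRL signing.
> ca-issue-%_t%.cnf (
  echo subjectKeyIdentifier = hash
  echo authorityKeyIdentifier = keyid,issuer
  echo basicConstraints = critical, CA:TRUE, pathlen:0
  echo keyUsage = critical, keyCertSign, cRLSign
)

rem Leaf and issuing-CA key pairs plus CSRs. -nodes leaves the keys
rem unencrypted on disk, which Apache needs for server.key.
openssl req -new -newkey rsa:4096 -keyout server.key -out server-%_t%.csr -nodes -subj "/CN=!_n! Leaf" || goto :fail
openssl req -new -newkey rsa:4096 -keyout ca-issue-%_t%.key -out ca-issue-%_t%.csr -nodes -subj "/CN=!_n! Issue CA" || goto :fail

rem Self-signed root. Its extensions come from the default openssl.cnf.
openssl req -x509 -newkey rsa:4096 -keyout ca-root-%_t%.key -out ca-root.crt -sha256 -days %_DAYS% -nodes -subj "/CN=!_n! Root CA" || goto :fail

rem -CAcreateserial creates the .srl file when missing; older OpenSSL builds
rem otherwise fail here. The .srl files are removed at the end.
openssl x509 -req -in ca-issue-%_t%.csr -CA ca-root.crt -CAkey ca-root-%_t%.key -CAcreateserial -out ca-issue.crt -sha256 -days %_DAYS% -extfile ca-issue-%_t%.cnf || goto :fail
rem The root key is never needed again: destroy it before going any further.
del ca-root-%_t%.key ca-issue-%_t%.csr ca-issue-%_t%.cnf

openssl x509 -req -in server-%_t%.csr -CA ca-issue.crt -CAkey ca-issue-%_t%.key -CAcreateserial -out server.crt -sha256 -days %_DAYS% -extfile server-%_t%.cnf || goto :fail
rem Same for the issuing CA key.
del ca-issue-%_t%.key server-%_t%.csr server-%_t%.cnf

rem Chain file for Apache, issuing CA followed by the root.
copy /b ca-issue.crt + ca-root.crt server-ca.crt || goto :fail

rem NOTE: the PFX password is passed on the command line here and to certutil
rem below, so it is visible in process listings. Acceptable for a throw-away
rem development secret only; never reuse a real password. server.pfx is left
rem on disk after the import.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx -passout "pass:%_PFX_PASS%" || goto :fail

rem Elevated step (surun): trust the root and issuing CA in the machine
rem stores, import the leaf into the personal store and restart every Apache
rem service. Apache reads server.key from disk and does not need the store
rem import; keep it only for other consumers such as IIS.
rem NOTE(review): without the certutil NoExport option the imported leaf key
rem is presumably exportable - confirm whether that is wanted.
surun /wait cmd /d /c ^
  certutil -addstore root "%CD%\ca-root.crt" ^&^& ^
  certutil -addstore CA "%CD%\ca-issue.crt" ^&^& ^
  certutil -p "%_PFX_PASS%" -importPFX my "%CD%\server.pfx" ^&^& ^
  ^( for %%X in ^( Big Little Tiny ^) do "%_HTTPD_BIN%\httpd.exe" -k restart -n Apache2.4-%%XKahuna ^) ^& ^
  pause
del ca-root.crt ca-issue.crt
goto :done

:fail
>&2 echo Certificate generation failed, see the openssl output above.
set "_rc=1"

:done
rem Whatever happened, no CA private key, CSR, cnf or serial file may survive.
del /q ca-root-%_t%.key ca-issue-%_t%.key ca-issue-%_t%.csr ca-issue-%_t%.cnf server-%_t%.csr server-%_t%.cnf ca-root.srl ca-issue.srl >nul 2>&1
popd
exit /b %_rc%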