Creating CA certificates for multiple hostnames
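; 00_csr_details.txt — OpenSSL request/extension profile for one server
; certificate that covers several hostnames. Read by the companion script via
; `openssl req -config` (CSR) and `openssl x509 -extfile ... -extensions v3_ca`
; (signing). Comment char is ';' throughout (OpenSSL also accepts '#').

[req]
; key size used only when `openssl req` generates the key itself
default_bits = 2048
; take the subject from [dn] instead of prompting interactively
prompt = no
default_md = sha256
; extensions embedded in the CSR; the same section is re-applied at signing
req_extensions = v3_ca
distinguished_name = dn

; [ca]/[CA_default] are consulted only by `openssl ca`. The companion script
; signs with `openssl x509 -req`, which ignores them; they are kept for callers
; that use `openssl ca`, where copy_extensions = copy carries the CSR's SAN
; into the issued certificate.
[ca]
default_ca = CA_default

[CA_default]
copy_extensions = copy

; Subject of the server certificate. With prompt = no every value is inserted
; literally, so the former placeholder fields (ST/L/O/OU given as ".") are
; omitted here rather than appearing as "." in the subject. Replace the
; remaining placeholders before use.
[dn]
C = US
emailAddress = myemailaddress@email.com
CN = primaryhostname.com

; End-entity (leaf) profile: CA:FALSE, TLS-server key usage. The section name
; is misleading but kept because the companion script passes `-extensions v3_ca`.
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
; restricts the certificate to TLS server use; some clients require an EKU
extendedKeyUsage = serverAuth
; clients match the hostname against subjectAltName, not CN; list every
; DNS name and IP address the server will be reached by
subjectAltName = DNS:primaryhostname.com, DNS:secondaryhostname1.com, DNS:secondaryhostname2.com, IP:192.168.1.101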
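#!/bin/sh
# Create a private CA and a CA-signed server certificate for several hostnames.
#
# Usage: ./script.sh [CERT_NAME] [CSR_CONFIG]
#   CERT_NAME   prefix for every output file (default: cert)
#   CSR_CONFIG  OpenSSL config holding [req]/[dn]/[v3_ca] (default: ./00_csr_details.txt)
#
# Outputs: $CERT_NAME-ca.key / -ca.crt (CA), $CERT_NAME-serv.key / -serv.csr /
# -serv.crt (server) and $CERT_NAME-ca.srl (serial counter).
# Stops at the first failing step; unset parameters are an error.
set -eu

CERT_NAME=${1:-cert}
CSR_CONFIG=${2:-./00_csr_details.txt}
# days; applies to both the CA and the server certificate
VALIDITY=3650

# CA private key (2048 bit), used to sign the server certificate.
# genrsa writes the key unencrypted, so restrict it to the owner.
openssl genrsa -out "$CERT_NAME-ca.key" 2048
chmod 600 "$CERT_NAME-ca.key"
# self-signed CA certificate (certification authority certificate).
# No -config here: the subject is prompted for and the extensions come from
# the default openssl.cnf.
openssl req -new -x509 -days "$VALIDITY" -key "$CERT_NAME-ca.key" -out "$CERT_NAME-ca.crt"

# server private key
openssl genrsa -out "$CERT_NAME-serv.key" 2048
chmod 600 "$CERT_NAME-serv.key"

# certificate signing request (CSR); subject and SAN come from $CSR_CONFIG.
# The key was generated above, so no -newkey is needed. To have an external
# CA sign instead, send the .csr and skip the x509 step below.
openssl req -new -sha256 -out "$CERT_NAME-serv.csr" -key "$CERT_NAME-serv.key" -config "$CSR_CONFIG"
# verify CSR
openssl req -text -noout -in "$CERT_NAME-serv.csr"

# server certificate (signing the CSR with the CA). -extensions/-extfile
# re-apply the SAN section, because `openssl x509 -req` does not by default
# copy extensions from the CSR.
openssl x509 -req -in "$CERT_NAME-serv.csr" -CA "$CERT_NAME-ca.crt" -CAkey "$CERT_NAME-ca.key" -CAcreateserial -out "$CERT_NAME-serv.crt" -days "$VALIDITY" -sha256 -extensions v3_ca -extfile "$CSR_CONFIG"
# verify certificate
openssl x509 -in "$CERT_NAME-serv.crt" -noout -text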
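# Show the certificate chain a TLS server presents for HOST_NAME:PORT.
# -servername sends SNI, so a server hosting several names returns the
# certificate for HOST_NAME instead of its default one. To check the chain
# against the private CA, add -CAfile <ca-cert> (e.g. the cert-ca.crt written
# by the companion script).
openssl s_client -connect "$HOST_NAME:$PORT" -servername "$HOST_NAME" -showcerts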