You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
76 lines
1.6 KiB
76 lines
1.6 KiB
#!/bin/bash
|
|
|
|
set -euo pipefail
|
|
|
|
years=3
|
|
domain='klingt.vnet'
|
|
cert_out_path='./roles/caddy/files'
|
|
root_out_path="${HOME}/.ssl"
|
|
csr_cnf_file="$(mktemp)"
|
|
v3_ext_file="$(mktemp)"
|
|
|
|
[[ ! -e "${root_out_path}/root-ca.key" ]] &&\
|
|
openssl genrsa\
|
|
-out "${root_out_path}/root-ca.key"\
|
|
2048
|
|
|
|
cat <<HEREDOC > "${csr_cnf_file}"
|
|
[req]
|
|
default_bits=2048
|
|
prompt=no
|
|
default_md=sha256
|
|
distinguished_name=dn
|
|
|
|
[dn]
|
|
C=DE
|
|
ST=Leipzig
|
|
L=Saxony
|
|
O=klingt.vnet
|
|
OU=klingt.vnet
|
|
emailAddress=admin@klingt.vnet
|
|
CN=klingt.vnet
|
|
HEREDOC
|
|
|
|
[[ ! -e "${root_out_path}/root-ca.pem" ]] &&\
|
|
openssl req\
|
|
-x509\
|
|
-new\
|
|
-nodes\
|
|
-key "${root_out_path}/root-ca.key"\
|
|
-sha256\
|
|
-days $((365 * $years))\
|
|
-out "${root_out_path}/root-ca.pem"\
|
|
-config <(cat "${csr_cnf_file}")
|
|
|
|
cat <<HEREDOC > "${v3_ext_file}"
|
|
authorityKeyIdentifier=keyid,issuer
|
|
basicConstraints=CA:FALSE
|
|
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
|
|
subjectAltName = @alt_names
|
|
|
|
[alt_names]
|
|
DNS.1 = klingt.vnet
|
|
DNS.2 = *.klingt.vnet
|
|
HEREDOC
|
|
|
|
openssl req\
|
|
-new\
|
|
-sha256\
|
|
-nodes\
|
|
-out "${cert_out_path}/${domain}.csr"\
|
|
-newkey rsa:2048\
|
|
-keyout "${cert_out_path}/${domain}.key"\
|
|
-config <(cat "${csr_cnf_file}")
|
|
|
|
openssl x509\
|
|
-req\
|
|
-in "${cert_out_path}/${domain}.csr"\
|
|
-CA "${root_out_path}/root-ca.pem"\
|
|
-CAkey "${root_out_path}/root-ca.key"\
|
|
-CAcreateserial\
|
|
-out "${cert_out_path}/${domain}.crt"\
|
|
-days $((365 * $years))\
|
|
-sha256\
|
|
-extfile "${v3_ext_file}"
|
|
|
|
rm "${csr_cnf_file}" "${v3_ext_file}" "${cert_out_path}/${domain}.csr"
|