@AfroThundr3007730
Last active January 13, 2026 15:19
Generating x509 PKI certs inline
#!/bin/bash
# Requires bash (process substitution) and OpenSSL 3.0+ (-noenc, req -CA/-CAkey).
# -noenc writes the private keys unencrypted; restrict access to /etc/keys.

# Extension sections shared by all commands below, passed inline via -config.
config='
[ca_cert]
basicConstraints=critical,CA:true,pathlen:1
authorityKeyIdentifier=keyid:always,issuer
subjectKeyIdentifier=hash
keyUsage=critical,keyCertSign,cRLSign
[sign_cert]
basicConstraints=critical,CA:false
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature
extendedKeyUsage=codeSigning
[san_cert]
basicConstraints=critical,CA:false
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=foo.example.com
DNS.2=bar.example.com
'

# The Root Cert
openssl req -x509 -days 3660 -sha384 -utf8 -noenc \
    -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
    -keyout /etc/keys/ca.key -out /etc/keys/ca.crt \
    -config <(printf '%s' "$config") -extensions ca_cert \
    -subj '/CN=My CA Cert'

# The three leaf commands below are alternatives: each one writes the same
# /etc/keys/db.key and /etc/keys/db.crt, overwriting the previous result.

# The Leaf Cert (code signing)
openssl req -x509 -days 730 -sha384 -utf8 -noenc \
    -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
    -keyout /etc/keys/db.key -out /etc/keys/db.crt \
    -CAkey /etc/keys/ca.key -CA /etc/keys/ca.crt \
    -config <(printf '%s' "$config") -extensions sign_cert \
    -subj '/CN=MY Leaf Cert'

# The Leaf Cert (SAN inline)
openssl req -x509 -days 730 -sha384 -utf8 -noenc \
    -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
    -keyout /etc/keys/db.key -out /etc/keys/db.crt \
    -CAkey /etc/keys/ca.key -CA /etc/keys/ca.crt \
    -config <(printf '%s' "$config") -extensions san_cert \
    -subj '/' -addext 'subjectAltName=DNS:foo.bar.baz'

# The Leaf Cert (SAN full, names taken from [alt_names])
openssl req -x509 -days 730 -sha384 -utf8 -noenc \
    -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
    -keyout /etc/keys/db.key -out /etc/keys/db.crt \
    -CAkey /etc/keys/ca.key -CA /etc/keys/ca.crt \
    -config <(printf '%s' "$config") -extensions san_cert \
    -subj '/'