CA + CSR + Cert
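#!/usr/bin/env bash
# Build a small private PKI under ./tls: a CA key + self-signed CA cert, a
# server key + CSR, and a CA-signed server certificate with a SAN.
# SERVER (hostname placed in the CN/SAN) and EMAIL may be pre-set in the
# environment; the values below are only defaults.
set -euo pipefail

export SERVER="${SERVER:-example.org}"
export EMAIL="${EMAIL:-mail@example.org}"

# Private keys live here: owner-only directory. Under set -e, mkdir failing on an
# existing tls/ also stops the script instead of overwriting an existing CA key.
mkdir -m 700 tls
touch tls/index.txt   # openssl ca's certificate database; must exist, may be empty

# CA configuration: used for the CA self-signature (openssl req -x509) and for
# openssl ca, which needs the [ ca ] section below.
cat <<EOF > tls/openssl-ca.cnf
[ ca ]
default_ca = CA_LOC
[ CA_LOC ]
prompt = no
dir = $PWD/tls
certs = \$dir/
crl_dir = \$dir/
new_certs_dir = \$dir/
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/.rand
private_key = \$dir/ca.key
certificate = \$dir/ca.crt
crlnumber = \$dir/crlnum
crl = \$dir/mycrl.pem
default_crl_days = 30
preserve = no
policy = policy
default_days = 365
default_md = sha256
[ policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Region
localityName = Locality
organizationName = myOrg
organizationalUnitName = myUnit
commonName = ${SERVER}
emailAddress = ${EMAIL}
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 stops this CA from being used to issue intermediate CAs.
basicConstraints = critical, CA:true, pathlen:0
# A CA that signs certificates and CRLs needs keyCertSign/cRLSign; with only
# digitalSignature, verifiers reject the chain ("key usage does not include
# certificate signing").
keyUsage = critical, keyCertSign, cRLSign
EOF

# Server (leaf) configuration: DN for the CSR plus the v3_req extensions that
# openssl ca applies when issuing. ("days" is not a req option and was dropped.)
cat <<EOF > tls/openssl-server.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Region
localityName = Locality
0.organizationName = myOrg
organizationalUnitName = myUnit
commonName = ${SERVER}
emailAddress = ${EMAIL}
[ v3_req ]
basicConstraints = CA:false
# RSA TLS server: signs handshakes (digitalSignature) and, for RSA key
# exchange, decrypts the premaster secret (keyEncipherment).
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @sans
[ sans ]
DNS.0 = localhost
DNS.1 = ${SERVER}
EOF

# CA key and self-signed CA certificate. -subj overrides the configured DN;
# the CA gets a CN distinct from the leaf so the issued certificate is not
# "self-issued" (issuer DN == subject DN), which confuses some chain builders.
openssl genrsa -out tls/ca.key 4096
openssl req -x509 -new -nodes -key tls/ca.key -subj "/CN=${SERVER} CA" -days 3650 \
  -out tls/ca.crt -extensions v3_ca -config tls/openssl-ca.cnf

# Server key and CSR.
openssl req -out tls/cert.csr -newkey rsa:2048 -nodes -keyout tls/cert.key \
  -config tls/openssl-server.cnf

# Issue the server certificate. The CA config must be passed here (it holds the
# [ ca ] section); the leaf extensions (SAN, EKU, CA:false) come from the server
# config via -extfile/-extensions, so nothing is copied blindly from the CSR.
# -batch suppresses the interactive "Sign the certificate?" prompts.
openssl ca -batch -create_serial -config tls/openssl-ca.cnf \
  -cert tls/ca.crt -keyfile tls/ca.key \
  -extfile tls/openssl-server.cnf -extensions v3_req \
  -in tls/cert.csr -out tls/cert.crt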