self-signed.sh

#!/bin/bash

set -e

key='-algorithm EC -pkeyopt ec_paramgen_curve:secp384r1'
enc=-aes256
subj=-subj\ /C=XX/O=XXX/OU=XXX/CN

domain=xxx.lan

req="\
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alts

[alts]
DNS.1 = $domain
DNS.2 = *.$domain
IP.1 = 10.255.255.255
"

conf="\
[req]
x509_extensions = ca_ext
req_extensions = srv_ext

[ca_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign
subjectAltName = @alts

[srv_ext]
$req\
"

read -s -p Passphrase: pass
pass="pass:$(printf %q "$pass")"

openssl genpkey $key -out ca.key -pass $pass $enc
openssl req -x509 -new -key ca.key -passin $pass -days 825 -sha512 -out ca.pem -config <(printf %s "$conf") $subj=XXX\ CA

openssl genpkey $key -out server.key
openssl req -new -key server.key -out server.csr -config <(printf %s "$conf") $subj=$domain

openssl x509 -req -in server.csr -passin $pass -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 47 -sha512 -extfile <(printf %s "$req")