Egor3f · November 18, 2024 09:52
diff --git a/makecert.sh b/makecert.sh
 #!/usr/bin/env bash

 ROOTCERT=root.crt
 ROOTKEY=root.key
 ROOTDAYS=2000
 CERTDAYS=500

 if [[ ! -f $ROOTKEY ]]; then
  read -e -p "Root CA Organization name: " -i "PersonalRootCA" rootorgname
  openssl genrsa -out $ROOTKEY 4096 &&
  openssl req -x509 -new -nodes -key $ROOTKEY -sha256 -days $ROOTDAYS -out $ROOTCERT \
    -subj "/C=US/ST=CA/O=$rootorgname"
 fi

 read -p "Domain names, separated by comma: " domains
 read -e -p "Organization name: " -i "PersonalServer" orgname
 read -e -p "Save to path: " -i "$(pwd)" destpath
 destpath=$(echo $destpath | sed 's/\/$//g')

 domain1=$(echo $domains | cut -d, -f1)
 csr=$destpath/$domain1.csr
 key=$destpath/$domain1.key
 cert=$destpath/$domain1.crt
 dnslist=$(echo $domains | sed -E 's/([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/DNS:\1/g; s/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/IP:\1/g')

 if [[ -f $key ]]; then
  read -p "Destination file exists, overwrite? (y/n) " -r -n 1 confirmation
  echo
  if [[ ! $confirmation =~ ^[Yy]$ ]]; then exit 1; fi
 fi

 read -e -p "File owner (e.g. web server user): " -i $(whoami) destuser
 read -e -p "File permissions: " -i "0400" permissions

 sudopref=""
 if [[ ! -w $key ]]; then
  echo "Destination path is not writable for $(whoami), trying sudo..."
  sudopref="sudo"
 fi

 $sudopref bash -c "\
  openssl genrsa -out $key 2048 &&
  openssl req -new -sha256 -key $key -reqexts SAN -out $csr \
    -subj \"/C=US/ST=CA/O=$orgname/CN=$domain1\" \
    -config <(cat /etc/ssl/openssl.cnf ; printf \"\n[SAN]\nsubjectAltName=$dnslist\") &&
  openssl x509 -req -in $csr -CA $ROOTCERT -CAkey $ROOTKEY -out $cert -days $CERTDAYS -sha256 -CAcreateserial \
    -extfile <(printf \"subjectAltName=$dnslist\") &&
  chmod $permissions $cert $key && chown $destuser $cert $key && rm $csr"

 echo "Certificate is ready: $cert"
 echo "Private key: $key"
 echo "Root certificate (for importing to client OS): $(pwd)/$ROOTCERT"
	#!/usr/bin/env bash

	ROOTCERT=root.crt
	ROOTKEY=root.key
	ROOTDAYS=2000
	CERTDAYS=500

	if [[ ! -f $ROOTKEY ]]; then
	read -e -p "Root CA Organization name: " -i "PersonalRootCA" rootorgname
	openssl genrsa -out $ROOTKEY 4096 &&
	openssl req -x509 -new -nodes -key $ROOTKEY -sha256 -days $ROOTDAYS -out $ROOTCERT \
	-subj "/C=US/ST=CA/O=$rootorgname"
	fi

	read -p "Domain names, separated by comma: " domains
	read -e -p "Organization name: " -i "PersonalServer" orgname
	read -e -p "Save to path: " -i "$(pwd)" destpath
	destpath=$(echo $destpath \| sed 's/\/$//g')

	domain1=$(echo $domains \| cut -d, -f1)
	csr=$destpath/$domain1.csr
	key=$destpath/$domain1.key
	cert=$destpath/$domain1.crt
	dnslist=$(echo $domains \| sed -E 's/([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/DNS:\1/g; s/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/IP:\1/g')

	if [[ -f $key ]]; then
	read -p "Destination file exists, overwrite? (y/n) " -r -n 1 confirmation
	echo
	if [[ ! $confirmation =~ ^[Yy]$ ]]; then exit 1; fi
	fi

	read -e -p "File owner (e.g. web server user): " -i $(whoami) destuser
	read -e -p "File permissions: " -i "0400" permissions

	sudopref=""
	if [[ ! -w $key ]]; then
	echo "Destination path is not writable for $(whoami), trying sudo..."
	sudopref="sudo"
	fi

	$sudopref bash -c "\
	openssl genrsa -out $key 2048 &&
	openssl req -new -sha256 -key $key -reqexts SAN -out $csr \
	-subj \"/C=US/ST=CA/O=$orgname/CN=$domain1\" \
	-config <(cat /etc/ssl/openssl.cnf ; printf \"\n[SAN]\nsubjectAltName=$dnslist\") &&
	openssl x509 -req -in $csr -CA $ROOTCERT -CAkey $ROOTKEY -out $cert -days $CERTDAYS -sha256 -CAcreateserial \
	-extfile <(printf \"subjectAltName=$dnslist\") &&
	chmod $permissions $cert $key && chown $destuser $cert $key && rm $csr"

	echo "Certificate is ready: $cert"
	echo "Private key: $key"
	echo "Root certificate (for importing to client OS): $(pwd)/$ROOTCERT"