Generate TLS certificate signed by root certificate

.gitignore

/root.crt
/root.key
/root.srl
/*.crt
/*.csr
/*.key
/*.packed.pem
/*.fullchain

generate-root-certificate.sh

#!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'

openssl req -new -newkey rsa:2048 -sha256 -days 3650 -x509 -extensions v3_ca -keyout root.key -out root.crt

generate-root-signed-certificate.sh

#!/usr/bin/env bash
# http://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line
# https://blog.zencoffee.org/2013/04/creating-and-signing-an-ssl-cert-with-alternative-names/
set -euo pipefail
IFS=$'\n\t'

OPENSSL_CONF='/usr/local/etc/openssl/openssl.cnf'

if [[ "$#" -lt 1 ]]; then
    echo "Usage: $0 <domain> [<filename>] [<alternative domains>...]"
    exit 1
fi

DOMAIN="$1"
NAME="${2:-$DOMAIN}"
ALTERNATIVES="$(python - "${@:3}" <<EOF
import sys
sys.stdout.write("DNS:$DOMAIN")
for arg in sys.argv[1:]:
	sys.stdout.write(",DNS:%s" % arg)
EOF
)"

# generate private key
openssl genrsa -out "$NAME.key" 2048

CONFIG="$(mktemp)"
cat "$OPENSSL_CONF" > "$CONFIG"
tee -a "$CONFIG" <<EOC >/dev/null
[ req ]
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $ALTERNATIVES
EOC

# generate signing request
openssl req -new -nodes -sha256 -subj "/CN=$DOMAIN" \
	-config "$CONFIG" \
	-key "$NAME.key" -out "$NAME.csr"

openssl req -in "$NAME.csr" -text -noout

# generate public certificate
openssl x509 -req -sha256 -days 180 -in "$NAME.csr" \
 	-extensions v3_req \
	-extfile "$CONFIG" \
	-CA root.crt -CAkey root.key -CAcreateserial \
	-out "$NAME.crt"

# remove signing request
rm "$NAME.csr"
rm "$CONFIG"

cat "$NAME.crt" "root.crt" > "$NAME.fullchain"