@brian9206
Last active August 2, 2018 20:44
Create certificate with custom CA
#!/bin/bash
# Issue a certificate for the given domains/IPs, signed by a custom CA.
# Expects rootCA.crt and rootCA.key in the current directory.
# The first domain entered becomes the CN and the base name of the output files.
set -e

# Config
COUNTRY="HK"
STATE="Hong Kong"
ORGANIZATION="Brian Choi"

# Create cert folder
mkdir -p cert

# Get domains
echo 'Enter your domains (Separated by space):'
read -r -a domains
# Check the number of entries, not the length of the first one
if [ "${#domains[@]}" -eq 0 ]
then
    echo 'ERROR: No domain found.'
    exit 1
fi
name="${domains[0]}"

# Get IPs
echo 'Enter your IPs (Separated by space, optional):'
read -r -a ips

# Print result
echo
echo "Settings:"
for ((i = 0; i < ${#domains[@]}; i++)); do
    echo "DNS.$((i + 1))=${domains[$i]}"
done
for ((i = 0; i < ${#ips[@]}; i++)); do
    echo "IP.$((i + 1))=${ips[$i]}"
done
echo
echo "Is that ok? (Enter to continue)"
read -r

# Create domain.ext (X.509 v3 extensions, including the SAN list)
cat > "cert/$name.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
EOF
for ((i = 0; i < ${#domains[@]}; i++)); do
    echo "DNS.$((i + 1))=${domains[$i]}" >> "cert/$name.ext"
done
for ((i = 0; i < ${#ips[@]}; i++)); do
    echo "IP.$((i + 1))=${ips[$i]}" >> "cert/$name.ext"
done

# Create private key (written unencrypted, so restrict it to the owner)
openssl genrsa -out "cert/$name.key" 2048
chmod 600 "cert/$name.key"

# Create CSR
openssl req -new -sha256 -key "cert/$name.key" -subj "/C=$COUNTRY/ST=$STATE/O=$ORGANIZATION/CN=$name" -out "cert/$name.csr"

# Create certificate (prompts for the rootCA.key passphrase)
openssl x509 -req -in "cert/$name.csr" -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out "cert/$name.crt" -days 3650 -sha256 -extfile "cert/$name.ext"

echo
echo Done
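
The script above writes whatever is typed at the prompts into the `.ext` file, the `-subj` string and the output file names. The following added example (not part of the original gist; function names are hypothetical, and only IPv4 addresses are handled) validates the entries first and builds the `[alt_names]` section from them:

```bash
#!/usr/bin/env bash
# Added example (not from the gist): validate SAN input before it is written
# to the .ext file, the -subj string or a file path. Function names are
# hypothetical; only IPv4 addresses are handled.

# Hostname with RFC 1123 labels; one leading "*." wildcard label is allowed.
is_dns_name() {
    local LC_ALL=C name=${1#\*.} label labels
    local re='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case ".$name." in *..*) return 1 ;; esac        # empty label
    [[ ${name##*.} =~ ^[0-9]+$ ]] && return 1       # looks like an IP, not a name
    IFS=. read -ra labels <<< "$name"
    for label in "${labels[@]}"; do
        [[ $label =~ $re ]] || return 1             # rejects "/", "*", "=", ...
    done
}

# Dotted-quad IPv4 with every octet in 0..255.
is_ipv4() {
    local octet re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
    [[ $1 =~ $re ]] || return 1
    for octet in "${BASH_REMATCH[@]:1}"; do
        (( 10#$octet <= 255 )) || return 1          # 10# avoids octal parsing
    done
}

# Print the [alt_names] section for the arrays "domains" and "ips" (the names
# the script uses); return 1 on the first invalid entry, before any file is written.
build_alt_names() {
    local i out='[alt_names]'
    [ "${#domains[@]}" -gt 0 ] || { echo 'ERROR: No domain found.' >&2; return 1; }
    for i in "${!domains[@]}"; do
        is_dns_name "${domains[$i]}" || { echo "ERROR: bad DNS name: ${domains[$i]}" >&2; return 1; }
        out+=$'\n'"DNS.$((i + 1))=${domains[$i]}"
    done
    for i in "${!ips[@]}"; do
        is_ipv4 "${ips[$i]}" || { echo "ERROR: bad IPv4 address: ${ips[$i]}" >&2; return 1; }
        out+=$'\n'"IP.$((i + 1))=${ips[$i]}"
    done
    printf '%s\n' "$out"
}

# Constructed sample input.
domains=(example.test '*.example.test')
ips=(192.0.2.10)
build_alt_names
```

`build_alt_names` prints the `[alt_names]` header as well, so in the script it would stand in for that line and for both loops that append `DNS.n` and `IP.n` entries.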
brian9206 commented Aug 2, 2018

Create the CA by using the following commands before using the above script:

# Create root ca key
openssl genrsa -des3 -out rootCA.key 4096

# Create CA
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt
