jbarber · April 24, 2017 09:00
diff --git a/sign.sh b/sign.sh
 export HOST=foo.example.com
 # Create a new CSR + key
 # If you want a more complicated subject, '/' seperate the fields
 openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST"

 # Create a new CSR + key with SAN
 echo -e "[SAN]\nsubjectAltName=DNS:$HOST,DNS:${HOST/foo/bar}\n" | \
  cat /etc/ssl/openssl.cnf - | \
  openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST" -reqexts SAN -config /dev/stdin

 # Sign certificate with CA
 cat <<'EOF' > openssl.cnf
 HOME      = .

 [ ca ]
 default_ca  = CA_default

 [ CA_default ] 
 dir           = ./CA            # Where everything is kept
 certs         = $dir/certs          # Where the issued certs are kept
 crl_dir       = $dir/crl            # Where the issued crl are kept
 database      = $dir/index.txt      # database index file.
 new_certs_dir = $dir/newcerts       # default place for new certs.
 serial        = $dir/serial         # The current serial number
 crlnumber     = $dir/crlnumber      # the current crl number
 crl           = $dir/crl.pem        # The current CRL
 RANDFILE      = $dir/private/.rand  # private random number file

 name_opt  = ca_default
 cert_opt  = ca_default

 default_days     = 3650
 default_crl_days = 30
 default_md       = default
 preserve         = no
 policy           = policy_anything

 [ policy_anything ]
 commonName              = supplied
 countryName             = optional
 stateOrProvinceName     = optional
 localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 emailAddress            = optional
 EOF

 mkdir -p CA/newcerts
 touch CA/index.txt{,.attr}
 echo '01' > CA/serial
 # Per CAB forum, limit cert validity to ~3 years (limit is actually 39 months)
 openssl ca -batch -keyfile ca-key.pem -cert ca-cert.pem -config openssl.cnf -in "$HOST.csr" -days $(( 30 * 12 * 3 ))
	export HOST=foo.example.com
	# Create a new CSR + key
	# If you want a more complicated subject, '/' seperate the fields
	openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST"

	# Create a new CSR + key with SAN
	echo -e "[SAN]\nsubjectAltName=DNS:$HOST,DNS:${HOST/foo/bar}\n" \| \
	cat /etc/ssl/openssl.cnf - \| \
	openssl req -nodes -keyout "$HOST.key" -out "$HOST.csr" -new -subj "/CN=$HOST" -reqexts SAN -config /dev/stdin

	# Sign certificate with CA
	cat <<'EOF' > openssl.cnf
	HOME = .

	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	dir = ./CA # Where everything is kept
	certs = $dir/certs # Where the issued certs are kept
	crl_dir = $dir/crl # Where the issued crl are kept
	database = $dir/index.txt # database index file.
	new_certs_dir = $dir/newcerts # default place for new certs.
	serial = $dir/serial # The current serial number
	crlnumber = $dir/crlnumber # the current crl number
	crl = $dir/crl.pem # The current CRL
	RANDFILE = $dir/private/.rand # private random number file

	name_opt = ca_default
	cert_opt = ca_default

	default_days = 3650
	default_crl_days = 30
	default_md = default
	preserve = no
	policy = policy_anything

	[ policy_anything ]
	commonName = supplied
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	emailAddress = optional
	EOF

	mkdir -p CA/newcerts
	touch CA/index.txt{,.attr}
	echo '01' > CA/serial
	# Per CAB forum, limit cert validity to ~3 years (limit is actually 39 months)
	openssl ca -batch -keyfile ca-key.pem -cert ca-cert.pem -config openssl.cnf -in "$HOST.csr" -days $(( 30 * 12 * 3 ))