OpenSSL - RSA - Client and Server Chains Generation
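#!/bin/sh
# Builds a small RSA test PKI: a self-signed root CA, an intermediate CA signed
# by the root, and one server ("end") and one client leaf certificate signed by
# the intermediate. Also writes PEM chain files and a DER copy of the root.
#
# Requires ./openssl.cnf in the working directory with the sections referenced
# below (v3_inter, v3_end, v3_client, alt_names). The `openssl req` invocations
# do not pass -config, so they use the system-wide OpenSSL configuration; the
# local openssl.cnf is only read through -extfile in the signing steps.
#
# All private keys are written unencrypted (-nodes): test material only.
set -xe

# Root CA: self-signed, RSA-4096, valid 10 years.
openssl req -nodes \
    -x509 \
    -days 3650 \
    -newkey rsa:4096 \
    -keyout ca.key \
    -out ca.cert \
    -sha256 \
    -batch \
    -subj "/CN=rsa-ca"

# Intermediate CA request (RSA-3072); signed by the root further down.
openssl req -nodes \
    -newkey rsa:3072 \
    -keyout inter.key \
    -out inter.req \
    -sha256 \
    -batch \
    -subj "/CN=rsa-inter"

# Server leaf request (RSA-2048). The hostnames that matter are added later
# from the alt_names section of openssl.cnf; the CN is informational.
openssl req -nodes \
    -newkey rsa:2048 \
    -keyout end.key \
    -out end.req \
    -sha256 \
    -batch \
    -subj "/CN=testserver.com"

# Second copy of the server key for consumers that want the other PEM
# encoding. Which encoding `openssl rsa -out` emits is version dependent:
# OpenSSL 1.1.x writes traditional PKCS#1 "RSA PRIVATE KEY", OpenSSL 3.x
# writes PKCS#8 unless -traditional is given.
openssl rsa \
    -in end.key \
    -out end.rsa

# Client leaf request (RSA-2048) and its re-exported key, as for the server.
openssl req -nodes \
    -newkey rsa:2048 \
    -keyout client.key \
    -out client.req \
    -sha256 \
    -batch \
    -subj "/CN=rsa-client"
openssl rsa \
    -in client.key \
    -out client.rsa

# Sign the intermediate with the root. Serial numbers are fixed (-set_serial)
# for reproducibility; every run therefore issues fresh keys under the same
# serials, which is acceptable only for a throwaway test PKI.
openssl x509 -req \
    -in inter.req \
    -out inter.cert \
    -CA ca.cert \
    -CAkey ca.key \
    -sha256 \
    -days 3650 \
    -set_serial 123 \
    -extensions v3_inter -extfile openssl.cnf

# Sign the server and client leaves with the intermediate.
openssl x509 -req \
    -in end.req \
    -out end.cert \
    -CA inter.cert \
    -CAkey inter.key \
    -sha256 \
    -days 2000 \
    -set_serial 456 \
    -extensions v3_end -extfile openssl.cnf
openssl x509 -req \
    -in client.req \
    -out client.cert \
    -CA inter.cert \
    -CAkey inter.key \
    -sha256 \
    -days 2000 \
    -set_serial 789 \
    -extensions v3_client -extfile openssl.cnf

# PEM bundles, leaf first, root last. *.chain holds only the issuers
# (intermediate + root); *.fullchain additionally starts with the leaf itself.
cat inter.cert ca.cert > end.chain
cat end.cert inter.cert ca.cert > end.fullchain
cat inter.cert ca.cert > client.chain
cat client.cert inter.cert ca.cert > client.fullchain

# DER copy of the root for tools that do not read PEM.
openssl x509 -in ca.cert -outform DER -out ca.der

# Make sure no private key material is group/world readable, whatever mode
# the OpenSSL version in use created the files with.
chmod 600 ca.key inter.key end.key client.key end.rsa client.rsa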
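[ v3_end ]
# Server (end-entity) certificate extensions; applied when the intermediate
# signs end.req with `-extensions v3_end -extfile openssl.cnf`.
# Not a CA; critical so validators cannot ignore it.
basicConstraints = critical,CA:false
# digitalSignature is what (EC)DHE cipher suites and TLS 1.3 need from an
# RSA server key; keyEncipherment would be required only for legacy static
# RSA key exchange and is deliberately not granted here.
keyUsage = nonRepudiation, digitalSignature
# Restrict the leaf to TLS server use, mirroring the clientAuth-only EKU in
# v3_client. The issuing intermediate's EKU already includes serverAuth, so
# this stays within what the chain allows.
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
# keyid:always needs the issuer to carry a subjectKeyIdentifier; v3_inter
# sets one.
authorityKeyIdentifier = keyid:always,issuer:always
# Hostnames live in the SAN (see [ alt_names ]); modern clients match the
# server name against SAN, not the CN.
subjectAltName = @alt_names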
[ v3_client ]
# Client (mutual-TLS) certificate extensions; applied when the intermediate
# signs client.req with `-extensions v3_client -extfile openssl.cnf`.
# Not a CA; critical so validators cannot ignore it.
basicConstraints = critical,CA:false
keyUsage = nonRepudiation, digitalSignature
# Critical, clientAuth-only EKU: this certificate cannot be presented as a
# TLS server certificate.
extendedKeyUsage = critical, clientAuth
subjectKeyIdentifier = hash
# keyid:always needs the issuer to carry a subjectKeyIdentifier; v3_inter
# sets one.
authorityKeyIdentifier = keyid:always,issuer:always
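[ v3_inter ]
# Intermediate CA extensions; applied when the root signs inter.req with
# `-extensions v3_inter -extfile openssl.cnf`.
subjectKeyIdentifier = hash
# Link to the root for chain building. The non-"always" form is used because
# the root is produced by `openssl req -x509` under the system config, and
# whether it carries a subjectKeyIdentifier depends on that config.
authorityKeyIdentifier = keyid,issuer
# RFC 5280 requires basicConstraints to be critical in CA certificates.
# pathlen:0 forbids this CA from issuing further sub-CAs; in this PKI it only
# signs the server and client leaves.
basicConstraints = critical, CA:true, pathlen:0
# Only the bits a signing CA needs (keyCertSign/cRLSign, plus digitalSignature
# for signed responses such as OCSP). Encipherment/agreement bits are not
# granted to the CA key.
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
# EKU on a CA certificate: OpenSSL and several other validators only accept a
# leaf whose EKU is compatible with every issuer's EKU, so this bounds what
# the intermediate can issue to TLS server and client certificates.
extendedKeyUsage = critical, serverAuth, clientAuth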
[ alt_names ]
# DNS names placed in the server certificate's subjectAltName (referenced from
# v3_end via `subjectAltName = @alt_names`). DNS.1 repeats the request's CN
# because modern clients match hostnames against SAN entries, not the CN.
DNS.1 = testserver.com
DNS.2 = second.testserver.com
DNS.3 = localhost