@tbeyer567
Created June 9, 2022 15:30
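# ca.cnf — OpenSSL configuration for the throwaway root CA.
# Read by `openssl req -config ca.cnf -x509 ...` in the accompanying script.
# OpenSSL config syntax: `#` full-line comments, `$dir` expanded by OpenSSL,
# section names case-sensitive.

[ca]
default_ca = CA_default

# Settings for `openssl ca`. The accompanying script signs with
# `openssl x509 -req` instead, so this section is not exercised by it.
# NOTE: `openssl ca` additionally requires a `policy` key, which is not set here.
[CA_default]
# Directory and file locations.
dir = .
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# private_key is the CA's key file, certificate its certificate;
# the two values were swapped in the original file.
private_key = tmp-ca-key.pem
certificate = tmp-ca.pem

[req]
distinguished_name = req_distinguished_name
# `x509_extensions` is the key `openssl req -x509` reads for the self-signed
# certificate (the original used `extensions`, which req does not read; the
# script's `-extensions root_ca` option selects the same section explicitly).
x509_extensions = root_ca
req_extensions = root_ca
prompt = no

# Extensions for the self-signed CA certificate.
[root_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 lets this CA issue end-entity certs only, not intermediate CAs.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# Subject of the CA certificate (prompt = no: values are taken as-is).
[req_distinguished_name]
countryName = US
stateOrProvinceName = CA
localityName = San Francisco
organizationName = HashiCorp
commonName = HashiCorp Vault Self-signed CA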
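#!/bin/bash
# Issue a throwaway self-signed CA and one server certificate signed by it.
# Reads ca.cnf, server.cnf and server-extensions.cnf from the current directory
# and writes keys, CSR and certificates under ./out.
#
# Abort on the first failing openssl invocation instead of continuing with
# half-written outputs (the final `openssl verify` then also fails the script).
set -euo pipefail

# Validity period in days for both certificates; override with DAYS=<n>.
DAYS="${DAYS:-365}"

test -d out || mkdir out

# Private keys are written unencrypted (-nodes); create every file
# owner-readable only and relax the public artifacts afterwards.
umask 077

# Create CA key and cert
openssl req \
-config ca.cnf \
-new \
-x509 \
-extensions root_ca \
-days "$DAYS" \
-out out/ca.pem \
-newkey rsa:2048 \
-nodes \
-keyout out/ca-key.pem

# Create server certificate signing request
openssl req \
-config server.cnf \
-out out/server.csr \
-newkey rsa:2048 \
-nodes \
-keyout out/cert-key.pem

# Sign CSR and issue server cert; extensions come from server-extensions.cnf,
# not from the CSR.
openssl x509 \
-req \
-days "$DAYS" \
-in out/server.csr \
-extensions req_ext \
-extfile ./server-extensions.cnf \
-out out/cert.pem \
-CA out/ca.pem \
-CAkey out/ca-key.pem \
-CAcreateserial \
-CAserial out/ca.srl

# Certificates are public; only the *-key.pem files need to stay private.
chmod 0644 out/ca.pem out/cert.pem

# Inspect server certificate and verify chain
openssl x509 -in out/cert.pem -noout -text
openssl verify -CAfile out/ca.pem out/cert.pem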
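# server-extensions.cnf — X.509 v3 extensions applied to the issued server
# certificate via `openssl x509 -req -extensions req_ext -extfile server-extensions.cnf`.

[req_ext]
# End-entity certificate: must never act as a CA.
basicConstraints = CA:FALSE
# Restrict the certificate to TLS server use. Without an extendedKeyUsage
# the certificate is accepted for any purpose (client auth, signing, ...).
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# Wildcard covers a single label under example.net (not example.net itself).
DNS.1 = *.example.net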
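# server.cnf — OpenSSL configuration for the server key and CSR.
# Read by `openssl req -config server.cnf ...` in the accompanying script.

[req]
# Key size used when no -newkey is given on the command line.
default_bits = 2048
distinguished_name = req_distinguished_name
# Extensions requested in the CSR. `openssl x509 -req` by default takes the
# issued certificate's extensions from -extfile, not from the CSR, so keep
# this section in step with server-extensions.cnf.
req_extensions = req_ext
prompt = no

# Subject of the server certificate (prompt = no: values are taken as-is).
[req_distinguished_name]
countryName = US
stateOrProvinceName = CA
localityName = San Francisco
organizationName = HashiCorp
commonName = HashiCorp Vault Self-Signed Server Certificate

[req_ext]
# End-entity certificate: must never act as a CA.
basicConstraints = CA:FALSE
# Restrict the certificate to TLS server use; matches server-extensions.cnf.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# Wildcard covers a single label under example.net (not example.net itself).
DNS.1 = *.example.net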