💾 Archived View for thrig.me › tech › ssl › minimum-ca.sh captured on 2023-07-22 at 18:23:31.

View Raw

More Information

⬅️ Previous capture (2023-05-24)

-=-=-=-=-=-=-

#!/bin/sh
# minimum-ca - create a minimal Certificate Authority certificate, a
# certificate with a signing request, and sign that request

# TWEAK change the details as need be
name=minca
keysize=4096
digest=-sha256
subjfoo='C=US/ST=Washington/L=Seattle/O=None'

# create the certificate authority keypair
( umask 0077
  [ -f "$name".key ] || openssl genrsa -out "$name".key "$keysize"
)
openssl req -x509 -new -nodes -key "$name".key -out "$name".cert -days 1826 \
"$digest" -subj /CN=Minimum\ CA/"$subjfoo"

# generate a certificate signing request
openssl req -new -nodes -out "$name"-test.csr -newkey rsa:"$keysize" \
-keyout "$name"-test.key -subj /CN=localhost/"$subjfoo"

# sign the certificate signing request
cat > "$name"-test.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
openssl x509 -req -in "$name"-test.csr -CA "$name".cert -CAkey "$name".key \
-CAcreateserial -out "$name"-test.cert -days 365 "$digest" \
-extfile "$name"-test.ext