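#!/bin/sh
# minimum-ca - create a minimal Certificate Authority certificate, a
# certificate with a signing request, and sign that request
#
# Files written to the current directory:
#   $name.key        CA private key (kept if it already exists)
#   $name.cert       self-signed CA certificate
#   $name-test.key   private key for the test certificate
#   $name-test.csr   certificate signing request for CN=localhost
#   $name-test.ext   X.509 v3 extensions applied when signing
#   $name-test.cert  test certificate signed by the CA
# plus the serial number file that -CAcreateserial creates.
#
# Both private keys are written unencrypted (-nodes), so file permissions
# are their only protection on disk.

# Stop at the first failed step: without this a failed key generation would
# still let the later commands run against missing or stale files.
set -eu

# TWEAK change the details as need be
name=minca
keysize=4096
digest=-sha256
subjfoo='C=US/ST=Washington/L=Seattle/O=None'

# create the certificate authority keypair
# The subshell keeps the restrictive umask from leaking to the certificate
# files below; an existing CA key is reused rather than overwritten.
(
  umask 0077
  if [ ! -f "$name".key ]; then
    openssl genrsa -out "$name".key "$keysize"
  fi
)

# Self-signed CA certificate, valid for 1826 days.
# NOTE(review): whether this certificate carries basicConstraints CA:TRUE
# depends on the openssl.cnf in effect - confirm with
# `openssl x509 -in "$name".cert -noout -text`.
openssl req -x509 -new -nodes -key "$name".key -out "$name".cert -days 1826 \
  "$digest" -subj /CN=Minimum\ CA/"$subjfoo"

# generate a certificate signing request
# -newkey writes a fresh private key, so this step gets the same restrictive
# umask as the CA key instead of relying on the openssl build to choose the
# file mode. The CSR written alongside it ends up owner-only as well.
(
  umask 0077
  openssl req -new -nodes -out "$name"-test.csr -newkey rsa:"$keysize" \
    -keyout "$name"-test.key -subj /CN=localhost/"$subjfoo"
)

# sign the certificate signing request
# The delimiter is quoted because nothing in the extension file is meant to
# be expanded by the shell.
cat > "$name"-test.ext << 'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

# basicConstraints=CA:FALSE above keeps the issued certificate from acting
# as a CA itself; subjectAltName limits it to localhost / 127.0.0.1.
openssl x509 -req -in "$name"-test.csr -CA "$name".cert -CAkey "$name".key \
  -CAcreateserial -out "$name"-test.cert -days 365 "$digest" \
  -extfile "$name"-test.ext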