diff --git a/basic_configs/ssl/CA.cnf.base b/basic_configs/ssl/CA.cnf.base
new file mode 100644
index 0000000..930da15
--- /dev/null
+++ b/basic_configs/ssl/CA.cnf.base
@@ -0,0 +1,16 @@
+[ req ]
+prompt = no
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+C = ${CA_COUNTRYCODE}
+ST = ${CA_STATEORTERRITORY}
+L = ${CA_LOCATION}
+O = ${CA_ORGNAME}
+
+[v3_ca]
+subjectKeyIdentifier = hash
+basicConstraints = critical,CA:TRUE
+keyUsage = cRLSign, keyCertSign
+nameConstraints = permitted;DNS:272254864.xyz
diff --git a/basic_configs/ssl/gen.fish b/basic_configs/ssl/gen.fish
index 10b0847..0216403 100755
--- a/basic_configs/ssl/gen.fish
+++ b/basic_configs/ssl/gen.fish
@@ -1,9 +1,17 @@
 #!/usr/bin/fish
-openssl genrsa -out key.pem 2048
+# setup vars
+envsubst CA.cnf
-openssl req -new -out server.csr -key key.pem -config local_cert.cnf
+# gen CA Root
+openssl genpkey -algorithm RSA -out self_ca.key -pkeyopt rsa_keygen_bits:4096
+openssl req -new -key self_ca.key -out ca.csr -extensions v3_ca -config CA.cnf
+openssl x509 -req -sha256 -days 365 -in ca.csr -signkey self_ca.key -extfile CA.cnf -out self_ca.crt -extensions v3_ca
-openssl x509 -req -days 9999 -in server.csr -signkey key.pem -out cert.pem -extensions v3_req -extfile local_cert.cnf
+# gen cert
+openssl genpkey -algorithm RSA -out local.key -pkeyopt rsa_keygen_bits:2048
+openssl req -new -key local.key -extensions v3_ca -out local.csr -config local_cert.cnf
+openssl x509 -req -sha256 -days 365 -in local.csr -CAkey self_ca.key -CA self_ca.crt -out local.crt -extfile local_cert.cnf -extensions v3_ca
-rm server.csr
+# cleanup
+rm self_ca.key ca.csr local.csr CA.cnf
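Review bot: `nameConstraints = permitted;DNS:272254864.xyz` in the `[v3_ca]` section is not marked critical, so a verifier that does not implement the extension is free to ignore it (RFC 5280 §4.2.1.10 requires conforming CAs to mark it critical); change the line to `nameConstraints = critical,permitted;DNS:272254864.xyz`. A permitted dNSName entry only constrains DNS subject alt names, so a leaf carrying an IP-address SAN is still accepted by implementations that follow the RFC; if this CA must never sign such certs, append `,excluded;IP:0.0.0.0/0.0.0.0,excluded;IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0` to the same line. Every DN field is an envsubst placeholder under `prompt = no`, so an unset variable leaves the field empty and `openssl req` may reject the subject; a comment at the top of the template, `# requires CA_COUNTRYCODE, CA_STATEORTERRITORY, CA_LOCATION and CA_ORGNAME in the environment`, would make that contract visible.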
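Review bot: `envsubst CA.cnf` never produces CA.cnf: envsubst reads the template on stdin and writes to stdout, and its positional argument is the list of variables to substitute rather than an input file, so the later `-config CA.cnf` and the final `rm CA.cnf` act on a file this script did not write; the line should read `envsubst < CA.cnf.base > CA.cnf`. The leaf certificate is signed with `-extensions v3_ca -extfile local_cert.cnf` where the old script used `v3_req`; local_cert.cnf is not in the diff, so confirm that section sets `basicConstraints = CA:FALSE`, a serverAuth `extendedKeyUsage` and a `subjectAltName` inside the CA's name constraint, otherwise local.crt is issued with CA extensions. `-CA`/`-CAkey` without `-CAserial` or `-CAcreateserial` fails on OpenSSL releases that require an existing serial file, and adding `-CAcreateserial` is harmless on newer ones. fish has no errexit, so a failing genpkey or req still falls through to `rm self_ca.key`; chaining each step with `; or exit 1`, and setting `umask 077` at the top so local.key (which survives cleanup) is not created world-readable, would make the failure mode and file permissions explicit.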