@ibejohn818
Last active February 10, 2024 21:24
openssl one liners
#!/usr/bin/env bash
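# ca: self-signed root certificate and private key
# -nodes writes ca.key unencrypted (OpenSSL 3.0+ also accepts -noenc); restrict access to the file
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
  -nodes -keyout ca.key -out ca.pem -subj "/C=US/ST=CA/O=Lab/OU=Engineering/CN=ca.johnhardy.io" \
  -addext "subjectAltName=DNS:ca.johnhardy.io,IP:10.0.0.1"
# server csr: new key plus a request carrying the SANs the certificate should have
openssl req -new -newkey rsa:4096 -nodes \
  -subj "/C=US/ST=CA/O=Lab/OU=Engineering/CN=johnhardy.io" \
  -keyout johnhardy.io.key \
  -addext "subjectAltName=DNS:johnhardy.io,DNS:*.johnhardy.io,IP:10.0.0.1" \
  -out johnhardy.io.csr
# ext for client and server auth (optional, add to a csr command)
#-addext "extendedKeyUsage = serverAuth, clientAuth"
# more key options (cRLSign and keyCertSign are CA usages, leave them off server and client certs)
#-addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment, cRLSign, keyCertSign"
# sign server csr
# -copy_extensions needs OpenSSL 3.0+; "copy" puts every extension the CSR requests into the
# certificate, so inspect a CSR you did not create first: openssl req -in <csr> -noout -text
openssl x509 -req -days 3650 \
  -in johnhardy.io.csr \
  -copy_extensions copy \
  -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out johnhardy.io.pem
# client csr
openssl req -new -newkey rsa:4096 -nodes \
  -subj "/C=US/ST=CA/O=Lab/OU=Engineering/CN=client.johnhardy.io" \
  -keyout client.johnhardy.io.key \
  -addext "subjectAltName=DNS:client.johnhardy.io,IP:10.0.0.1" \
  -out client.johnhardy.io.csr
# sign client csr (same CA, extensions copied from the CSR as above)
openssl x509 -req -days 3650 \
  -in client.johnhardy.io.csr \
  -copy_extensions copy \
  -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out client.johnhardy.io.pem
# create client PFX/P12: client cert and key, with the CA cert bundled via -certfile
# "pass:password" is a placeholder and is visible in the process list and shell history;
# -passout also accepts file:<path> and env:<VAR>
openssl pkcs12 -export \
  -out client.johnhardy.io.p12 \
  -inkey client.johnhardy.io.key \
  -in client.johnhardy.io.pem \
  -passout "pass:password" \
  -certfile ca.pem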
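
The signing commands above use -copy_extensions copy, so the certificate contains whatever the CSR asked for. The script below is an added example, not part of the original gist: it signs with a CA-side -extfile instead, so the CA decides basicConstraints, keyUsage and extendedKeyUsage, then checks the result with openssl verify -purpose. The *.example.test names, the temp directory and the helper functions sign_leaf, purpose_ok and cert_has are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: throwaway lab PKI in a temp dir. All *.example.test names are
# constructed; 2048-bit keys and 1-day lifetimes only keep the demo quick.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

# Throwaway CA, same shape as the CA command in the gist.
openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \
  -keyout ca.key -out ca.pem -subj "/CN=ca.example.test" 2>/dev/null

# sign_leaf NAME EKU: the CSR asks for CA:TRUE (a mistaken or hostile request);
# the CA ignores CSR extensions and writes its own from NAME.ext.
sign_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf '%s\n' \
    "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=$2" \
    "subjectAltName=DNS:$1" > "$1.ext"
  openssl x509 -req -days 1 -sha256 -in "$1.csr" -extfile "$1.ext" \
    -CA ca.pem -CAkey ca.key -CAcreateserial -out "$1.pem" 2>/dev/null
}

# purpose_ok NAME PURPOSE: chain to ca.pem and check the purpose (sslserver, sslclient).
purpose_ok() { openssl verify -CAfile ca.pem -purpose "$2" "$1.pem" >/dev/null 2>&1; }

# cert_has NAME PATTERN: true if the issued certificate's text dump contains PATTERN.
cert_has() { openssl x509 -in "$1.pem" -noout -text | grep -q "$2"; }

sign_leaf server.example.test serverAuth
sign_leaf client.example.test clientAuth

for n in server.example.test client.example.test; do
  cert_has "$n" "CA:TRUE" && echo "$n: CA:TRUE leaked from CSR" || echo "$n: CA:FALSE"
  purpose_ok "$n" sslserver && echo "$n: valid as TLS server" || echo "$n: rejected as TLS server"
  purpose_ok "$n" sslclient && echo "$n: valid as TLS client" || echo "$n: rejected as TLS client"
done
```

Each certificate should pass only the purpose the CA assigned, and neither should carry CA:TRUE even though both CSRs requested it.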