mrts · May 11, 2021 08:44
diff --git a/generate-ssl-cert-for-webserver.bash b/generate-ssl-cert-for-webserver.bash
 set -e
 set -u

 CERT_HOSTNAME=www.example.com

 # create private CA key

 openssl genrsa -out $CERT_HOSTNAME-CA.key 2048

 # create private CA certificate

 openssl req \
  -x509 \
  -nodes \
  -new \
  -key $CERT_HOSTNAME-CA.key \
  -out $CERT_HOSTNAME-CA.crt \
  -subj /CN=$CERT_HOSTNAME-ROOT-CA \
  -sha256 \
  -days 3650

 # create webserver key

 openssl genrsa -out $CERT_HOSTNAME.key 2048

 # assure subject alternative name is set to hostname, Chrome >= v58 requires this

 (cat /etc/ssl/openssl.cnf; printf "[SAN]\nsubjectAltName=DNS:$CERT_HOSTNAME") > /tmp/$CERT_HOSTNAME-openssl.cnf

 # create webserver certificate signing request

 openssl req \
  -new \
  -key $CERT_HOSTNAME.key \
  -out $CERT_HOSTNAME.req \
  -subj /CN=$CERT_HOSTNAME \
  -reqexts SAN \
  -extensions SAN \
  -config /tmp/$CERT_HOSTNAME-openssl.cnf

 # create webserver certificate by signing the certificate signing request

 openssl x509 \
  -req \
  -in $CERT_HOSTNAME.req \
  -out $CERT_HOSTNAME.crt \
  -CA $CERT_HOSTNAME-CA.crt \
  -CAkey $CERT_HOSTNAME-CA.key \
  -CAcreateserial \
  -CAserial $CERT_HOSTNAME-CA.serial \
  -extensions SAN \
  -extfile /tmp/$CERT_HOSTNAME-openssl.cnf \
  -sha256 \
  -days 3650

 # copy the certificates and keys to a safe system location

 sudo mkdir -p /etc/ssl/$CERT_HOSTNAME
 sudo mv -i *.key /etc/ssl/$CERT_HOSTNAME
 sudo mv -i *.crt /etc/ssl/$CERT_HOSTNAME
 sudo mv -i *.serial /etc/ssl/$CERT_HOSTNAME
 sudo chgrp ssl-cert /etc/ssl/$CERT_HOSTNAME/*.key
 sudo chmod 640 /etc/ssl/$CERT_HOSTNAME/*.key

 # install the CA certificate to system certificate store

 cd /usr/local/share/ca-certificates/
 sudo ln -sf /etc/ssl/$CERT_HOSTNAME/*-CA.crt .
 sudo update-ca-certificates
	set -e
	set -u

	CERT_HOSTNAME=www.example.com

	# create private CA key

	openssl genrsa -out $CERT_HOSTNAME-CA.key 2048

	# create private CA certificate

	openssl req \
	-x509 \
	-nodes \
	-new \
	-key $CERT_HOSTNAME-CA.key \
	-out $CERT_HOSTNAME-CA.crt \
	-subj /CN=$CERT_HOSTNAME-ROOT-CA \
	-sha256 \
	-days 3650

	# create webserver key

	openssl genrsa -out $CERT_HOSTNAME.key 2048

	# assure subject alternative name is set to hostname, Chrome >= v58 requires this

	(cat /etc/ssl/openssl.cnf; printf "[SAN]\nsubjectAltName=DNS:$CERT_HOSTNAME") > /tmp/$CERT_HOSTNAME-openssl.cnf

	# create webserver certificate signing request

	openssl req \
	-new \
	-key $CERT_HOSTNAME.key \
	-out $CERT_HOSTNAME.req \
	-subj /CN=$CERT_HOSTNAME \
	-reqexts SAN \
	-extensions SAN \
	-config /tmp/$CERT_HOSTNAME-openssl.cnf

	# create webserver certificate by signing the certificate signing request

	openssl x509 \
	-req \
	-in $CERT_HOSTNAME.req \
	-out $CERT_HOSTNAME.crt \
	-CA $CERT_HOSTNAME-CA.crt \
	-CAkey $CERT_HOSTNAME-CA.key \
	-CAcreateserial \
	-CAserial $CERT_HOSTNAME-CA.serial \
	-extensions SAN \
	-extfile /tmp/$CERT_HOSTNAME-openssl.cnf \
	-sha256 \
	-days 3650

	# copy the certificates and keys to a safe system location

	sudo mkdir -p /etc/ssl/$CERT_HOSTNAME
	sudo mv -i *.key /etc/ssl/$CERT_HOSTNAME
	sudo mv -i *.crt /etc/ssl/$CERT_HOSTNAME
	sudo mv -i *.serial /etc/ssl/$CERT_HOSTNAME
	sudo chgrp ssl-cert /etc/ssl/$CERT_HOSTNAME/*.key
	sudo chmod 640 /etc/ssl/$CERT_HOSTNAME/*.key

	# install the CA certificate to system certificate store

	cd /usr/local/share/ca-certificates/
	sudo ln -sf /etc/ssl/$CERT_HOSTNAME/*-CA.crt .
	sudo update-ca-certificates