| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 |
- #!/bin/bash
- set -euo pipefail
- CN="${1:-}"
- HOST="${2:-}"
- if [[ -z "$CN" || -z "$HOST" ]]; then
- echo "Usage: $0 <CN> <HOST>" >&2
- exit 1
- fi
- # Set up working temp dir
- WORKDIR=$(mktemp -d)
- trap "rm -rf $WORKDIR" EXIT
- CA_KEY="ca.key"
- CA_CERT="ca.pem"
- # === Ensure CA exists ===
- if [[ ! -f $CA_KEY || ! -f $CA_CERT ]]; then
- echo "🔧 Generating CA..."
- openssl genrsa -out $CA_KEY 4096
- openssl req -x509 -new -nodes -key $CA_KEY -sha256 -days 3650 -out $CA_CERT \
- -subj "/CN=Local Dev CA"
- fi
- # === Generate key and CSR ===
- openssl genrsa -out "$WORKDIR/key.pem" 2048
- openssl req -new -key "$WORKDIR/key.pem" -out "$WORKDIR/cert.csr" \
- -subj "/CN=$CN"
- cat > "$WORKDIR/cert.ext" <<EOF
- authorityKeyIdentifier=keyid,issuer
- basicConstraints=CA:FALSE
- keyUsage = digitalSignature, keyEncipherment
- extendedKeyUsage = serverAuth, clientAuth
- subjectAltName = DNS:$HOST
- EOF
- # === Sign cert ===
- openssl x509 -req \
- -in "$WORKDIR/cert.csr" \
- -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
- -out "$WORKDIR/cert.pem" -days 825 -sha256 -extfile "$WORKDIR/cert.ext"
- # === Build full chain and mark alias ===
- cat "$WORKDIR/cert.pem" "$CA_CERT" > "$WORKDIR/chain.pem"
- cp "$CA_CERT" "$WORKDIR/ca.pem"
- echo "$CN" > "$WORKDIR/alias"
- # === Emit tarball to stdout ===
- tar -C "$WORKDIR" -cf - cert.pem key.pem chain.pem ca.pem alias
|
