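#!/bin/bash
# Generate an RSA private key and a certificate signing request (CSR) for
# $site_name, optionally carrying subject alternative names (SANs).
#
# Outputs (relative to the current directory):
#   outssl/<site_name>.key  - unencrypted private key (-nodes)
#   outssl/<site_name>.csr  - the CSR to hand to the CA
#
# Env: OPENSSL_CONF, if set, names the base openssl.cnf that the [SAN]
# section is appended to; otherwise the config directory reported by
# `openssl version -d` is used.
#
# Every value below is inserted verbatim into the -subj string; a "/" inside
# a value would be read by openssl as a field separator and is not escaped here.
site_name="example.walton.uark.edu"
email_address="[email protected]"
organization="University of Arkansas"
organizational_unit="Sam M. Walton College of Business"
country="US"
state="AR"
city="Fayetteville"
# true/false: whether to add a subjectAltName extension to the request
use_subject_alternative_names=true
# common name MUST also be included as subject alternative name
# per RFC 6125 (https://tools.ietf.org/html/rfc6125#section-6.4.4), published in 2011:
# the validator must check SAN first, and if SAN exists, then CN should not be checked.
# http://stackoverflow.com/a/5937270/4233593
# failure to include CN as one of the SANs will result in certificate errors in some browsers
declare -a subject_alternative_names=(
  "$site_name"
  "*.$site_name"
)

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

out_dir="outssl"
# The private key is written under out_dir: make the directory and every file
# created below owner-only instead of relying on openssl's own key-file mode.
umask 077
mkdir -p -- "$out_dir"

subject="/emailAddress=$email_address/CN=$site_name/O=$organization/OU=$organizational_unit/C=$country/ST=$state/L=$city"

# Arguments live in an array (not a string handed to eval) so that values
# containing spaces or shell metacharacters reach openssl unchanged.
openssl_args=(
  req -new -nodes -sha256
  -newkey rsa:2048
  -keyout "$out_dir/$site_name.key"
  -out "$out_dir/$site_name.csr"
  -subj "$subject"
)

if [[ "$use_subject_alternative_names" == true ]]; then
  (( ${#subject_alternative_names[@]} > 0 )) \
    || die "use_subject_alternative_names is true but subject_alternative_names is empty"

  # Build "DNS:a,DNS:b"; printf reuses the format once per array element.
  printf -v sanstring 'DNS:%s,' "${subject_alternative_names[@]}"
  sanstring=${sanstring%,}   # trim trailing comma

  if [[ -z "${OPENSSL_CONF:-}" ]]; then
    # get default openssl.cnf
    # thanks Jeff Walton http://stackoverflow.com/a/37042289/4233593
    openssl_dir=$(openssl version -d | cut -d '"' -f2)
    opensslcnf="$openssl_dir/openssl.cnf"
  else
    opensslcnf="$OPENSSL_CONF"
  fi
  [[ -r "$opensslcnf" ]] || die "cannot read openssl config: $opensslcnf"

  # Feed openssl the base config with a [SAN] section appended. The SAN list
  # is passed to printf as an argument, never as part of the format string;
  # the leading newline keeps [SAN] off the last line of a config that lacks
  # a trailing newline.
  openssl "${openssl_args[@]}" -reqexts SAN \
    -config <(cat -- "$opensslcnf"; printf '\n[SAN]\nsubjectAltName=%s\n' "$sanstring")
else
  openssl "${openssl_args[@]}"
fi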