2021-08-24 12:48:30 +00:00
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
|
|
|
set -eEuo pipefail
|
2021-09-22 15:06:06 +00:00
|
|
|
unset CDPATH
|
2021-08-24 12:48:30 +00:00
|
|
|
|
2021-09-22 15:06:06 +00:00
|
|
|
# force the script to first switch to the directory containing the script before
|
|
|
|
# messing with the filesystem
|
|
|
|
cd "$(dirname "$0")"
|
2021-08-24 12:48:30 +00:00
|
|
|
rm -rf *.crt *.key
|
|
|
|
|
|
|
|
openssl genrsa -out ca-root.key 4096
|
|
|
|
openssl req -x509 -new -nodes -key ca-root.key -out ca-root.crt \
|
|
|
|
-subj "/C=US/ST=CA/O=/CN=SDS Test CA Cert" \
|
|
|
|
-sha256 -days 3650
|
|
|
|
|
|
|
|
function gen_cert {
|
|
|
|
local FILE_NAME=$1
|
|
|
|
local DNS_NAME=$2
|
|
|
|
|
|
|
|
openssl genrsa -out "$FILE_NAME.key" 2048
|
|
|
|
openssl req -new -key "$FILE_NAME.key" -out "$FILE_NAME.csr" \
|
|
|
|
-reqexts SAN \
|
|
|
|
-config <(cat /etc/ssl/openssl.cnf \
|
|
|
|
<(printf "\n[SAN]\nsubjectAltName=DNS:$DNS_NAME")) \
|
|
|
|
-subj "/C=US/ST=CA/O=/CN=$DNS_NAME"
|
|
|
|
|
|
|
|
openssl x509 -req -in "$FILE_NAME.csr" \
|
|
|
|
-CA ca-root.crt -CAkey ca-root.key -CAcreateserial \
|
|
|
|
-out "$FILE_NAME.crt" -days 3650 -sha256 \
|
|
|
|
-extfile <(printf "subjectAltName=DNS:$DNS_NAME")
|
|
|
|
|
|
|
|
rm "$FILE_NAME.csr"
|
|
|
|
}
|
|
|
|
|
|
|
|
DOMAINS="www.example.com foo.example.com *.ingress.consul"
|
|
|
|
|
|
|
|
for domain in $DOMAINS
|
|
|
|
do
|
2021-09-22 15:06:06 +00:00
|
|
|
# * in file names is interpreted as a global and all sorts of things go
|
2021-08-24 12:48:30 +00:00
|
|
|
# strange!
|
|
|
|
FILE_NAME="$domain"
|
|
|
|
if [ ${domain:0:2} == "*." ]; then
|
|
|
|
FILE_NAME="wildcard.${domain:2}"
|
|
|
|
fi
|
|
|
|
gen_cert $FILE_NAME $domain
|
|
|
|
done
|