...
This script requires a self-signed Certificate Authority (CA) to be present, which it uses to sign all certs. If your organisation restricts self-signed root CAs, you can still adapt this script to generate all the certificate requests (certreq) and have them signed by an external root CA.
For the purpose of this script, you can quickly generate a CA cert using:
```bash
# -passout sets the passphrase that encrypts the newly generated CA private key
openssl req -new -x509 -keyout ca-key.key -out ca-cert.crt -days 365 -passout pass:sameAsOthers
```
For convenience, you can keep the same password for everything. Always store passwords separately from code, and never share them with anyone outside the authorized user list.
Since hostname verification is enabled by default, the script honours X509v3 extensions so that Subject Alt Names (SAN) are added. By default, OpenSSL will not add SAN info to your signed cert unless an ext file is also provided. This script does just that: it sets up both the SAN and the CN.
Please adjust the variable values and X500 Distinguished Name settings to your needs. Windows users can run this script in the MinGW bash shell (if you use Git, it's the best route).
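The SAN behaviour described above, shown as an added example (not the page's script): the same CSR is signed twice, once without and once with an extension file, and only the second certificate carries SAN entries. The host name, file names, passphrase and the `v3_req` section name are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the page's script. Host name, file names and passphrase are constructed.
set -eu
HOST="broker1.example.internal"      # hypothetical host name
PASS="example-only-pass"             # placeholder; load from a secret store in real use
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT           # the throwaway CA key must not outlive the demo

# Throwaway CA (encrypted key, hence -passout) plus an unencrypted host key and CSR.
make_ca_and_csr() {
  openssl req -new -x509 -newkey rsa:2048 -keyout "$WORK/ca-key.key" \
    -out "$WORK/ca-cert.crt" -days 365 -subj "/CN=Example Test CA" \
    -passout "pass:$PASS" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/host.key" \
    -out "$WORK/host.csr" -subj "/CN=$HOST" 2>/dev/null
}

# Extension file: the only place the SAN entries come from when the CA signs.
write_ext() {
  printf '[v3_req]\nsubjectAltName = DNS:%s, DNS:localhost, IP:127.0.0.1\n' "$HOST" \
    > "$WORK/san.ext"
}

# sign_csr OUT [EXTFILE]: sign host.csr with the CA key (read with -passin).
sign_csr() {
  out="$1"; ext="${2:-}"
  set -- -req -in "$WORK/host.csr" -CA "$WORK/ca-cert.crt" -CAkey "$WORK/ca-key.key" \
    -CAcreateserial -days 365 -sha256 -passin "pass:$PASS" -out "$out"
  if [ -n "$ext" ]; then set -- "$@" -extfile "$ext" -extensions v3_req; fi
  openssl x509 "$@" 2>/dev/null
}

# Succeeds only if the certificate carries a SAN entry for $HOST.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$HOST"
}

make_ca_and_csr
write_ext
sign_csr "$WORK/no-san.crt"                     # no ext file: SAN is absent
sign_csr "$WORK/with-san.crt" "$WORK/san.ext"   # ext file supplied: SAN is present
for c in no-san with-san; do
  if has_san "$WORK/$c.crt"; then echo "$c.crt: SAN present"; else echo "$c.crt: SAN missing"; fi
done
```

Running `has_san` against each issued certificate before deployment catches a missing SAN that would otherwise surface only as a hostname verification failure at connection time.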
...