38 lines
921 B
Bash
Executable file
38 lines
921 B
Bash
Executable file
#!/bin/sh
|
|
tmp=$(mktemp -d)
|
|
trap 'rm -rf -- "$tmp"' EXIT
|
|
|
|
# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
|
|
openssl req -x509 -nodes \
|
|
-newkey RSA:2048 \
|
|
-keyout "$tmp/ca.key" \
|
|
-days 365 \
|
|
-out "$tmp/ca.cert" \
|
|
-subj '/CN=hd_root'
|
|
|
|
rm secrets/tlskey.age
|
|
openssl req -nodes \
|
|
-newkey rsa:2048 \
|
|
-keyout - \
|
|
-out "$tmp/server.csr" \
|
|
-subj '/CN=lan' \
|
|
| agenix -e secrets/tlskey.age
|
|
|
|
cat > "$tmp/extfile" << EOF
|
|
subjectAltName=DNS:roam.lan,DNS:*.roam.lan,DNS:git.lan
|
|
authorityKeyIdentifier=keyid,issuer
|
|
basicConstraints=CA:FALSE
|
|
keyUsage=digitalSignature,keyEncipherment
|
|
extendedKeyUsage=serverAuth
|
|
EOF
|
|
|
|
openssl x509 -req \
|
|
-CA "$tmp/ca.cert" \
|
|
-CAkey "$tmp/ca.key" \
|
|
-in "$tmp/server.csr" \
|
|
-out pki/server.cert \
|
|
-days 365 \
|
|
-CAcreateserial \
|
|
-extfile "$tmp/extfile"
|
|
|
|
mv "$tmp/ca.cert" pki/ca.cert
|