1 | 1 | #!/bin/sh |
2 | 2 |
3 | 3 | ME=$(basename $0) |
4 | | -KEY=/etc/nginx/certs/server.key |
5 | | -CERT=/etc/nginx/certs/server.pem |
| 4 | +CERTS_DIR=/etc/nginx/certs |
| 5 | +ROOT_KEY=$CERTS_DIR/root-ca.key |
| 6 | +ROOT_CERT=$CERTS_DIR/root-ca.crt |
| 7 | +KEY=$CERTS_DIR/server.key |
| 8 | +CERT=$CERTS_DIR/server.pem |
| 9 | +CSR=$CERTS_DIR/server.csr |
| 10 | +EXT_FILE=$CERTS_DIR/server-ext.cnf |
6 | 11 | CN=$SSL_DOMAIN |
7 | 12 | SAN=$SSL_ALT_NAME |
8 | 13 |
9 | 14 | if [ -f $KEY ] && [ -f $CERT ]; then |
10 | 15 | echo "$ME: Server certificate already exists, do nothing." |
11 | 16 | else |
12 | | - if [ -n "$SAN" ]; then |
13 | | - openssl req -x509 -newkey rsa:2048 -keyout $KEY \ |
14 | | - -out $CERT -sha256 -days 3650 -nodes -subj "/CN=$CN" -addext "subjectAltName = $SAN" |
15 | | - else |
16 | | - openssl req -x509 -newkey rsa:2048 -keyout $KEY \ |
17 | | - -out $CERT -sha256 -days 3650 -nodes -subj "/CN=$CN" |
18 | | - fi |
19 | | - echo "$ME: Server certificate has been generated." |
| 17 | + openssl req -x509 -newkey rsa:2048 -keyout $ROOT_KEY -out $ROOT_CERT \ |
| 18 | + -sha256 -days 3650 -nodes -subj "/CN=$CN Root CA" |
| 19 | + |
| 20 | + openssl req -newkey rsa:2048 -keyout $KEY -out $CSR \ |
| 21 | + -nodes -subj "/CN=$CN" |
| 22 | + |
| 23 | + { |
| 24 | + echo "basicConstraints = CA:FALSE" |
| 25 | + echo "keyUsage = digitalSignature, keyEncipherment" |
| 26 | + echo "extendedKeyUsage = serverAuth" |
| 27 | + if [ -n "$SAN" ]; then |
| 28 | + echo "subjectAltName = $SAN" |
| 29 | + fi |
| 30 | + } > $EXT_FILE |
| 31 | + |
| 32 | + openssl x509 -req -in $CSR -CA $ROOT_CERT -CAkey $ROOT_KEY \ |
| 33 | + -CAcreateserial -out $CERT -sha256 -days 3650 -extfile $EXT_FILE |
| 34 | + |
| 35 | + rm -f $CSR $EXT_FILE $CERTS_DIR/root-ca.srl |
| 36 | + echo "$ME: Root CA and server certificate have been generated." |
| 37 | + echo "$ME: Import $ROOT_CERT into your browser to trust the certificate." |
20 | 38 | fi |
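Review bot: The root CA private key generated at new lines 17–18 is written with `-nodes`, given no explicit file mode, carries no constraint on what it may sign, and is left in `$CERTS_DIR` next to the nginx key after the server certificate is signed, while line 37 tells users to import the matching certificate into their browsers; anyone who can read that file can then mint certificates those browsers will trust for any name. At minimum tighten the mode once both keys exist, `chmod 600 $ROOT_KEY $KEY`, and limit the CA by adding `-addext "basicConstraints = critical, CA:TRUE, pathlen:0"` to the root `openssl req` (the removed code already used `-addext`, so the installed OpenSSL supports it); a `nameConstraints` extension for the intended domain is a further option where the toolchain honors it. If re-signing is not needed, the CA key could be deleted together with the CSR at line 35, leaving only the certificate to distribute. Separately, the script sets no `set -e`, so a failing `openssl x509 -req` still reaches the `rm -f` and the "have been generated" message; `set -eu` after the shebang would stop at the first failing openssl call.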