Copy the cert gen script from cro-tls

Patrick Böker · Patrick Böker · commit 7632145b3cd8 · 2024-07-18T14:50:00.000+02:00
I only just noticed there already is such a script. Just use that.
diff --git a/xt/certs-and-keys/my.conf b/xt/certs-and-keys/my.conf
@@ -0,0 +1,21 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+
+[dn]
+C = CZ
+ST = Central Bohemia
+L = Prague
+O = CA
+OU = IT
+CN = localhost
+emailAddress = foo@example.net
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
diff --git a/xt/certs-and-keys/refresh.sh b/xt/certs-and-keys/refresh.sh
diff --git a/xt/certs-and-keys/tls.sh b/xt/certs-and-keys/tls.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Generate self signed root CA cert
+openssl req -days 365 -config my.conf -nodes -x509 -newkey rsa:4096 -keyout ca.key -out ca-crt.pem -subj "/C=CZ/ST=Central Bohemia/L=Prague/O=CA/OU=IT/CN=localhost/emailAddress=foo@example.net"
+
+# Generate server cert to be signed
+openssl req -nodes -newkey rsa:4096 -keyout server-key.pem -out server.csr -subj "/C=CZ/ST=Central Bohemia/L=Prague/O=foo/OU=IT/CN=localhost/emailAddress=foo@example.net"
+
+# Sign the server cert
+openssl x509 -req -days 365 -in server.csr -CA ca-crt.pem -CAkey ca.key -CAcreateserial -out server-crt.pem -extensions req_ext -extfile my.conf
+
+# Clean up extra files
+rm ca-crt.srl ca.key server.csr
+
+# Verify certs validate correctly
+echo "-----"
+echo "Verifying certs"
+openssl verify -CAfile ca-crt.pem ca-crt.pem
+openssl verify -CAfile ca-crt.pem server-crt.pem
