├── .gitignore
├── cert-details.png
├── cert-summary.png
├── gencert.sh
└── README.md

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*.crt
*.key

--------------------------------------------------------------------------------
/cert-details.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/frntn/x509-san/HEAD/cert-details.png

--------------------------------------------------------------------------------
/cert-summary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/frntn/x509-san/HEAD/cert-summary.png

--------------------------------------------------------------------------------
/gencert.sh:
--------------------------------------------------------------------------------
#!/bin/bash

:<<-USAGE
See https://github.com/frntn/x509-san/blob/master/README.md
USAGE

# Every file created below is readable by its owner only (the key ends up mode 0400).
umask 377

certname="${CRT_FILENAME:-"frntn-x509-san"}"

# Build the key and CSR in a process substitution (subject fields come from the
# CRT_* environment variables), then self-sign the CSR with that same key and
# attach the x509v3 extensions supplied through -extfile.
# Note: basicConstraints CA:true marks this self-signed certificate as a CA;
# pathlen:0 stops it from being used to issue further intermediate CAs.
openssl x509 \
  -in <(
    openssl req \
      -days 3650 \
      -newkey rsa:4096 \
      -nodes \
      -keyout "${certname}.key" \
      -subj "/C=${CRT_C:-"FR"}/L=${CRT_L:-"Paris"}/O=${CRT_O:-"Frntn"}/OU=${CRT_OU:-"DevOps"}/CN=${CRT_CN:-"base.example.com"}"
  ) \
  -req \
  -signkey "${certname}.key" \
  -sha256 \
  -days 3650 \
  -out "${certname}.crt" \
  -extfile <(echo -e "basicConstraints=critical,CA:true,pathlen:0\nsubjectAltName=${CRT_SAN:-"DNS.1:logs.example.com,DNS.2:metrics.example.com,IP.1:192.168.0.1,IP.2:10.0.0.50"}")

# The certificate is public data, so relax it to owner read/write; the private key keeps its 0400 mode.
chmod 600 "${certname}.crt"

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# frntn/x509-san

Generate a self-signed x509v3 certificate for use with multiple URLs / IPs

## Generate

#### Default values

```bash
curl -sSL https://raw.githubusercontent.com/frntn/x509-san/master/gencert.sh | CRT_CN="client.com" CRT_SAN="DNS.1:www.client.com,DNS.2:admin.client.com,IP.1:192.168.1.10,IP.2:10.0.0.234" bash
```

#### Custom values

Simply **change the `CRT_CN` and `CRT_SAN` values** of the above command to fit your needs.

Additionally, you can use any of these environment variables:
- `CRT_C`: Country value
- `CRT_L`: Locality value
- `CRT_O`: Organization value
- `CRT_OU`: Organizational Unit value
- `CRT_CN`: Common Name value
- `CRT_SAN`: SubjectAltName value

#### Result

The command will generate two files:
- PKCS#8 private key: `frntn-x509-san.key`
- x509v3 certificate: `frntn-x509-san.crt`

You can then check the certificate content with the standard `x509` command:

```bash
openssl x509 -in frntn-x509-san.crt -noout -text
```

## Secure

The generated private key is passwordless by default.

You can secure/unsecure it using the standard `pkcs8` commands:

```bash
# secure
openssl pkcs8 -in frntn-x509-san.key -topk8 -v2 des3 -out frntn-x509-san.secure.key

# unsecure
openssl pkcs8 -in frntn-x509-san.secure.key -topk8 -nocrypt -out frntn-x509-san.key
```

## Screenshots

With the default values, the certificate will look like this *(screenshots from the Chrome certificate viewer)*:

![certificate-viewer-summary](cert-summary.png)
![certificate-viewer-extensions-details](cert-details.png)

## Additional Reading

- OpenSSL's Subject Alternative Name [documentation](https://www.openssl.org/docs/apps/x509v3_config.html#Subject-Alternative-Name)
- SubjectAltName page on [wikipedia](https://en.wikipedia.org/wiki/SubjectAltName)
--------------------------------------------------------------------------------
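The "Result" section of the README only dumps the certificate as text; the script below is an added example, not part of frntn/x509-san, that builds a SAN certificate the same way gencert.sh does (with constructed subject and SAN values and a 2048-bit key) and then asks openssl's own name matcher which hostnames and IPs the certificate is actually valid for. It assumes the `openssl` CLI with `-checkhost`/`-checkip` (OpenSSL 1.0.2 or newer) is installed.

```shell
#!/bin/sh
# Added example, not part of frntn/x509-san: build a SAN certificate the same way
# gencert.sh does (req -> x509 -req -extfile), then ask openssl which names and
# addresses the certificate is actually valid for. All values are constructed.
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to demo" >&2; exit 0; }
set -e

work="$(mktemp -d)"                # throwaway directory, removed on exit
trap 'rm -rf "$work"' EXIT
key="$work/demo.key"; csr="$work/demo.csr"; crt="$work/demo.crt"
# The CN is deliberately absent from the SAN list (see the client.com check below).
subj="/C=FR/L=Paris/O=Frntn/OU=DevOps/CN=client.com"
san="DNS.1:www.client.com,DNS.2:admin.client.com,IP.1:192.168.1.10,IP.2:10.0.0.234"

# Key + CSR, then self-sign with the same x509v3 extensions gencert.sh uses.
gen_cert() {
  umask 077
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -subj "$subj" -out "$csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:true,pathlen:0\nsubjectAltName=%s\n' "$san" > "$work/ext.cnf"
  openssl x509 -req -sha256 -days 365 -in "$csr" -signkey "$key" \
    -extfile "$work/ext.cnf" -out "$crt" 2>/dev/null
}

# Print the SAN entries as one comma-separated line, e.g. "DNS:www.client.com,...,IPAddress:10.0.0.234".
list_sans() {
  openssl x509 -in "$crt" -noout -text | awk '/Subject Alternative Name/ { getline; print }' | tr -d ' '
}

# Succeed only when openssl's own matcher (X509_check_host) accepts the name for this cert.
host_ok() { openssl x509 -in "$crt" -noout -checkhost "$1" | grep -q 'does match'; }
# Same for an IP address (X509_check_ip_asc).
ip_ok()   { openssl x509 -in "$crt" -noout -checkip "$1" | grep -q 'does match'; }

gen_cert
echo "SAN: $(list_sans)"
# client.com is the CN but not a SAN: once dNSName entries exist the CN is ignored
# (RFC 6125 behaviour), so it reports "no match" even though it sits in the subject.
for name in www.client.com admin.client.com client.com; do
  if host_ok "$name"; then echo "$name: match"; else echo "$name: no match"; fi
done
for ip in 10.0.0.234 127.0.0.1; do
  if ip_ok "$ip"; then echo "$ip: match"; else echo "$ip: no match"; fi
done
```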