#!/bin/sh

# http://www.vanemery.com/Linux/Apache/apache-SSL.html

CA="C=RU
ST=ST
O=MyOrg
localityName=Minsk
commonName=My Name
organizationalUnitName=None
emailAddress=myemail@gmail.com"

CERT="commonName=7x7.test
organization=MyOrg
organizationalUnitName=None"

EXTS="
[req]
x509_extensions = v3_ca

[v3_ca]
nsCertType              = server
keyUsage                = digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
subjectAltName          = @alt_names
[alt_names]
DNS.1   = localhost
DNS.2   = 7x7.test
DNS.3   = *.7x7.test
IP.1   = 127.0.0.1
"

extfile="/tmp/openssl.conf.tmp"

# this creates a CA certificate, which should be added as trusted to operating system keychain / browser CA list

openssl genrsa -out "localhost-ca.key" 4096
openssl req -new -x509 -days 3650 -key "localhost-ca.key" -out "localhost-ca.crt" -subj "/$(echo "$CA" | tr "\n" "/")"

echo "$EXTS" > $extfile

openssl genrsa -out "7x7.test.key" 4096
openssl req -new -key "7x7.test.key" -out "7x7.test.csr" -subj "/$(echo "$CERT" | tr "\n" "/")" -sha256
openssl x509 -req -in "7x7.test.csr" -out "7x7.test.crt" -sha256 -CA "localhost-ca.crt" -CAkey "localhost-ca.key" -CAcreateserial -days 3650 -extfile "$extfile" -extensions v3_ca

rm -f "$extfile"