This repo contains bash scripts for issuing client and server certificates used for TESTING (not PRODUCTION).
USE at your OWN RISK!
- to create a new CA (and wipe any previous one)
  ./init-ca.sh
- to issue a server certificate providing multiple FQDNs and IPs (subjectAlternativeNames)
  ./gen-server-cert.sh myservername myservername.local 127.0.0.1
- to issue a client certificate
  ./gen-client-cert.sh kpe
Each time you issue a certificate, the following files are written locally. For example, calling:
./gen-server-cert.sh localhost 127.0.0.1
would result in (you would usually only need either the .p12 or the .key/.crt files):
- localhost.key - private key
- localhost.crt - signed certificate
- localhost-and-ca.crt - signed certificate and root CA chain
- localhost.p12 - PKCS12 key store with private key and certificate chain
- localhost.nopass.p12 - PKCS12 like above but without password
- localhost.pkcs12 - PKCS12 like above but with name/alias for the private key
- localhost.jks - a Java key store file
- localhost.csr - the certificate sign request
All password-protected key stores use the password specified in gencert.sh.
To renew a certificate, call the ./renew-cert.sh script with the certificate base file name and optional expiration in days:
./renew-cert.sh ca 3650 # for the root CA
./renew-cert.sh localhost # defaults to 365 days
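
To confirm that an issued server certificate chains to the test CA and covers every FQDN and IP you passed, and to decide when a renewal is due, the checks below can be sourced into your shell. This is an added example, not one of the repo's scripts; the function names are hypothetical and the CA certificate file name ca.crt is an assumption based on the "ca" base name used with renew-cert.sh.

```sh
#!/bin/sh
# Added example, not part of this repo. Assumption: the CA certificate is ca.crt.
# Usage after "./gen-server-cert.sh localhost 127.0.0.1":
#   check_server_cert localhost.crt ca.crt localhost 127.0.0.1
#   expires_within localhost.crt 30 && ./renew-cert.sh localhost

# check_server_cert CERT CA NAME...
# Succeeds only if CERT chains to CA, is currently valid, and matches every
# NAME. The body runs in a subshell, so its variables do not leak.
check_server_cert() (
  crt=$1 ca=$2 rc=0
  shift 2
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not verify against $ca" >&2
    rc=1
  fi
  for name in "$@"; do
    # IP literals must match an IP SAN; everything else is a host name.
    case $name in
      *:*)       flag=-checkip ;;    # IPv6 literal
      *[!0-9.]*) flag=-checkhost ;;  # contains a non-IPv4 character
      *)         flag=-checkip ;;    # digits and dots only: IPv4 literal
    esac
    if ! openssl x509 -in "$crt" -noout "$flag" "$name" 2>/dev/null |
         grep -q 'does match'; then
      echo "FAIL: $crt is not valid for $name" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ]
)

# expires_within CERT DAYS
# Succeeds if CERT expires within DAYS days (an unreadable CERT also counts).
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}
```

A client that connects by a name or IP missing from the certificate will fail hostname verification even though the chain is valid, which is the case the per-name loop catches.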