initial revision.

d2d17958 · Xueshan Feng · d2d17958 · d2d17958 · d2d17958
Commit d2d17958 authored Apr 06, 2016 by Xueshan Feng
--- a/.gitignore
+++ b/.gitignore
+*.key
+*.csr
+site.cnf
--- a/create-star-cert-req.sh
+++ b/create-star-cert-req.sh
+#!/bin/bash -e
+#
+# Generate star ssl certificate request for a subdomain, e.g, *.anchorage.stanford.edu:
+#
+# ./create-star-cert-req.sh -s anchorage -o "IT Services" -e "emerging-tech@lists.stanford.edu"
+# 
+# Note: the subdomain key and the csr will be saved in your current working directory. 
+# 
+# If the subdomain is delegated to a cloud vendor, you will need to send the csr to its-ssl-service@lists.stanford.edu 
+# Otherwise you can use https://tools.stanford.edu/cgi-bin/cert-request form to submit your request. 
+# 
+
+# Default top domain
+domain="stanford.edu"
+
+while getopts ":s:o:e:" OPTION
+do
+  case $OPTION in
+    d)
+      domain=$OPTARG
+      ;;
+    s)
+      subdomain="${OPTARG%%/*}"
+      ;;
+    o)
+      ou=$OPTARG
+      ;;
+    e)
+      email=$OPTARG
+      ;;
+    ?)
+      echo "$0 -s <subdomain> -o <ou> -e <email>"
+      exit 0
+      ;;
+  esac
+done
+
+if [[ ! $subdomain|| ! $ou || ! $email || ! $domain ]]; then
+    echo "subdomain, ou, or email are missing."
+    echo "Usage: $0 -s <subdomain> -o <ou> -e <email>"
+    exit 1
+fi
+
+echo "creating the $subdomain.key and $subdomain.csr...."
+cat site.cnf.tmpl | sed "s/FQDN/$subdomain.$domain/;s/OU/$ou/;s/EMAIL/$email/" > site.cnf
+openssl req -new -config site.cnf  -rand /dev/urandom -nodes -keyout $subdomain.$domain.key -out $subdomain.$domain.csr
+
+echo "$subdomain.csr is generated:"
+openssl  req -text -noout -in $subdomain.$domain.csr
--- a/site.cnf.tmpl
+++ b/site.cnf.tmpl
+# OpenSSL configuration to generate a new key with signing requst for a x509v3 
+# multidomain certificate
+#
+# openssl req -config bla.cnf -new | tee csr.pem
+# or
+# openssl req -config bla.cnf -new -out csr.pem
+[ req ]
+default_bits       = 2048
+default_md         = sha512
+default_keyfile    = site.key
+prompt             = no
+encrypt_key        = no
+
+# base request
+distinguished_name = req_distinguished_name
+
+# extensions
+req_extensions     = v3_req
+
+# distinguished_name
+[ req_distinguished_name ]
+countryName            = "US"                     # C=
+stateOrProvinceName    = "CA"                     # ST=
+localityName           = "Stanford"          # L=
+organizationName       = "Stanford University"              # O=
+organizationalUnitName = "OU"          # OU=
+commonName             = "FQDN"        # CN=
+emailAddress           = "EMAIL"     # CN/emailAddress=
+
+# req_extensions
+[ v3_req ]
+# The subject alternative name extension allows various literal values to be 
+# included in the configuration file
+# http://www.openssl.org/docs/apps/x509v3_config.html
+
+#keyUsage = keyEncipherment, dataEncipherment, digitalSignature
+#extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = FQDN
+DNS.2 = *.FQDN