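#!/bin/bash
# Generate a "modern" self-signed TLS server certificate: P-384 EC key,
# SHA-256 signature, subjectAltName listing every hostname and IP given.
#
# Interactive inputs (defaults can be pre-seeded from the environment):
#   hostname  default for the hostname prompt; the first hostname becomes the
#             CN, the issuer, and the "<cn>.key.pem" / "<cn>.cert.pem" prefix
#   ip        default for the IP-address prompt
#   days      validity in days (default 10000 — see the caveat below)
#
# Outputs: ./<cn>.key.pem (owner-only, via umask) and ./<cn>.cert.pem
set -u
set -e
set -o pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Every entry ends up in two injection-sensitive places: the first hostname
# is spliced into output file paths, and all entries are spliced into a
# comma-separated SAN list inside an openssl config (where ',' is a list
# separator, '#' starts a comment and '$' triggers variable expansion).
# A strict whitelist sidesteps all of that; '*' is kept for wildcard names
# and ':' for IPv6 literals.
validate_entry() {
  [[ $1 =~ ^[A-Za-z0-9.:*_-]+$ ]] || die "refusing unsafe hostname/IP entry: '$1'"
}

echo 'Hostnames (space-separated, 1st will be CN, issuer, and filename prefix): '
read -r -e -i "${hostname:-host.example.com}" hostnames
echo 'IP addresses (space-separated): '
read -r -e -i "${ip:-192.168.2.1}" ips

# Private key material must never be group/world readable, not even briefly.
umask 0077

cn=''
dn=''
san_dns=''
san_ip=''

# Intentionally unquoted: the prompt line is word-split into entries.
for h in ${hostnames}; do
  validate_entry "${h}"
  if [[ -z ${cn} ]]; then
    cn="${h}"
    dn="CN=${h}"
  fi
  san_dns="DNS:${h},${san_dns}"
done

for i in ${ips}; do
  validate_entry "${i}"
  san_ip="IP:${i},${san_ip}"
done

[[ -n ${cn} ]] || die 'at least one hostname is required'

# Both lists end in a comma; join them and drop the trailing one.
subjectAltName="${san_dns}${san_ip}"
subjectAltName="${subjectAltName%,}"

key_file="${cn}.key.pem"
cert_file="${cn}.cert.pem"

openssl ecparam -genkey -name secp384r1 -noout -out "${key_file}"

# Caveat on validity: the 10000-day default is convenient for lab use, but
# some clients (notably Apple platforms) refuse TLS server certificates valid
# for more than 825 days — export days=825 (or less) when that matters.
#
# Extensions: explicit leaf-certificate constraints so the result cannot be
# (mis)used as a CA and so its purpose is unambiguous to strict verifiers
# (recent OpenSSL otherwise tends to emit basicConstraints=CA:TRUE for
# self-signed req -x509 output). keyUsage=digitalSignature is all ECDSA needs.
# NOTE: -sha256 is kept for compatibility; -sha384 would match P-384 strength.
openssl req -new -x509 \
  -key "${key_file}" \
  -sha256 \
  -days "${days:-10000}" \
  -extensions san_details \
  -out "${cert_file}" \
  -config <(printf '[req]\nprompt=no\nutf8=yes\ndistinguished_name=dn_details\nreq_extensions=san_details\n[dn_details]\n%s\n[san_details]\nsubjectAltName=%s\nbasicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\n' "${dn}" "${subjectAltName}")

echo "All done, cert data follows:"
# SHA-256 fingerprint is what peers will pin / compare out of band.
openssl x509 -in "${cert_file}" -noout -fingerprint -sha256
openssl x509 -in "${cert_file}" -noout -text
ls -l "./${key_file}" "./${cert_file}"
# __END__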