env/utils/gen-ec-cert.sh


#!/bin/sh
# Print the command synopsis on stderr and exit with status 1.
# Called for every option-parsing problem (unknown flag, missing
# argument, non-numeric -d value, wrong number of operands).
usage()
{
  prog=${0##*/}
  cat >&2 <<EOF
Usage: $prog [-c curve] [-d days] domain
EOF
  exit 1
}
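# Print the non-negative decimal integer given as its argument(s). The
# arguments are joined with a space, as before, so "tonumber 1 2" is
# rejected as non-numeric.
#
# Only ASCII digits are accepted. printf(1)'s %u, which this relied on
# previously, silently read "010" as octal and "0x10" as hex, wrapped
# negative values around to huge unsigned numbers and turned "" into 0 --
# none of which is what a caller validating "-d days" wants.
#
# Outputs: the value with leading zeros stripped, on stdout ("000" -> "0").
# Returns: 0 on success, 1 (with a message on stderr) for anything that is
#          not a plain decimal integer.
tonumber()
{
  _num=$*
  case $_num in
    '' | *[!0-9]*)
      printf "not a non-negative integer: '%s'\n" "$_num" >&2
      return 1
      ;;
  esac
  # Strip leading zeros so no later consumer can take the value for octal;
  # ${x%%[!0]*} is the run of leading zeros, ${x#...} removes it.
  _num=${_num#"${_num%%[!0]*}"}
  printf "%s\n" "${_num:-0}"
}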
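# Defaults: NIST P-384 and a ten-year validity. -c is passed straight to
# openssl as the ec_paramgen_curve name; an unknown curve fails there.
curve=secp384r1
days=3650
while getopts c:d: flag; do
  case $flag in
    c)
      [ -n "$OPTARG" ] || usage
      curve=$OPTARG
      ;;
    d)
      # tonumber rejects anything that is not a plain integer.
      days=$(tonumber "$OPTARG") || usage
      ;;
    *)
      usage
      ;;
  esac
done
shift $((OPTIND - 1))
[ $# -eq 1 ] && [ -n "$1" ] || usage
domain=$1
# The domain is used both as a file-name prefix ("$domain.key",
# "$domain.pem") and inside the X.509 subject ("/CN=$domain"). A '/'
# would therefore either leave the current directory or inject extra RDNs
# into the subject, '\' is an escape character for -subj, whitespace is
# never valid in a host name, and a leading '-' (reachable only after a
# "--" operand) is never a valid DNS label.
case $domain in
  */* | *\\* | *[[:space:]]* | -*)
    printf "%s: invalid domain name: '%s'\n" "${0##*/}" "$domain" >&2
    exit 1
    ;;
esac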
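# Generate the passphrase-protected EC private key. The umask is set in a
# subshell so only the key is created mode 0600; the certificate written
# below keeps the caller's umask. -aes256 without -pass makes openssl prompt
# for the passphrase on the terminal, which is why the result is checked by
# hand below. Note that an existing "$domain.key" is overwritten.
(umask 077 && openssl genpkey -aes256 \
  -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key")
if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then
  # openssl doesn't return an error code if there is a password mismatch
  # or a password too short, and it creates the output file anyways.
  # "--" keeps a name starting with '-' from being read as an rm option.
  rm -f -- "$domain.key"
  exit 1
fi
# Self-signed certificate carrying the domain as CN only. No subjectAltName
# is set; clients that require a SAN (most current browsers) will reject
# it, so add -addext "subjectAltName=DNS:$domain" (OpenSSL >= 1.1.1) if the
# certificate is meant for such clients. The script's exit status is that
# of this command.
openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
  -key "$domain.key" -out "$domain.pem"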