#!/bin/sh usage() { printf "Usage: %s [-c curve] [-d days] domain\n" "${0##*/}" >&2 exit 1 } tonumber() { printf "%u\n" "$*" } curve=secp384r1 days=3650 while getopts c:d: flag; do case $flag in c) [ -n "$OPTARG" ] || usage curve=$OPTARG ;; d) days=$(tonumber "$OPTARG") || usage ;; *) usage ;; esac done shift $((OPTIND - 1)) [ $# -eq 1 ] && [ -n "$1" ] || usage domain=$1 if [ -f "$domain.key" ]; then printf "%s: key for %s already exists; reusing it.\n" \ "${0##*/}" "$domain" >&2 else (umask 077 && openssl genpkey -aes256 \ -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" \ -out "$domain.key") if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then # openssl doesn't return an error code if there is a password # mismatch or a password too short, and it creates the output # file anyways rm -f "$domain.key" exit 1 fi fi openssl req -new -x509 -days "$days" -subj "/CN=$domain" \ -key "$domain.key" -out "$domain.pem"