OpenSSLで代替名入りの自己証明書をコマンド一発で作成する

自己証明書を作成するスクリプトは探せばみつかるとはおもいますが、代替名入りの自己証明書をコマンド一発で作成する記事は見かけなかったので、備忘録として挙げておくことにしました。
以下のスクリプトを 例えば sv113-gen-cert.shとして保存し、実行するだけでOKです。

#!/bin/bash
openssl req -x509 -days 3650 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -extensions v3_req -config - << EOF
HOME			= .

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

x509_extensions	= usr_cert		# The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
distinguished_name	= req_distinguished_name
x509_extensions	= v3_ca	# The extentions to add to the self signed cert

prompt = no

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName			= JP

stateOrProvinceName		= jp

localityName			= jp

0.organizationName		= Example Company

organizationalUnitName		= location00

commonName			= sv113.location00.example.com

emailAddress			= admin@example.com

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth,clientAuth

subjectAltName = @alt_names

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

[ alt_names ]
DNS.1 = sv113.location00.xronos-msys.com
IP.1 = 172.16.113.113
EOF

今回は決め打ちにしていますが、例えば commonNameやDNS.1などを変数にしたい場合は、コマンド一発ではありませんが、以下のようにすると良いと思います。

# 変数を環境変数として設定
DNS1=sv113.location00.xronos-msys.com
IP1=172.16.113.113 
# 環境変数を含むヒアドキュメントを標準入力で与える
openssl req -x509 -days 3650 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -extensions v3_req -config - << EOF
--snip
commonName			= $DNS1
--snip
[ alt_names ]
DNS.1 = $DNS1
IP.1 = $IP1

なお、"-extenions v3_req" の記述がないと代替名が入りませんので注意してください。
今回は以上です。それでは。