Write a Cakefile describing your CA and the certificates you need, then build everything with cake:
```console
£ ls
Cakefile
£ cat Cakefile
ca Cake Corporation Internal CA
email root@cake.com
domain www.cake.com
email webmaster@cake.com
size 1024
domain mail.cake.com
email postmaster@cake.com
alt imap.cake.com
alt smtp.cake.com
£ cake
🍰 new CA key
Generating RSA private key, 4096 bit long modulus
[...]
🍰 summary:
🍰 new CA key
🍰 new CA cert
🍰 new key for www.cake.com
🍰 new cert for www.cake.com
🍰 new key for mail.cake.com
🍰 new cert for mail.cake.com
🍰 all up to date!
£ ls
Cakefile
ca.cert.pem
ca.key.pem
mail.cake.com.cert.pem
mail.cake.com.key.pem
www.cake.com.cert.pem
www.cake.com.key.pem
```
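To make the Cakefile semantics concrete, here is an added example (not part of cake itself) that parses the file shown above into the certificates cake would build, emits the `DNS:...` subjectAltName string for each one, and flags the weak key sizes cake accepts without complaint. The grammar (directives attach to the most recent `ca` or `domain` line) and the default key size being unspecified are assumptions, as is listing the CN first in the SAN.

```python
from dataclasses import dataclass, field
# Constructed sample: the Cakefile from the session above.
SAMPLE_CAKEFILE = """\
ca Cake Corporation Internal CA
email root@cake.com
domain www.cake.com
email webmaster@cake.com
size 1024
domain mail.cake.com
email postmaster@cake.com
alt imap.cake.com
alt smtp.cake.com
"""

@dataclass
class Cert:
    cn: str
    email: "str | None" = None
    size: "int | None" = None  # None means cake's default, which the README does not state
    alts: list = field(default_factory=list)

    def san(self) -> str:
        # Value for an env-var driven subjectAltName; listing the CN first is this example's choice.
        return ",".join(f"DNS:{name}" for name in [self.cn, *self.alts])

def parse_cakefile(text: str) -> tuple:
    """Return (ca_name, ca_email, certs); email/size/alt attach to the most recent ca/domain."""
    ca_name, ca_email, certs, current = "", None, [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if not key:
            continue  # blank line
        if key == "ca":
            ca_name, current = value, None
        elif key == "domain":
            certs.append(current := Cert(cn=value))
        elif key == "email" and current is None:
            ca_email = value
        elif key == "email":
            current.email = value
        elif key == "size" and current is not None:
            current.size = int(value)
        elif key == "alt" and current is not None:
            current.alts.append(value)
        else:
            raise ValueError(f"unexpected Cakefile directive: {line!r}")
    return ca_name, ca_email, certs

def weak_keys(certs: list, minimum: int = 2048) -> list:
    # CNs with an explicit RSA size below `minimum`; cake builds them without complaint.
    return [c.cn for c in certs if c.size is not None and c.size < minimum]
```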
- Generated keys don't bother with passphrases
- Only use cake on hardware you trust, I guess?
- Lots of output from openssl passed directly to you, unedited
- No support for anything other than CN=[fqdn] with DNS:... subjectAltNames!
- But who uses anything else?!
- Maybe it should support user certificates?
- Full support for using weak 1024 bit keys though
- Not hard to use: it's a piece of cake!
- Jamie Nguyen's excellent documentation on how to do this properly, by hand.
- Debian Administration's guide to using Eric Young and Tim Hudson's original scripts (1996!) that ship with OpenSSL. If it ain't broke, rewrite it.
- Stack Exchange answer on passing subjectAltName as an environment variable, instead of hard-coding in the config file.