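#!/usr/bin/bash
set -eu

# These openssl commands create the following files in the current directory:
#  - selfsigned-ca.key is the private key of the certificate authority
#  - selfsigned-ca.pem is a self-signed certificate chain for a certificate authority
#  - db_server.key is a new private key
#  - db_server.csr is a new signing request with the following attributes:
#      Subject: CN = db_server.local
#    db_server.csr must be signed by db_server.key
#  - db_server.ext holds the extension applied when the request is signed:
#      Subject Alternative Name:
#        DNS: db_server, DNS: db_server.local
#  - db_server.pem is the signed certificate produced by the certificate
#    authority from db_server.csr
#
# Notes for whoever consumes these files:
#  - Both private keys are written without a passphrase (-nodes), so the
#    directory they land in is the only thing protecting them.
#  - The subjectAltName is not requested inside the CSR; it is added by the
#    signing step through -extfile, so the names in the final certificate are
#    decided by whoever runs the CA command, not by the requester.
#  - Every certificate expires after 10 days (-days 10) and the serial number is
#    fixed at 01, so this CA should not be reused to issue further certificates
#    without changing the serial.

# root certificate
# -subj takes the /type=value form; the leading slash is required, otherwise
# openssl rejects the name and (under set -e) nothing else is generated.
# -sha256 pins the signature digest instead of relying on the build's default.
openssl req -verbose -new -x509 -newkey rsa:2048 -sha256 -days 10 -nodes \
  -subj '/CN=Self-signed CA' \
  -keyout selfsigned-ca.key -out selfsigned-ca.pem

# db_server signing request
openssl req -verbose -newkey rsa:2048 -sha256 -nodes \
  -subj '/CN=db_server.local' \
  -keyout db_server.key -out db_server.csr

# db_server certificate
# The extension file is the only source of the SAN entries in db_server.pem.
printf '%s\n' 'subjectAltName=DNS:db_server,DNS:db_server.local' > db_server.ext
openssl x509 -req -sha256 -days 10 -set_serial 01 \
  -CA selfsigned-ca.pem -CAkey selfsigned-ca.key \
  -in db_server.csr -extfile db_server.ext \
  -out db_server.pem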