pki.sh/issue-root.sh
2024-09-29 14:22:28 +00:00


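#!/usr/bin/env bash
# Option parsing for issuing a self-signed root CA certificate.
#
# bash is required: NAME_OPT and SUBJECT_OPT are arrays, which a strict POSIX
# /bin/sh such as dash rejects as a syntax error.
#
# Usage: -t rsa|ec -n <name> -d <days> [-s <organization>]
#
# The parsed values are consumed by the `openssl req -x509` call that follows:
#   NEWKEY_OPT, DAYS_OPT     plain strings, expanded unquoted there so they
#                            split into separate words
#   NAME_OPT, SUBJECT_OPT    arrays, expanded quoted there

# Key-generation presets selected with -t.
# NOTE(review): rsa:2048 is considerably weaker than the secp384r1/SHA-384
# preset next to it; for a long-lived root a larger modulus is usually chosen.
# Left unchanged here because it alters the keys this script issues.
RSA_OPTS="-newkey rsa:2048 -sha256"
ECDSA_OPTS="-newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -sha384"

# Start from known-empty values so that variables of the same name inherited
# from the caller's environment cannot end up on the openssl command line.
NEWKEY_OPT=""
DAYS_OPT=""
NAME_OPT=()
SUBJECT_OPT=()

# Print the one-line usage summary to stdout.
usage() {
  echo "Usage: -t rsa|ec -n <name> -d <days> [-s <organization>]"
}

#######################################
# Parse the command-line options into the globals read by the openssl call.
# Globals:   RSA_OPTS, ECDSA_OPTS (read)
#            NEWKEY_OPT, NAME_OPT, DAYS_OPT, SUBJECT_OPT (written)
# Arguments: the script's positional parameters
# Outputs:   usage on stdout for -h; diagnostics on stderr
# Returns:   exits 0 after -h, exits 1 on any invalid or incomplete option
#######################################
parse_args() {
  local opt
  local OPTIND=1

  # Leading ':' selects silent mode: getopts reports a missing argument as
  # opt=':' and an unknown flag as opt='?', both handled below. 'h' takes no
  # argument, so a bare -h prints the usage text.
  while getopts ":ht:n:d:s:" opt; do
    case "$opt" in
      h)
        usage
        exit 0
        ;;
      t)
        case "$OPTARG" in
          rsa) NEWKEY_OPT=$RSA_OPTS ;;
          ec) NEWKEY_OPT=$ECDSA_OPTS ;;
          *)
            echo "Invalid option: -t $OPTARG" >&2
            exit 1
            ;;
        esac
        ;;
      n)
        # <name>.key receives the CA private key, <name>.crt the certificate.
        if [ -z "$OPTARG" ]; then
          echo "Invalid option: -n requires a non-empty name" >&2
          exit 1
        fi
        NAME_OPT=(-keyout "$OPTARG".key -out "$OPTARG".crt)
        ;;
      d)
        # DAYS_OPT is expanded unquoted later, so anything other than digits
        # would be word-split into additional openssl arguments.
        case "$OPTARG" in
          '' | *[!0-9]*)
            echo "Invalid option: -d $OPTARG" >&2
            exit 1
            ;;
        esac
        DAYS_OPT="-days $OPTARG"
        ;;
      s)
        # The value is placed in the subject string verbatim; a '/' inside it
        # starts another RDN rather than staying part of O=.
        SUBJECT_OPT=(-subj "/C=CN/CN=Root CA/O=$OPTARG")
        ;;
      :)
        echo "Option -$OPTARG requires an argument" >&2
        exit 1
        ;;
      \?)
        echo "Invalid option: -$OPTARG" >&2
        exit 1
        ;;
    esac
  done
}

parse_args "$@"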
openssl req -x509 -batch $NEWKEY_OPT "${NAME_OPT[@]}" $DAYS_OPT "${SUBJECT_OPT[@]}" \
-addext "subjectKeyIdentifier=hash" \
-addext "authorityKeyIdentifier=keyid:always,issuer" \
-addext "basicConstraints=critical,CA:true" \
-addext "keyUsage=critical,keyCertSign,cRLSign" \