Interactive OpenSSL cert generator — prompts for DN fields (including OU and email), key size, digest, basicConstraints, and DNS/IP SANs. Includes serverAuth + clientAuth extended key usage. Generates a reusable config, CSR, and optionally a self-signed certificate from an existing private key.
```sh
./gen-cert.sh [key.pem] [cert.pem] [days]
```

All arguments are optional. The key path defaults to key.pem. If cert.pem is provided it becomes the default for the certificate prompt. If days is omitted, no expiry is set on the certificate.
| Prompt | Default | Notes |
|---|---|---|
| Key size (default_bits) | 2048 | RSA key size |
| Message digest (default_md) | sha256 | Hash algorithm |
| Challenge password | (none) | Hidden input; blank to skip |
| Country (C) | US | 2-letter country code |
| State (ST) | Texas | State or province |
| City (L) | Dallas | City or locality |
| Organization (O) | GoodmanHP | Organization name |
| Organizational Unit (OU) | (none) | Blank to omit |
| Common Name (CN) | GoodmanHP Controller | FQDN of the server |
| Email | (none) | Blank to omit from certificate |
| CSR filename | CN.csr | Defaults to CN with spaces replaced by underscores |
| Certificate filename | CN.pem | Enter "none" to skip self-signing (CSR only) |
| Config filename | CN.conf | Defaults to CN with spaces replaced by underscores |
| basicConstraints CA | (none) | TRUE, FALSE, or blank (omit entirely) |
| DNS names | (none) | Enter one per line, blank to finish |
| IP addresses | (none) | Enter one per line, blank to finish |
The generated config always includes:
- keyUsage = digitalSignature, keyEncipherment
- extendedKeyUsage = serverAuth, clientAuth
- basicConstraints = CA:TRUE/FALSE (if specified)
- subjectAltName (if DNS or IP entries provided)
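The config the tool saves, rebuilt here as an added example that is not the script's own code: a POSIX shell function that emits a `req` config with exactly the extensions listed above, called with the values from the sample session (C=US, ST=Texas, L=Dallas, O=GoodmanHP, CN=GoodmanHP Controller, CA:FALSE, SANs goodmanhp.local / 192.168.0.100 / 192.168.4.1), plus a demo that feeds the result to `openssl req` and `openssl x509`. The function names, the `prompt = no` layout and the 365-day validity in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not gen-cert.sh itself: emit an OpenSSL "req" config of the
# same shape the tool saves as CN.conf. Names here are this example's own.
# Usage: gen_conf C ST L O CN CA [DNS:name ...] [IP:addr ...]   (CA may be "")
gen_conf() {
  c=$1 st=$2 l=$3 o=$4 cn=$5 ca=$6
  shift 6
  nl='
'
  san='' dn=0 ipn=0
  # number the SAN entries the way openssl expects: DNS.1, DNS.2, IP.1, ...
  for e in "$@"; do
    case $e in
      DNS:*) dn=$((dn + 1));   san="${san}DNS.$dn = ${e#DNS:}$nl" ;;
      IP:*)  ipn=$((ipn + 1)); san="${san}IP.$ipn = ${e#IP:}$nl" ;;
    esac
  done
  printf '[ req ]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n'
  printf 'distinguished_name = req_distinguished_name\n'
  # one extension section serves both "req -new" (CSR) and "req -x509" (self-signed)
  printf 'req_extensions = v3_req\nx509_extensions = v3_req\n\n'
  printf '[ req_distinguished_name ]\nC = %s\nST = %s\nL = %s\nO = %s\nCN = %s\n\n' \
    "$c" "$st" "$l" "$o" "$cn"
  printf '[ v3_req ]\nkeyUsage = digitalSignature, keyEncipherment\n'
  printf 'extendedKeyUsage = serverAuth, clientAuth\n'
  # basicConstraints only when the caller chose TRUE or FALSE; blank omits it
  if [ -n "$ca" ]; then printf 'basicConstraints = CA:%s\n' "$ca"; fi
  # subjectAltName only when at least one DNS or IP entry was supplied
  if [ -n "$san" ]; then printf 'subjectAltName = @alt_names\n\n[ alt_names ]\n%s' "$san"; fi
}

# Demo for the sample session: write the config, then (if openssl is installed)
# build a CSR and a self-signed cert from an EC key and print the SAN it carries.
# Run with: demo
demo() {
  gen_conf US Texas Dallas GoodmanHP "GoodmanHP Controller" FALSE \
    DNS:goodmanhp.local IP:192.168.0.100 IP:192.168.4.1 > GoodmanHP_Controller.conf
  command -v openssl >/dev/null || { echo "openssl not found; config written only"; return 0; }
  [ -f key.pem ] || openssl ecparam -genkey -name prime256v1 -noout -out key.pem
  openssl req -new -key key.pem -config GoodmanHP_Controller.conf -out GoodmanHP_Controller.csr
  openssl x509 -req -in GoodmanHP_Controller.csr -signkey key.pem -days 365 \
    -extfile GoodmanHP_Controller.conf -extensions v3_req -out GoodmanHP_Controller.pem
  # check that the SAN made it into the signed certificate, not just the CSR
  openssl x509 -in GoodmanHP_Controller.pem -noout -subject -ext subjectAltName
}
```

The final `openssl x509 -ext subjectAltName` line is the check worth keeping: extensions requested in a CSR are only copied into the certificate when the signing step is told about them (`-extfile`/`-extensions` here), so inspect the issued cert, not the CSR.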
Outputs:

- Config — OpenSSL .conf file (CN.conf) saved for reuse with openssl req directly.
- CSR — Always generated. Submit to a CA or use for self-signing.
- Certificate — Optional. Self-signed cert generated from the CSR. Enter "none" at the prompt to produce only the CSR.
The saved .conf can be passed directly to OpenSSL:

```sh
openssl req -out server.csr -key server.key -config GoodmanHP_Controller.conf -new
```

Example session:

```text
$ ./gen-cert.sh /mnt/sd/key.pem
=== Certificate Settings ===
Key size (default_bits) [2048]:
Message digest (default_md) [sha256]:
Challenge password (blank for none):
=== Distinguished Name ===
Country (C) [US]:
State (ST) [Texas]:
City (L) [Dallas]:
Organization (O) [GoodmanHP]:
Organizational Unit (OU) (blank to omit):
Common Name / FQDN (CN) [GoodmanHP Controller]:
Email (blank to omit):
CSR filename [GoodmanHP_Controller.csr]:
Certificate filename ("none" to skip) [GoodmanHP_Controller.pem]:
Config filename [GoodmanHP_Controller.conf]:
=== Extensions ===
basicConstraints CA: (TRUE/FALSE, blank for none): FALSE
=== Subject Alternative Names ===
Enter DNS names (blank line to finish):
DNS.1: goodmanhp.local
DNS.2:
Enter IP addresses (blank line to finish):
IP.1: 192.168.0.100
IP.2: 192.168.4.1
IP.3:
=== Summary ===
Key: /mnt/sd/key.pem
Config: GoodmanHP_Controller.conf
CSR: GoodmanHP_Controller.csr
Cert: GoodmanHP_Controller.pem
Valid: (no expiry set)
Bits: 2048
Digest: sha256
Subject: C=US, ST=Texas, L=Dallas, O=GoodmanHP, CN=GoodmanHP Controller
CA: FALSE
DNS: goodmanhp.local
IP: 192.168.0.100 192.168.4.1
Config saved: GoodmanHP_Controller.conf
CSR generated: GoodmanHP_Controller.csr
To regenerate the CSR from the saved config:
openssl req -out GoodmanHP_Controller.csr -key /mnt/sd/key.pem -config GoodmanHP_Controller.conf -new
Certificate generated: GoodmanHP_Controller.pem
subject=C=US, ST=Texas, L=Dallas, O=GoodmanHP, CN=GoodmanHP Controller
X509v3 Subject Alternative Name:
DNS:goodmanhp.local, IP Address:192.168.0.100, IP Address:192.168.4.1
```

Press Enter to accept defaults. Blank lines skip the DNS/IP sections entirely.
If you don't have an existing key:

```sh
openssl ecparam -genkey -name prime256v1 -noout -out key.pem
```

Requirements:

- OpenSSL
- Bash