## Copyright © 2017 Bret Human
## https://cynop.me/
##
## Documentation at:
## https://psi.cynop.me/Caffarius/letsEncryptScripts
##
## For questions or comments write:
## info@cynop.me
#
# Random script samples for SSL cert generation

############### Generate a new domain key (must be root) ################
# 1. Replace "example.com" with your intended domain name and run the
#    commands below.
# 2. Make sure to keep this key safe. It is the basis for all SSL certs
#    signed with it in the future. If an attacker gets it, they can
#    generate certificates that seem like they're genuinely from you.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /etc/ssl/keys/example.com.key
chmod 700 /etc/ssl/keys
chmod 400 /etc/ssl/keys/example.com.key

################### Generate a new csr (must be root) ###################
# Only perform this if you're creating a new subdomain with an existing
# domain key.
#
# 1. Replace "subdomain.example.com" with your intended hostname
#    and run the command below
# 2. Move existing csr files to /etc/acme-tiny/temp/
#      mv /etc/acme-tiny/csr/* /etc/acme-tiny/temp/
# 3. Place new csr in /etc/acme-tiny/csr/
# 4. Run /root/.script/letsencrypt.sh
# 5. Move the other csr files back so they can be renewed later
#      mv /etc/acme-tiny/temp/* /etc/acme-tiny/csr/
# 6. Don't forget to renew the certs before the 90 day expiration!

openssl req -new -sha256 -key /etc/ssl/keys/example.com.key -subj "/CN=subdomain.example.com" > /etc/acme-tiny/csr/subdomain.example.com.csr
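
# Added example (not part of the original script samples): a pre-flight
# check for the key/CSR pair, to run after step 3 and before step 4 above.
# The function name check_csr and its return codes are assumptions made
# for this example.

```shell
#!/bin/sh
# check_csr KEY_FILE CSR_FILE EXPECTED_HOSTNAME
# Returns 0 when every check passes, a distinct non-zero code otherwise.
# (Hypothetical helper written for this example.)
check_csr() {
    key=$1; csr=$2; host=$3

    # 1. The private key must carry no group/other permission bits
    #    (the samples above set mode 400). Columns 5-10 of `ls -ld`
    #    are the group and other rwx bits.
    perms=$(ls -ld "$key" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is missing or accessible to group/other" >&2
        return 3
    fi

    # 2. The CSR's self-signature must verify. Match the "verify OK"
    #    text rather than trusting the exit status alone.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: CSR self-signature does not verify" >&2
        return 4
    fi

    # 3. The public key inside the CSR must be the one derived from KEY_FILE.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$csr_pub" ]; then
        echo "FAIL: CSR was not generated from $key" >&2
        return 5
    fi

    # 4. The subject must be exactly CN=<hostname>, as set with -subj above.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null)
    if [ "$subject" != "subject=CN=$host" ]; then
        echo "FAIL: subject is '$subject', expected CN=$host" >&2
        return 6
    fi

    echo "OK: $csr matches $key and names $host"
}

# Run the check when the script is called with three arguments.
if [ "$#" -eq 3 ]; then
    check_csr "$@"
fi
```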