Multi cert Creator is not easy-rsa
MC Cine is Open Source software and licensed under CC BY-SA 4.0. It helps you to create self-signed SSL certificates which are able to handle multiple DNS names and/or IP addresses.
New in v3 is the ability to create self-signed S/MIME certificates for secure email communication (of course with multiple alias addresses in one certificate)!
That means you can create one SSL certificate with a common name = www.secure-diversity.de that is also valid for www.anotherdomain.de and/or for 1.1.1.1!
MC Cine is a very powerful tool. Here is the full help output for the current version:
    ./bin/mccine.sh -h full

    Version: 2019-04-25 - by www.se-di.de

    This will do stuff to easily self-sign multiple/alternative FQDN/IPs.
    It is NOT easy-rsa! mccine can (easy-rsa can not) sign certs with multiple FQDNs/IPs
    and is not such comfortable as this tool ;o).
    When you want >1< common name only you may (but don't need to) use easy-rsa instead.
    mccine can sign single CN's, too of course.

    Getting starting is VERY easy and done in 2 simple steps!

    1) ./bin/mccine.sh -m CA -F my.CA-SERVER.com

       You will be guided to the initial setup of your own and new CA and you will get
       at the end an example output for the next step:

    2) ./bin/mccine.sh -m sign -F my.main-servername.com,IamNOTaFQDN,1.1.1.1 -C my.ROOT-CA.pem -i my.ROOT-CA.crt
       (You can copy & paste the ROOT-CA filenames right from step 1)

       Again you will be guided to the whole process - this time for creating your new
       certificate signed with the CA created in step 1 and with default options.

    You're done! Next time you need step <2> only because you already have a CA!
    Isn't that easy? :o)

    More examples and the full help are available within the specific help sections.

    Usage:

      $> ./bin/mccine.sh -m [MODE] [options]

      MODE = usage mode. can be one of: <ROOTCA> | <SUBCA> | <sign> | <csr>

      -h ROOTCA   <ROOTCA> will create a ROOT-CA and you need to start here when using mccine the first time.
      -h SUBCA    <SUBCA> requires a ROOT-CA! If you have one already choose this to create a signing SUB-CA.
      -h sign     <sign> requires a ROOT- or SUB-CA! This helps you in self-signing a user cert.
      -h csr      <csr> requires a FQDN/IP only. No self-signing here. Use this mode if you want to sign your csr by another CA.
      -h full     will show all help output of the above.

    MODE = <csr>

      -m csr|req

      The csr mode will be used to create a new certificate request only!
      It will NOT sign anything so you need to sign it manually or by another CA.
      (Order of args is totally free and case insensitive)

      Required:
        -f|F MAIN-FQDN,CNx,IP1,IPx,...  = One ore multiple common name(s) AND/OR IPs of the server certificate,
                                          normally that will be the DNS name(s)/IP(s) of your target server.

      Optional:
        -p|P CERT PEM file        = The private key file of the existing/new server cert (will be created if not existing)
        -d|D DAYS-FOR-SIGNING     = How long should the cert be valid in days.
        -b|B CERT KEY-STRENGTH    = Defines the strength of the private key
        -s mail|MAIL              = you can define 'MAIL' as special signing mode and then create a S/MIME certificate request

      Defaults:
        CERT PEM file       = <CN defined by -F arg>.pem
        DAYS-FOR-SIGNING    = 2190 days
        CERT KEY-STRENGTH   = 4096 bit

      Examples:
        $> ./bin/mccine.sh -m csr -F my.ssl-server.de,myhostname,1.1.1.1 -d 365 -b 2048
        $> ./bin/mccine.sh -m csr -s MAIL -F support@se-di.de,info@se-di.de,info@sicherevielfalt.de
        $> ./bin/mccine.sh -m csr -F my.ssl-server.de

    MODE = <ROOTCA>

      -m ROOTCA|CA|rootca|ca

      The ROOT-CA mode will be used normally once only.
      It is not recommended to sign user certs with a ROOT-CA and it is needed in order
      to create a SUB-CA (which then signing your certs).
      If you already have a CA which is able to do that (check your openssl.cnf settings!)
      or if you have created a ROOT-CA with this tool already you can skip that and
      proceed with <SUBCA> and / or <sign> mode.
      (Order of args is totally free and case insensitive)

      Required:
        -f|F CA CN                = Common name of your ROOT-CA cert, e.g the DNS name or IP address of the CA system

      Optional:
        -c|C CA PEM file          = The private key file of the signing ROOT-CA
        -d|D DAYS-FOR-SIGNING     = How long should the cert be valid in days.
        -b|B CA KEY-STRENGTH      = Defines the strength of the encryption key of the CA

      Defaults:
        DAYS-FOR-SIGNING    = 4380 days
        CA KEY-STRENGTH     = 8192 bit
        CA PEM file         = <CN defined by -F arg>.pem

      Examples:
        $> ./bin/mccine.sh -m ROOTCA -F my.CA-SERVER.com -C my.CA-server.pem -d 3650 -b 4096
        $> ./bin/mccine.sh -m CA -F my.CA-SERVER.com

    MODE = <SUBCA>

      -m SUBCA|subca

      The SUBCA mode will be used normally once to create an intermediate CA for a specific purpose.
      It then will be used to sign the user / mail / webservers certificates.
      Such a intermediate or SUB-CA is recommended and should be used to be secure.
      (Order of args is totally free and case insensitive)

      Required:
        -f|F CA CN                = Common name of your SUB-CA cert, e.g the DNS name or IP address of the SUBCA system
        -r|R CA PEM file          = The private key file of the signing ROOT-CA which will sign your cert-request
        -i|I CA CERT file         = The CA certificate file of the signing ROOT-CA.

      Optional:
        -d|D DAYS-FOR-SIGNING     = How long should the cert be valid in days.
        -b|B CA KEY-STRENGTH      = Defines the strength of the encryption key of the CA

      Defaults:
        DAYS-FOR-SIGNING    = 2190 days
        CA KEY-STRENGTH     = 8192 bit
        CA PEM file         = <CN-you-defined-by -F arg>.pem

      Examples:
        $> ./bin/mccine.sh -m SUBCA -F my.subca.com -r my.ROOTca.pem -i my.ROOTca.crt
        $> ./bin/mccine.sh -m SUBCA -F my.subca.com -r my.ROOTca.pem -i my.ROOTca.crt -d 3650 -b 4096

    MODE = <sign>

      -m SIGN|sign

      The sign mode will be your 'normal' operation mode once you have created your ROOT-CA
      and will be used to self-sign your certs with the CA you created in MODE = <CA>.
      (Order of args is totally free and case insensitive)

      Required:
        -f|F MAIN-FQDN,CNx,IP1,IPx,...  = One ore multiple common name(s) AND/OR IPs of the server certificate,
                                          normally that will be the DNS name(s)/IP(s) of your target server.
        -c|C CA PEM file          = The private key file of the signing ROOT-CA which will sign your cert-request
        -i|I CA CERT file         = The CA certificate file of the signing ROOT-CA.

      Optional:
        -p|P CERT PEM file        = The private key file of the existing/new server cert (will be created if not existing)
        -d|D DAYS-FOR-SIGNING     = How long should the cert be valid in days.
        -b|B CERT KEY-STRENGTH    = Defines the strength of the private key
        -s mail|MAIL              = you can define 'MAIL' as special signing mode and then create a S/MIME certificate

      Defaults:
        CERT PEM file       = <CN defined by -F arg>.pem
        DAYS-FOR-SIGNING    = 2190 days
        CERT KEY-STRENGTH   = 4096 bit

      Examples:
        $> ./bin/mccine.sh -m sign -F my.ssl-server.de,myhostname,1.1.1.1 -C my.SUB-CA.pem -p my.CERT.pem -d 365 -b 2048 -i my.SUB-CA.crt
        $> ./bin/mccine.sh -m sign -s MAIL -F support@se-di.de,info@se-di.de,info@sicherevielfalt.de -C my.SUB-CA.pem -i my.SUB-CA.crt
        $> ./bin/mccine.sh -m sign -F my.ssl-server.de -C my.SUB-CA.pem -i my.SUB-CA.crt
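How a mixed name list like the one given to -F has to be typed inside a certificate, as an added example that is not mccine's own code: a TLS client matches an IP address only against IP entries and a host name only against DNS entries of the subject alternative name extension, so each item must be classified before the request is built. The function names `san_entry`, `san_from_list` and `make_csr`, the classification rules and the output file names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not mccine's code): build an OpenSSL subjectAltName value
# from a comma-separated name list like the one passed to -F.

# Map one name to its SAN type prefix (DNS:, IP: or email:).
san_entry() {
    case "$1" in
        *@*)        printf 'email:%s' "$1" ;;  # S/MIME address
        *:*)        printf 'IP:%s' "$1" ;;     # IPv6 literal (host names have no ':')
        *[!0-9.]*)  printf 'DNS:%s' "$1" ;;    # contains letters, '-' and so on
        *.*.*.*.*)  printf 'DNS:%s' "$1" ;;    # too many dots for an IPv4 address
        *.*.*.*)    printf 'IP:%s' "$1" ;;     # dotted quad; octet range is left to openssl
        *)          printf 'DNS:%s' "$1" ;;
    esac
}

# The "( )" body runs in a subshell, so the IFS and noglob changes stay local.
san_from_list() (
    set -f; IFS=','; out=""
    for name in $1; do
        [ -n "$name" ] || continue             # skip empty items such as "a,,b"
        out="${out:+$out,}$(san_entry "$name")"
    done
    printf '%s\n' "$out"
)

# Create a key and a CSR carrying the SAN list, then print the extension.
# Needs OpenSSL 1.1.1+ for -addext. -nodes leaves the key unencrypted, so
# protect the file. $2 is an optional output base name (placeholder default).
make_csr() {
    san=$(san_from_list "$1")
    base=${2:-example}
    openssl req -new -newkey rsa:4096 -nodes \
        -keyout "$base.key.pem" -out "$base.csr" \
        -subj "/CN=${1%%,*}" -addext "subjectAltName=$san" &&
    openssl req -in "$base.csr" -noout -text |
        grep -A1 'Subject Alternative Name'
}

# Constructed sample: the name list from step 2 of the help text.
san_from_list 'my.main-servername.com,IamNOTaFQDN,1.1.1.1'
```

Calling `make_csr` with the same list on a machine with OpenSSL shows the typed entries in the resulting request, which is the place to check before handing a CSR to any CA.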
Download
Since 2016 McCine has been tracked and developed on github.com, so please find the current stable versions on GitHub.
Let me know about any issues in the GitHub issue tracker.