--- /dev/null
+#! /bin/sh -e
+
+unset email unit key ext extra
+config=/etc/ca/openssl.conf
+good=t
+while getopts e:u:k:x: opt; do
+ case $opt in
+ e) email=$OPTARG ;;
+ u) unit=$OPTARG ;;
+ k) key=$OPTARG ;;
+ x) ext=$OPTARG ;;
+ *) good=nil ;;
+ esac
+done
+shift $(( $OPTIND - 1 ))
+
+case $#,$good in
+ 2,t) ;;
+ *) echo >&2 "usage: $0 [-e EMAIL] [-k KEY] [-u UNIT] [-x EXT] LABEL CN"; exit 1 ;;
+esac
+label=$1 cn=$2
+
+if [ ! -d private ]; then
+ mkdir -m700 private
+fi
+
+case ${ext+t} in
+ t)
+ { cat "$config"
+ echo
+ echo "[genx509-custom]"
+ cat "$ext"; } >"tmp.$label.conf"
+ config=tmp.$label.conf
+ extra="$extra -reqexts genx509-custom"
+ ;;
+esac
+
+name="/C=GB/ST=Cambridgeshire/L=Cambridge/O=distorted.org.uk"
+name="$name/${unit+OU=$unit/}CN=$cn${email+/emailAddress=$email}"
+case ${key+t} in
+ t)
+ openssl req -batch -config "$config" \
+ -new -subj "$name" -text -out "$label.req.new" \
+ -key "$key" $extra
+ ;;
+ *)
+ openssl req -batch -config "$config" \
+ -new -subj "$name" -text -out "$label.req.new" \
+ -nodes -keyout "private/$label.key.new" $extra
+ chmod 600 "private/$label.key.new"
+ mv "private/$label.key.new" "private/$label.key"
+ ;;
+esac
+rm -f "tmp.$label.conf"
+mv "$label.req.new" "$label.req"
+sha256sum "$label.req"
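Review bot: The private key is written by `openssl req ... -nodes -keyout "private/$label.key.new"` under the caller's umask and only tightened by the `chmod 600` on the next line. Because `mkdir -m700 private` runs only when the directory is missing, an existing `private` with a wider mode can leave the unencrypted key readable by other users for a moment, unless the installed OpenSSL already creates key files with a restrictive mode. Adding `umask 077` before that call closes the window; the request file is then also created 0600 and can be relaxed afterwards if it has to be shared. Separately, `$cn`, `$unit` and `$email` are placed into the `-subj` string unescaped, so a `/` in any of them is read as a field separator; a guard such as `case $cn in */*) echo >&2 "$0: CN must not contain /"; exit 1 ;; esac` (and likewise for the other two) would reject such values. Under `-e`, a failing `openssl` also skips the final `rm -f "tmp.$label.conf"`, so `trap 'rm -f "tmp.$label.conf"' EXIT` set once `label` is known would clean up on every exit path.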