#!/usr/bin/env bash
set -euo pipefail
CN="${1:-example.org}"
mkdir -p out
openssl genrsa -out out/${CN}.key 2048
openssl req -new -key out/${CN}.key -subj "/CN=${CN}" -out out/${CN}.csr
# Self-sign with root for demo
openssl x509 -req -in out/${CN}.csr -CA ca/root.crt -CAkey ca/root.key -CAcreateserial -out out/${CN}.crt -days 825 -sha256
echo "[✓] Issued out/${CN}.crt (demo; use ACME for production)"