@dargmuesli
Last active November 15, 2019 17:05
Updates self-signed certificates for local development over HTTPS.
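#!/bin/bash
#
# Updates self-signed certificates for local development over HTTPS.
#
# Creates (or reuses) a local root CA in the --root directory and uses it to
# sign a server certificate described by the project's .cnf file.
#
# Exit on errors, use last pipe error code, do not overwrite files, ensure
# variables exist
set -o errexit -o pipefail -o noclobber -o nounset
# Everything this script writes (CA key, unencrypted server key, certs) is
# private to the invoking user. Depending on the OpenSSL version, -keyout files
# may be created with the process umask, so do not rely on openssl alone to
# keep the keys from being world-readable. chmod the certificates wider if
# another user needs them.
umask 077
# Color codes for use with echo -e. RED is referenced by the argument checks
# below; leaving it undefined would abort the script under nounset.
NC='\033[0m'
RED='\033[0;91m'
YELLOW='\033[0;93m'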
# Print the help text and exit with status 1 (also used for -h/--help).
usage() {
  cat <<EOF
Updates self signed certificates for local development via HTTPs.

usage: $0 <ProjectConfig> [-r <Path> | --root <Path>] [-h | --help]

 <ProjectConfig> path to target project's .cnf file

 -r, --root path to directory in which the root certificate lives (defaults to '~/certificates/development/')
 -h, --help display this help
EOF
  exit 1
}
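# Require util-linux "enhanced" getopt: only that variant handles long options
# and shell-quotes its output safely for the eval below. Its --test mode exits
# with 4; "!" keeps errexit from firing while PIPESTATUS[0] keeps the status.
! getopt --test > /dev/null
if [[ ${PIPESTATUS[0]} -ne 4 ]]
then
  # The message is literal text now; the original used backticks inside the
  # string, which re-ran getopt --test instead of printing its name.
  echo "'getopt --test' failed, cannot parse parameters." >&2
  exit 1
fi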
# Parse command line parameters
OPTIONS=hr:
LONGOPTS=help,root:
! PARSED=$(getopt --options=$OPTIONS --longoptions=$LONGOPTS \
--name "$0" -- "$@")
if [[ ${PIPESTATUS[0]} -ne 0 ]]; then
exit 2
fi
eval set -- "$PARSED"
# Where the root CA lives unless overridden with -r/--root.
root="$HOME/certificates/development/"
# Walk the canonicalised option list; getopt guarantees a terminating "--",
# so anything else reaching the default arm is a bug in this script.
while :; do
  case "$1" in
    -h|--help) usage ;;
    -r|--root) root="$2"; shift 2 ;;
    --) shift; break ;;
    *) echo "Programming error"; exit 2 ;;
  esac
done
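# Validate the positional argument(s) left after option parsing. Diagnostics go
# to stderr so they do not mix with anything a caller captures from stdout.
# RED is not guaranteed to be in the colour table alongside NC/YELLOW; under
# nounset an unset RED would abort right here instead of printing the error.
if [[ -z "${RED:-}" ]]; then
  RED='\033[0;91m'
fi
if [[ $# -gt 1 ]]; then
  echo -e "${YELLOW}ignoring everything after $1${NC}!" >&2
fi
if [[ $# -eq 0 ]]; then
  echo -e "${RED}No parameter provided!${NC}" >&2
  exit 1
fi
if [[ ! -f "$1" ]]; then
  echo -e "${RED}Configuration in $1 does not exist!${NC}" >&2
  exit 1
fi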
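# Read the CA key passphrase without echoing it. `read -s` manages the terminal
# state itself, so EOF or Ctrl-C no longer leaves echo switched off the way the
# stty -echo / stty echo pair did when errexit aborted between them; -r and
# IFS= keep backslashes and surrounding spaces in the passphrase intact.
IFS= read -rs -p "Password: " password
printf "\n"
# The CA key is the trust anchor for every certificate this script issues;
# refuse to create or use it with an empty passphrase.
if [[ -z "$password" ]]; then
  echo "Empty passphrase refused: the CA key must be stored encrypted." >&2
  exit 1
fi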
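#######################################
# Derive the file name trunks everything below writes to.
# Arguments: $1 - project .cnf path, $2 - root CA directory
# Globals written: catrunk, projectname, projectpath, projecttrunk
#######################################
resolve_paths() {
  local config=$1 ca_dir=$2
  # Tolerate a --root given without a trailing slash; plain concatenation
  # would turn "/certs" into "/certsdevelopment_root_ca".
  if [[ -n "$ca_dir" && "$ca_dir" != */ ]]; then
    ca_dir+="/"
  fi
  catrunk="${ca_dir}development_root_ca"
  projectname="${config##*/}"
  projectname="${projectname%.*}"
  # ${config%/*} leaves a bare file name unchanged, so a config given without
  # a directory part ("app.cnf") used to yield the bogus trunk "app.cnf/app".
  case "$config" in
    */*) projectpath="${config%/*}/" ;;
    *)   projectpath="./" ;;
  esac
  projecttrunk="$projectpath$projectname"
}
resolve_paths "$1" "$root"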
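#######################################
# Write the root-CA OpenSSL config unless a non-empty one already exists.
# Arguments: $1 - path of the .cnf to create
#######################################
write_ca_config() {
  local cnf=$1
  if [[ -s "$cnf" ]]; then
    return 0
  fi
  # ">|" bypasses noclobber: the -s test lets a zero-length leftover through,
  # and a plain ">" would then abort the whole script on it.
  cat >| "$cnf" <<'EOL'
# OpenSSL configuration for Root CA
[ req ]
prompt = no
string_mask = default
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
countryName = de
organizationName = Development
commonName = Development Root CA
[ x509_ext ]
# RFC 5280 4.2.1.2 requires a subject key identifier in CA certificates; it is
# also what a leaf's authorityKeyIdentifier=keyid refers back to.
subjectKeyIdentifier = hash
keyUsage=critical,keyCertSign,cRLSign
basicConstraints=critical,CA:true,pathlen:0
EOL
}
# mkdir -p is idempotent, so no existence check is needed.
mkdir -p -- "$root"
write_ca_config "$catrunk.cnf"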
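# Reuse the CA if both halves are present and the certificate is good for at
# least another day (86400 s); otherwise (re)create it. The check runs inside
# `if` because openssl exits 1 when the cert will expire: the old
# `valid=$(...)` assignment tripped errexit on exactly that case, so the
# regeneration branch below was unreachable.
regen=false
if [[ -s "$catrunk.crt" && -s "$catrunk.key" ]]; then
  if openssl x509 -checkend 86400 -noout -in "$catrunk.crt" >/dev/null; then
    echo "Valid CA certificate & private key already exist."
  else
    echo -e "${YELLOW}Invalid CA certificate & private key already exist.${NC}"
    regen=true
  fi
else
  regen=true
fi
if [[ "$regen" == "true" ]]; then
  # Note: a new CA means previously signed project certificates no longer
  # chain; re-run this script for each of them.
  echo "Creating CA certificate & private key..."
  # Hand the passphrase over via the environment instead of "pass:" on the
  # command line, which every local user can read from ps / /proc/*/cmdline.
  CA_PASSPHRASE="$password" openssl req \
    -config "$catrunk.cnf" \
    -days 365 \
    -keyout "$catrunk.key" \
    -new \
    -out "$catrunk.crt" \
    -passout env:CA_PASSPHRASE \
    -x509
fi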
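echo "Creating server certificate & private key..."
# -nodes: the server key is deliberately unencrypted so a dev server can load
# it without a prompt. "$1" is the config the caller passed and that was
# checked to exist above; rebuilding the name from the trunk pointed at a
# different (possibly missing) file whenever the config was not named *.cnf.
openssl req \
  -config "$1" \
  -keyout "$projecttrunk.key" \
  -new \
  -nodes \
  -out "$projecttrunk.csr"
echo "Signing with CA..."
# The project config must carry an [ x509_ext ] section (SANs etc.) for
# -extensions. The CA passphrase goes via the environment, not the command
# line, so it does not show up in ps / /proc/*/cmdline.
CA_PASSPHRASE="$password" openssl x509 \
  -CA "$catrunk.crt" \
  -CAkey "$catrunk.key" \
  -CAcreateserial \
  -days 365 \
  -extensions x509_ext \
  -extfile "$1" \
  -in "$projecttrunk.csr" \
  -out "$projecttrunk.crt" \
  -passin env:CA_PASSPHRASE \
  -req
# Fail loudly (errexit) if the issued certificate does not chain to the CA.
openssl verify -CAfile "$catrunk.crt" "$projecttrunk.crt"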
@dargmuesli

Deprecated, use https://github.com/FiloSottile/mkcert 🔥 instead!
