@L-P
Last active December 18, 2020 17:38
Create CA and TLS certificate for local development (.test TLD)
```sh
#!/usr/bin/env sh
# Usage: ./certgen DOMAIN.TLD CA_CERT_PATH SERVER_CERT_PATH
# Server key will be written to SERVER_CERT_PATH with its extension replaced
# with '.key'.
set -eu

domain="$1"
caCert="$2"
caKey="$(mktemp --suffix .key)"
caName="Local $domain CA"
serverCert="$3"
serverKey="${serverCert%.*}.key"
serverCSR="$(mktemp --suffix .csr)"

# Create CA key and cert. The critical nameConstraints extension restricts this
# CA to names under .test, so trusting it in a browser does not let it vouch
# for any other domain.
openssl req -x509 -newkey rsa:4096 -days 365 -nodes \
    -keyout "$caKey" \
    -out "$caCert" \
    -subj "/CN=$caName" \
    -addext "nameConstraints=critical,permitted;DNS:.test" \
    -addext "subjectAltName=DNS:$caName"

# Create server key
openssl genrsa -out "$serverKey" 4096

# Create server certificate request
openssl req -new -key "$serverKey" -out "$serverCSR" \
    -subj "/CN=$domain" \
    -addext "subjectAltName=DNS:$domain"

# 'x509 -req' does not copy extensions from the CSR, so the SAN is supplied
# again through an extension file when signing.
conf="$(mktemp)"
printf "[v3_ext]\\nsubjectAltName=DNS:%s" "$domain" > "$conf"

# Sign server certificate request
openssl x509 -req -in "$serverCSR" -CA "$caCert" -CAkey "$caKey" \
    -CAcreateserial -out "$serverCert" -days 365 \
    -extensions v3_ext -extfile "$conf"

# Delete the CA key so no further certificates can be issued with it, and
# remove the serial file and the temporary files.
rm -f "$caKey" "${caCert%.*}.srl" "$conf" "$serverCSR"
printf "\\e[1;34mPlease add %s to your browser Certificate Manager as a Certificate Authority\\e[0m\\n" "$caCert"
```
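The script's safety rests on the `permitted;DNS:.test` name constraint: a browser that trusts this CA must still reject any certificate it issues for a name outside `.test`. The following added example (not part of the gist) builds a throwaway CA with the same constraint, issues one leaf inside `.test` and one outside it, and checks with `openssl verify` that only the first is accepted. It assumes OpenSSL 1.1.1 or later (for `-addext` and `-verify_hostname`); the names `app.test` and `app.example.com` are constructed for the test.

```sh
#!/usr/bin/env sh
# Added example, not part of the gist: confirm that the permitted;DNS:.test
# constraint stops a trusted local CA from vouching for names outside .test.
set -eu

# issue_leaf DIR CN: sign a leaf cert for CN with the CA in DIR. As in the
# gist, the SAN is supplied via -extfile because x509 -req drops CSR extensions.
issue_leaf() {
    dir="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$cn.key" \
        -out "$dir/$cn.csr" -subj "/CN=$cn" >/dev/null 2>&1
    printf '[v3_ext]\nsubjectAltName=DNS:%s\n' "$cn" > "$dir/$cn.ext"
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extensions v3_ext -extfile "$dir/$cn.ext" \
        -out "$dir/$cn.crt" >/dev/null 2>&1
}

# verify_leaf DIR CN HOST: print "accepted" or "rejected" for a chain check that
# also requires the leaf to match HOST, roughly what a browser does.
verify_leaf() {
    if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" \
        >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# check_name_constraints: exit status 0 only when the in-scope leaf is accepted
# and the out-of-scope leaf is rejected (permitted subtree violation).
check_name_constraints() {
    dir="$(mktemp -d)"
    openssl req -x509 -newkey rsa:2048 -days 1 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -subj "/CN=Constrained test CA" \
        -addext "nameConstraints=critical,permitted;DNS:.test" >/dev/null 2>&1
    issue_leaf "$dir" app.test          # constructed name inside .test
    issue_leaf "$dir" app.example.com   # constructed name outside .test
    in_scope="$(verify_leaf "$dir" app.test app.test)"
    out_scope="$(verify_leaf "$dir" app.example.com app.example.com)"
    rm -rf "$dir"
    echo "in-scope leaf: $in_scope, out-of-scope leaf: $out_scope"
    [ "$in_scope" = accepted ] && [ "$out_scope" = rejected ]
}

check_name_constraints
```

The same `openssl verify -CAfile CA_CERT_PATH -verify_hostname DOMAIN.TLD SERVER_CERT_PATH` call can be run against the files the gist script produces to confirm the issued certificate chains correctly.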