
@dargmuesli
Last active November 15, 2019 17:05
Updates self-signed certificates for local development via HTTPS.
<#
.SYNOPSIS
Updates self-signed certificates for local development via HTTPS.
.DESCRIPTION
Creates (or updates, if needed) a root CA certificate for development and a
project certificate that is signed by the root certificate.
.PARAMETER ConfigPath
Path to server certificate configuration.
.PARAMETER Password
Passphrase that protects the private key of the root certificate.
.PARAMETER RootPath
Path to root CA files.
.EXAMPLE
./New-Certificates.ps1 project/certificates/project.cnf
.LINK
https://gist.github.com/Dargmuesli/2db49386cd1ef3f1ad114de19bfebe1e
#>
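Param (
    # OpenSSL configuration of the project (server) certificate. Its directory
    # and base name also decide where the .key, .csr and .crt files are written.
    # Must point at an existing file; a directory is rejected up front instead
    # of failing later inside openssl.
    [Parameter(Mandatory = $True, Position = 0)]
    [ValidateScript({Test-Path -Path $PSItem -PathType Leaf})]
    [String] $ConfigPath,

    # Passphrase for the root CA private key. Mandatory SecureString: when it is
    # not supplied on the command line, PowerShell prompts for it with masked
    # input.
    [Parameter(Mandatory = $True, Position = 1)]
    [ValidateNotNullOrEmpty()]
    [SecureString] $Password,

    # Directory that holds the root CA files; defaults to
    # $HOME/certificates/development.
    [Parameter(Mandatory = $False)]
    [String] $RootPath = (Join-Path -Path $HOME -ChildPath "certificates" `
        | Join-Path -ChildPath "development")
)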
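# Recover the passphrase as plain text, because openssl cannot consume a
# SecureString.
#
# SecureStringToBSTR allocates an unmanaged copy of the secret. It is read with
# PtrToStringBSTR (PtrToStringAuto decodes the buffer as UTF-8 on non-Windows
# platforms and stops after the first character of the UTF-16 BSTR) and then
# zeroed and released, so that copy does not linger in unmanaged memory.
# The managed string in $ClearPassword still lives until it is garbage
# collected; keep its use to the openssl calls that need it.
$PasswordBstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR(
    $Password)
Try {
    $ClearPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR(
        $PasswordBstr)
} Finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($PasswordBstr)
}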
# Base path (without extension) shared by the root CA's .cnf, .key and .crt.
$CaTrunk = Join-Path -Path $RootPath -ChildPath "development_root_ca"

# Project files are written next to the configuration file and reuse its
# base name, e.g. project/certificates/project.{key,csr,crt}.
$ProjectDirectory = [System.IO.Path]::GetDirectoryName($ConfigPath)
$ProjectName = [System.IO.Path]::GetFileNameWithoutExtension($ConfigPath)
$ProjectTrunk = Join-Path -Path $ProjectDirectory -ChildPath $ProjectName

# Create the root CA directory on first use.
# NOTE(review): the directory is created with default permissions although it
# will hold the CA private key; consider restricting it to the current user.
$RootPathExists = Test-Path -Path $RootPath
If (-Not $RootPathExists) {
    New-Item -Path "$RootPath" -ItemType "directory" -Force
}
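# Write the root CA's OpenSSL configuration once; an existing file is left
# untouched so local adjustments survive.
If (-Not (Test-Path -Path "$CaTrunk.cnf")) {
    # .NET file APIs resolve relative paths against the process working
    # directory, which can differ from PowerShell's current location. Resolve
    # the path through PowerShell first so a relative -RootPath ends up in the
    # same place that Test-Path and openssl look at.
    $CaConfigFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath(
        "$CaTrunk.cnf")

    # The extensions limit the certificate to signing certificates and CRLs,
    # and pathlen:0 forbids intermediate CAs below it.
    # NOTE(review): there is no nameConstraints extension, so a machine that
    # trusts this root accepts certificates it signs for any host name. Treat
    # the CA key and passphrase accordingly, or add name constraints for the
    # development domains in use.
    [System.IO.File]::WriteAllLines($CaConfigFile, @"
# OpenSSL configuration for Root CA
[ req ]
prompt = no
string_mask = default
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
countryName = de
organizationName = Development
commonName = Development Root CA
[ x509_ext ]
keyUsage=critical,keyCertSign,cRLSign
basicConstraints=critical,CA:true,pathlen:0
"@)
}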
# Decide whether the root CA has to be (re)created. It is regenerated unless
# both files exist and the certificate stays valid for at least another day.
# NOTE(review): only the expiry date is checked; whether the key matches the
# certificate or the supplied passphrase unlocks it is not verified here.
$CaFilesExist = (Test-Path -Path "$CaTrunk.crt") -And `
    (Test-Path -Path "$CaTrunk.key")
$ReGen = $True
If ($CaFilesExist) {
    # -checkend 86400: will the certificate expire within 86400 seconds?
    $CheckEndOutput = (openssl x509 -checkend 86400 -noout -in "$CaTrunk.crt")
    If ("$CheckEndOutput" -Eq "Certificate will not expire") {
        Write-Host "Valid CA certificate & private key already exist." `
            -ForegroundColor "Cyan"
        $ReGen = $False
    } Else {
        Write-Warning "Invalid CA certificate & private key already exist."
    }
}
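# Create a self-signed root CA certificate (valid 365 days) together with a
# passphrase-protected private key, overwriting any previous pair.
If ($ReGen) {
    Write-Host "Creating CA certificate & private key..." `
        -ForegroundColor "Cyan"

    # A "pass:" argument would put the passphrase on the openssl command line,
    # where process listings show it. It is handed over through an environment
    # variable that exists only for the duration of the call instead.
    # NOTE(review): on some platforms the environment is readable by other
    # processes of the same user; "-passout stdin" is a further option.
    $Env:DEVELOPMENT_CA_PASSPHRASE = $ClearPassword
    Try {
        openssl req `
            -config "$CaTrunk.cnf" `
            -days 365 `
            -keyout "$CaTrunk.key" `
            -new `
            -out "$CaTrunk.crt" `
            -passout "env:DEVELOPMENT_CA_PASSPHRASE" `
            -x509
        $CaExitCode = $LASTEXITCODE
    } Finally {
        Remove-Item -Path "Env:DEVELOPMENT_CA_PASSPHRASE" `
            -ErrorAction SilentlyContinue
    }

    # Stop here rather than signing a project certificate with a missing or
    # stale CA.
    If ($CaExitCode -Ne 0) {
        Throw "openssl failed to create the CA certificate (exit code $CaExitCode)."
    }
}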
# Generate the project's private key and a certificate signing request from
# the project configuration.
# -nodes stores the private key unencrypted so a development server can load
# it without a passphrase. The key is written beside the configuration file,
# i.e. inside the project tree: keep it out of version control.
Write-Host "Creating server certificate & private key..." `
    -ForegroundColor "Cyan"
$CsrArguments = @(
    "req",
    "-config", "$ProjectTrunk.cnf",
    "-keyout", "$ProjectTrunk.key",
    "-new",
    "-nodes",
    "-out", "$ProjectTrunk.csr"
)
openssl @CsrArguments
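# Sign the project's CSR with the root CA. The certificate is valid for 365
# days and takes its extensions from the [ x509_ext ] section of the project
# configuration; -CAcreateserial creates the CA serial number file if needed.
Write-Host "Signing with CA..." -ForegroundColor "Cyan"

# A "pass:" argument would put the CA passphrase on the openssl command line,
# where process listings show it. It is handed over through an environment
# variable that exists only for the duration of the call instead.
# NOTE(review): on some platforms the environment is readable by other
# processes of the same user; "-passin stdin" is a further option.
$Env:DEVELOPMENT_CA_PASSPHRASE = $ClearPassword
Try {
    openssl x509 `
        -CA "$CaTrunk.crt" `
        -CAkey "$CaTrunk.key" `
        -CAcreateserial `
        -days 365 `
        -extensions x509_ext `
        -extfile "$ProjectTrunk.cnf" `
        -in "$ProjectTrunk.csr" `
        -out "$ProjectTrunk.crt" `
        -passin "env:DEVELOPMENT_CA_PASSPHRASE" `
        -req
    $SignExitCode = $LASTEXITCODE
} Finally {
    Remove-Item -Path "Env:DEVELOPMENT_CA_PASSPHRASE" `
        -ErrorAction SilentlyContinue
}

# Surface a failed signature (wrong passphrase, missing CSR, ...) instead of
# ending silently with an old or missing project certificate.
If ($SignExitCode -Ne 0) {
    Throw "openssl failed to sign the project certificate (exit code $SignExitCode)."
}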
@dargmuesli
Author

Deprecated, use https://github.com/FiloSottile/mkcert 🔥 instead!
