Generate self-signed wildcard SSL certificate for development environment

generate-wildcard-certificate.sh

#!/usr/bin/env bash

# print usage
DOMAIN=$1
if [ -z "$1" ]; then
    echo "USAGE: $0 tld"
    echo ""
    echo "This will generate a non-secure self-signed wildcard certificate for "
    echo "a given development tld."
    echo "This should only be used in a development environment."
    exit
fi

# Add wildcard
WILDCARD="*.$DOMAIN"

# Set our variables
cat <<EOF > req.cnf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = MD
O = home
localityName = home
commonName = $WILDCARD
organizationalUnitName = home
emailAddress = $(git config user.email)
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1   = https.$DOMAIN
DNS.2   = *.https.$DOMAIN
IP   = 10.0.0.1
EOF

# Generate our Private Key, and Certificate directly
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout "$DOMAIN.key" -config req.cnf \
  -out "$DOMAIN.crt" -sha256
rm req.cnf

echo ""
echo "Next manual steps:"
echo "- Use $DOMAIN.crt and $DOMAIN.key to configure Apache/nginx"
echo "- Import $DOMAIN.crt into Chrome settings: chrome://settings/certificates > tab 'Authorities'"

SAN required to serve https.

Note IP hardcoded on 38.

In conjunction with nginx rule that forwards xxx.https.tld -> xxx.tld and port.https.tld -> ip:port

problems making Certificate Request ... error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:

if $(git config user.email is empty/not set. Just put something in there

https://superuser.com/questions/1451895/err-ssl-key-usage-incompatible-solution

Replace line 32 (keyUsage) with:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment