Script to create (1) a local certificate authority, (2) a host certificate signed by that authority for the hostname of your choice
#!/usr/bin/env bash
#
# Usage: dev_signed_cert.sh HOSTNAME [ALT_NAME...]
#
# Creates a CA cert and then generates an SSL certificate signed by that CA for the
# given hostname.
#
# After running this, add the generated dev_cert_ca.cert.pem to the trusted root
# authorities in your browser / client system.
#
set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
NAME=${1:-localhost}

# CA private key (passphrase-protected) and self-signed CA certificate.
# Both are reused on later runs if the files already exist.
CA_KEY=$DIR/dev_cert_ca.key.pem
[ -f "$CA_KEY" ] || openssl genrsa -des3 -out "$CA_KEY" 2048
CA_CERT=$DIR/dev_cert_ca.cert.pem
[ -f "$CA_CERT" ] || openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days 365 -out "$CA_CERT"

# Host private key (not passphrase-protected).
HOST_KEY=$DIR/$NAME.key.pem
[ -f "$HOST_KEY" ] || openssl genrsa -out "$HOST_KEY" 2048

HOST_CERT=$DIR/$NAME.cert.pem
if ! [ -f "$HOST_CERT" ] ; then
    HOST_CSR=$DIR/$NAME.csr.pem
    [ -f "$HOST_CSR" ] || openssl req -new -key "$HOST_KEY" -out "$HOST_CSR"

    # Temporary extensions file: marks the cert as a non-CA leaf and lists its SANs.
    HOST_EXT=$DIR/$NAME.ext
    echo >"$HOST_EXT"
    echo >>"$HOST_EXT" "authorityKeyIdentifier=keyid,issuer"
    echo >>"$HOST_EXT" "basicConstraints=CA:FALSE"
    echo >>"$HOST_EXT" "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
    echo >>"$HOST_EXT" "subjectAltName = @alt_names"
    echo >>"$HOST_EXT"
    # Quoted so the shell does not treat [alt_names] as a glob pattern.
    echo >>"$HOST_EXT" "[alt_names]"
    NAME_N=1
    # One DNS entry per argument; falls back to $NAME when no argument was given.
    for ALT_NAME in "${@:-$NAME}" ; do
        echo >>"$HOST_EXT" "DNS.$NAME_N = $ALT_NAME"
        NAME_N=$(( NAME_N + 1 ))
    done

    # Sign the CSR with the CA, applying the extensions above.
    openssl x509 -req -in "$HOST_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -out "$HOST_CERT" -days 365 -sha256 -extfile "$HOST_EXT"
    rm "$HOST_EXT"
fi
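
A post-generation check, added here as an example and not part of the gist: it confirms that a host certificate chains to the dev CA, matches a hostname through its subjectAltName, and does not outlive a chosen limit (the validity problem raised in the comments below). `check_dev_cert`, `make_sample`, the file names, the `*.example.test` hostnames and the 400-day limit are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist. Function names, file names and the
# sample hostnames are constructed for illustration.

# check_dev_cert CA_CERT HOST_CERT HOSTNAME MAX_DAYS
# Returns 0 if HOST_CERT chains to CA_CERT, matches HOSTNAME, and expires
# within MAX_DAYS days; 1 on chain/hostname failure; 2 if it lives too long.
check_dev_cert() {
    local ca="$1" cert="$2" host="$3" max_days="$4"
    # When the cert has DNS SANs, hostname matching consults only those.
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" \
        >/dev/null 2>&1 || return 1
    # -checkend exits 0 if the cert is still valid that many seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $(( max_days * 86400 )) \
        >/dev/null; then
        return 2
    fi
    return 0
}

# make_sample DIR NAME...: throwaway CA and host cert in DIR, following the
# gist's steps non-interactively (unencrypted CA key, constructed subjects).
make_sample() {
    local dir="$1" n=1 alt; shift
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
        >"$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/req.cnf" -extensions v3_ca -subj "/CN=Sample Dev CA" \
        -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=sample dev host" \
        -keyout "$dir/host.key.pem" -out "$dir/host.csr.pem" 2>/dev/null
    {
        echo "basicConstraints=CA:FALSE"
        echo "subjectAltName = @alt_names"
        echo "[alt_names]"
        for alt in "$@"; do echo "DNS.$n = $alt"; n=$(( n + 1 )); done
    } >"$dir/host.ext"
    openssl x509 -req -in "$dir/host.csr.pem" -CA "$dir/ca.cert.pem" \
        -CAkey "$dir/ca.key.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/host.ext" -out "$dir/host.cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp" dev.example.test api.example.test
for h in dev.example.test api.example.test other.example.test; do
    check_dev_cert "$tmp/ca.cert.pem" "$tmp/host.cert.pem" "$h" 400
    echo "$h: check_dev_cert returned $?"
done
rm -rf "$tmp"
```

Against the gist's own output, the call would be `check_dev_cert dev_cert_ca.cert.pem HOSTNAME.cert.pem HOSTNAME 400`, run from the script's directory.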

SubJunk commented Feb 26, 2020

I used this successfully today with one edit - I needed to lower the number of days in order to get the certificate trusted by Chrome. I used 600 days instead of 1825 and that made Chrome accept it.
Thanks for the script!

Owner Author

dobesv commented Feb 26, 2020

I changed the script to use 365 days, hopefully that doesn't cause issues for anyone.


shaharmor commented May 18, 2020

Thanks, was very helpful
