Skip to content

Instantly share code, notes, and snippets.

@dobesv

dobesv/dev_signed_cert.sh

Last active Nov 25, 2022
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Script to create (1) a local certificate authority, (2) a host certificate signed by that authority for the hostname of your choice
Raw
dev_signed_cert.sh
#!/usr/bin/env bash
#
# Usage: dev_signed_cert.sh HOSTNAME
#
# Creates a CA cert and then generates an SSL certificate signed by that CA for the
# given hostname.
#
# After running this, add the generated dev_cert_ca.cert.pem to the trusted root
# authorities in your browser / client system.
#
set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
NAME=${1:-localhost}
CA_KEY=$DIR/dev_cert_ca.key.pem
[ -f $CA_KEY ] || openssl genrsa -des3 -out $CA_KEY 2048
CA_CERT=$DIR/dev_cert_ca.cert.pem
[ -f $CA_CERT ] || openssl req -x509 -new -nodes -key $CA_KEY -sha256 -days 365 -out $CA_CERT
HOST_KEY=$DIR/$NAME.key.pem
[ -f $HOST_KEY ] || openssl genrsa -out $HOST_KEY 2048
HOST_CERT=$DIR/$NAME.cert.pem
if ! [ -f $HOST_CERT ] ; then
HOST_CSR=$DIR/$NAME.csr.pem
[ -f $HOST_CSR ] || openssl req -new -key $HOST_KEY -out $HOST_CSR
HOST_EXT=$DIR/$NAME.ext
echo >$HOST_EXT
echo >>$HOST_EXT authorityKeyIdentifier=keyid,issuer
echo >>$HOST_EXT basicConstraints=CA:FALSE
echo >>$HOST_EXT keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
echo >>$HOST_EXT subjectAltName = @alt_names
echo >>$HOST_EXT
echo >>$HOST_EXT [alt_names]
NAME_N=1
for ALT_NAME in "$@" ; do
echo >>$HOST_EXT DNS.$NAME_N = $NAME
NAME_N=$(( NAME_N + 1 ))
done
openssl x509 -req -in $HOST_CSR -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial \
-out $HOST_CERT -days 365 -sha256 -extfile $HOST_EXT
rm $HOST_EXT
fi
@SubJunk
Copy link

SubJunk commented Feb 26, 2020

I used this successfully today with one edit - I needed to lower the number of days in order to get the certificate trusted by Chrome. I used 600 days instead of 1825 and that made Chrome accept it.
Thanks for the script!

@dobesv
Copy link
Author

dobesv commented Feb 26, 2020

I changed the script to use 365 days, hopefully that doesn't cause issues for anyone.

@shaharmor
Copy link

shaharmor commented May 18, 2020

Thanks, was very helpful

@meuter
Copy link

meuter commented Oct 1, 2021

Thank you for putting this script together and sharing it 😃

@lokilust
Copy link

lokilust commented May 8, 2022

I am getting errors with the bash script ?

Error Loading extension section default
140168142116160:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:../crypto/x509v3/v3_conf.c:92:name=subjectAltName,section=@alt_names
140168142116160:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=@alt_names

  • rm /home/user/localhost.ext

can anyone help me please.

@xbipin
Copy link

xbipin commented Nov 25, 2022

im also getting the below error

Error Loading extension section default
3069763648:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:../crypto/x509v3/v3_conf.c:93:name=subjectAltName,section=@alt_names
3069763648:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=@alt_names

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment