Script to create (1) a local certificate authority, (2) a host certificate signed by that authority for the hostname of your choice
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # | |
| # Usage: dev_signed_cert.sh HOSTNAME | |
| # | |
| # Creates a CA cert and then generates an SSL certificate signed by that CA for the | |
| # given hostname. | |
| # | |
| # After running this, add the generated dev_cert_ca.cert.pem to the trusted root | |
| # authorities in your browser / client system. | |
| # | |
| set -x | |
| DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | |
| NAME=${1:-localhost} | |
| CA_KEY=$DIR/dev_cert_ca.key.pem | |
| [ -f $CA_KEY ] || openssl genrsa -des3 -out $CA_KEY 2048 | |
| CA_CERT=$DIR/dev_cert_ca.cert.pem | |
| [ -f $CA_CERT ] || openssl req -x509 -new -nodes -key $CA_KEY -sha256 -days 365 -out $CA_CERT | |
| HOST_KEY=$DIR/$NAME.key.pem | |
| [ -f $HOST_KEY ] || openssl genrsa -out $HOST_KEY 2048 | |
| HOST_CERT=$DIR/$NAME.cert.pem | |
| if ! [ -f $HOST_CERT ] ; then | |
| HOST_CSR=$DIR/$NAME.csr.pem | |
| [ -f $HOST_CSR ] || openssl req -new -key $HOST_KEY -out $HOST_CSR | |
| HOST_EXT=$DIR/$NAME.ext | |
| echo >$HOST_EXT | |
| echo >>$HOST_EXT authorityKeyIdentifier=keyid,issuer | |
| echo >>$HOST_EXT basicConstraints=CA:FALSE | |
| echo >>$HOST_EXT keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment | |
| echo >>$HOST_EXT subjectAltName = @alt_names | |
| echo >>$HOST_EXT | |
| echo >>$HOST_EXT [alt_names] | |
| NAME_N=1 | |
| for ALT_NAME in "$@" ; do | |
| echo >>$HOST_EXT DNS.$NAME_N = $NAME | |
| NAME_N=$(( NAME_N + 1 )) | |
| done | |
| openssl x509 -req -in $HOST_CSR -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial \ | |
| -out $HOST_CERT -days 365 -sha256 -extfile $HOST_EXT | |
| rm $HOST_EXT | |
| fi | |
I changed the script to use 365 days, hopefully that doesn't cause issues for anyone.
Thanks, was very helpful
Thank you for putting this script together and sharing it
I am getting errors with the bash script ?
Error Loading extension section default
140168142116160:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:../crypto/x509v3/v3_conf.c:92:name=subjectAltName,section=@alt_names
140168142116160:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=@alt_names
- rm /home/user/localhost.ext
can anyone help me please.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I used this successfully today with one edit - I needed to lower the number of days in order to get the certificate trusted by Chrome. I used
600days instead of1825and that made Chrome accept it.Thanks for the script!