Script to create (1) a local certificate authority, (2) a host certificate signed by that authority for the hostname of your choice
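#!/usr/bin/env bash
#
# Usage: dev_signed_cert.sh HOSTNAME [ALT_NAME...]
#
# Creates a CA cert and then generates an SSL certificate signed by that CA for the
# given hostname (default: localhost). Every argument becomes a DNS entry in the
# certificate's subjectAltName; with no arguments the single entry is "localhost".
#
# After running this, add the generated dev_cert_ca.cert.pem to the trusted root
# authorities in your browser / client system.
#
# Security notes:
#   * Any machine that trusts dev_cert_ca.cert.pem will accept every certificate
#     signed with dev_cert_ca.key.pem, for any hostname. Keep the CA key
#     passphrase-protected, out of version control, and only on dev machines.
#   * Private keys are created under umask 077 so other local users cannot read them.
#   * Existing files are reused, never overwritten; delete them to regenerate.
#
set -euo pipefail   # stop at the first failed step instead of signing with missing inputs
set -x              # trace commands; no secrets are on the command line (openssl prompts for the passphrase)

die() { printf '%s\n' "$*" >&2; exit 1; }

DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
NAME=${1:-localhost}

# SAN entries: all arguments, or the default name when none were given.
# (An empty [alt_names] section makes openssl reject the extension file.)
if (( $# > 0 )); then
  ALT_NAMES=("$@")
else
  ALT_NAMES=("$NAME")
fi

# Names end up in file paths and in an openssl config file, so reject anything
# that could escape $DIR ("/", leading "."), look like an option (leading "-"),
# or inject extra config lines (whitespace, newlines, "=", "[").
name_re='^[A-Za-z0-9*_][A-Za-z0-9._*-]*$'
for ALT_NAME in "${ALT_NAMES[@]}"; do
  [[ $ALT_NAME =~ $name_re ]] || die "invalid hostname: $ALT_NAME"
done

# CA private key, encrypted with a passphrase openssl prompts for.
# AES-256 replaces the legacy 3DES (-des3) key encryption.
CA_KEY=$DIR/dev_cert_ca.key.pem
[[ -f "$CA_KEY" ]] || (umask 077 && openssl genrsa -aes256 -out "$CA_KEY" 2048)

# Self-signed CA certificate (this is the file to import into the trust store).
CA_CERT=$DIR/dev_cert_ca.cert.pem
[[ -f "$CA_CERT" ]] || openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days 365 -out "$CA_CERT"

# Host private key; left unencrypted so a server can load it without a prompt.
HOST_KEY=$DIR/$NAME.key.pem
[[ -f "$HOST_KEY" ]] || (umask 077 && openssl genrsa -out "$HOST_KEY" 2048)

HOST_CERT=$DIR/$NAME.cert.pem
if ! [[ -f "$HOST_CERT" ]]; then
  HOST_CSR=$DIR/$NAME.csr.pem
  [[ -f "$HOST_CSR" ]] || openssl req -new -key "$HOST_KEY" -out "$HOST_CSR"

  # The extension file is scratch data: use an unpredictable temp name and
  # remove it on every exit path, including a failed signing step.
  HOST_EXT=$(mktemp)
  trap 'rm -f -- "$HOST_EXT"' EXIT

  # Everything is written as quoted literals: an unquoted [alt_names] is a glob
  # and would expand to a matching one-letter filename in the current directory.
  {
    printf '\n'
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer'
    printf '%s\n' 'basicConstraints=CA:FALSE'
    printf '%s\n' 'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment'
    printf '%s\n' 'subjectAltName = @alt_names'
    printf '\n'
    printf '%s\n' '[alt_names]'
    NAME_N=1
    for ALT_NAME in "${ALT_NAMES[@]}"; do
      # Each entry carries its own name (the loop used to repeat $NAME).
      printf 'DNS.%d = %s\n' "$NAME_N" "$ALT_NAME"
      NAME_N=$(( NAME_N + 1 ))
    done
  } >"$HOST_EXT"

  # Validity is kept at 365 days; some clients refuse long-lived leaf certificates.
  openssl x509 -req -in "$HOST_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$HOST_CERT" -days 365 -sha256 -extfile "$HOST_EXT"
fi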
I changed the script to use 365 days, hopefully that doesn't cause issues for anyone.
Thanks, was very helpful
I used this successfully today with one edit - I needed to lower the number of days in order to get the certificate trusted by Chrome. I used 600 days instead of 1825 and that made Chrome accept it. Thanks for the script!