gen-ca.sh

#!/usr/bin/env bash
set -o errexit -o pipefail -o nounset

ROOT="root"

if [[ -f "$ROOT.key" || -f "$ROOT.crt" ]]; then
    echo "Root certificate already exist"
    exit 1
fi

# generate a CA in 
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -x509 -extensions v3_ca -keyout "$ROOT.key" -out "$ROOT.crt"

gen-cert.sh

#!/usr/bin/env bash
set -o errexit -o pipefail -o nounset

if [[ "$#" -ne 1 ]]; then
    echo "Usage: $0 <domain>"
    exit 1
fi

DOMAIN="$1"
NAME="$DOMAIN"
ROOT="root"

# generate private key
openssl genrsa -out "$NAME.key" 2048

# generate signing request
openssl req -new -sha256 -key "$NAME.key" -out "$NAME.csr"

# generate public certificate
openssl x509 -req -days 3650 -in "$NAME.csr" -CA "$ROOT.crt" -CAkey "$ROOT.key" -CAcreateserial -out "$NAME.crt"

# remove signing request
rm "$NAME.csr"

# generate packed pem file for Caddy (it contains the certificate and
# private key)
cat "$NAME.crt" "$NAME.key" > "$NAME.packed.pem"

# generate a bundle file for StorReduce and most webservers (it
# contains the certificate and the CA certificate)
cat "$NAME.crt" "$ROOT.crt" > "$NAME.bundle.pem"

Adapted from https://gist.github.com/JanTvrdik/d22f53604f3bfd78df3863cf1ad87b8a