@indolering
Last active March 14, 2023 23:40
Shell script to generate TLS certificates for local development (.test, .example, etc.)

Adapted from http://blog.herecura.eu/blog/2015/09/13/self-signed-multi-domain-certificate/

Create a file named cert.conf:

[ local_san ]
nsCertType              = server
keyUsage                = digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
subjectAltName          = @local_san_subject

[ local_san_subject ]
#Valid local addresses
DNS.1       = *.test
DNS.2       = *.example
DNS.3       = *.invalid
DNS.4       = localhost
DNS.5       = *.localhost
#IP literals must be IP entries; a DNS entry never matches an address
IP.1        = 127.0.0.1
IP.2        = ::1

#Don't use/migrate away from .dev, it is a real gTLD: icannwiki.com/.dev
#DNS.6      = dev
#DNS.7      = *.dev

Then run the following shell script:

#!/bin/sh
set -e #stop at the first failing openssl step

#-sha256: SHA-1 certificates are rejected by current browsers
#-subj: fixed subjects so nothing prompts; the CA and the server cert get different names
openssl genrsa 4096 > localCA.key #generate CA key
openssl req -x509 -new -nodes -sha256 -subj '/CN=Local Dev CA' -key localCA.key -days 1000 > localCA.pem #generate CA cert
openssl genrsa 2048 > local.key #generate server key
openssl req -new -sha256 -subj '/CN=localhost' -key local.key > local.csr #generate signing request (the hostnames come from the SAN list in cert.conf, not from the CN)
openssl x509 -req -sha256 -days 1000 -CA localCA.pem -CAkey localCA.key -CAcreateserial -in local.csr -extfile cert.conf -extensions local_san > local.pem #sign request with local CA

#limit potential for fuckery
rm localCA.key
rm localCA.srl
rm local.csr
chmod 640 local.key
@plindelauf

Thanks for putting me on the right track. I have three additions to this:

  1. The cert.conf file is missing a [ local_san_subject ] section header just before the #Valid local addresses comment.
  2. The script generated SHA1 certificates that will not be supported anymore soon by major browsers. Add the option -sha256 to the openssl req -x509 line and the openssl x509 -req line to generate SHA256 certificates instead.
  3. Also, to conveniently skip over the questions for input, add -subj '/CN=YourCompany' to the openssl req -x509 and the openssl req -new -key lines.
