Last active
February 7, 2018 17:18
-
-
Save jacerider/63c55bd2159f51b56bf471f03aaf0b66 to your computer and use it in GitHub Desktop.
Wildcard SSL generator for local dev
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| #Set fonts for Help. | |
| NORM=`tput sgr0` | |
| BOLD=`tput bold` | |
| REV=`tput smso` | |
| SSL_PATH="${HOME}/Sites/ssl" | |
| usage() { | |
| cat <<EOF | |
| Generate a self-signed SSL cert | |
| ${REV} Usage: ${NORM} ${BOLD}$0 <NAME>${NORM} | |
| Where NAME is the domain to be deployed. The extension .ash will be automatically appended. | |
| ${REV} Prerequisites: ${NORM} | |
| ${BOLD}openssl${NORM} | |
| Requires openssl is installed and available on \$PATH. | |
| ${BOLD}Become a (tiny) certificate authority${NORM} | |
| 1. Run the following commands: | |
| openssl genrsa -out ${SSL_PATH}/rootCA.key 2048 | |
| openssl req -x509 -new -nodes -key ${SSL_PATH}/rootCA.key -sha256 -days 1024 -out ${SSL_PATH}/rootCA.pem | |
| 2. Open Keychain Access | |
| 3. Choose "System" in the "Keychains" list | |
| 4. Choose "Certificates" in the "Category" list | |
| 5. Choose "File | Import Items..." | |
| 6. Browse to the file created above, "rootCA.pem", select it, and click "Open" | |
| 7. Select your newly imported certificate in the "Certificates" list. | |
| 8. Click the "i" button, or right click on your certificate, and choose "Get Info" | |
| 9. Expand the "Trust" option | |
| 10. Change "When using this certificate" to "Always Trust" | |
| 11. Close the dialog, and you'll be prompted for your password. | |
| 12. Close and reopen any tabs that are using your target domain, and it'll be loaded securely! | |
| EOF | |
| exit 1 | |
| } | |
| main() { | |
| local NAME="$1" | |
| if ! which openssl > /dev/null; then | |
| echo | |
| echo "${REV} Error: ${NORM} The openssl executable was not found. This script requires openssl." | |
| echo | |
| usage | |
| fi | |
| if [[ -z "$NAME" ]]; then | |
| echo | |
| echo "${REV} Error: ${NORM} Specify base domain as the first argument, e.g. mycompany.com" | |
| echo | |
| usage | |
| fi | |
| # CAN REMOVE FROM KEYCHAIN AUTOMATICALLY | |
| # RESULT="0" | |
| # while read ENTRY; do | |
| # RESULT="1" | |
| # done < <(security find-certificate -a -c "${NAME}.ash" ~/Library/Keychains/login.keychain) | |
| # if [[ "$RESULT" = "1" ]] | |
| # then | |
| # sudo security \ | |
| # delete-certificate \ | |
| # -c "${NAME}.ash" \ | |
| # $HOME/Library/Keychains/login.keychain | |
| # fi | |
| cat > "${SSL_PATH}/${NAME}.cnf" <<EOF | |
| [ req ] | |
| default_bits = 2048 | |
| default_keyfile = server-key.pem | |
| distinguished_name = subject | |
| req_extensions = req_ext | |
| x509_extensions = x509_ext | |
| string_mask = utf8only | |
| prompt = no | |
| [ subject ] | |
| countryName = US | |
| stateOrProvinceName = MN | |
| localityName = Minnesota | |
| organizationName = Ashen Rayne | |
| commonName = ${NAME}.ash | |
| emailAddress = info@ashenrayne.com | |
| [ x509_ext ] | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid,issuer | |
| basicConstraints = CA:FALSE | |
| keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment | |
| subjectAltName = @alternate_names | |
| nsComment = "OpenSSL Generated Certificate" | |
| [ req_ext ] | |
| subjectKeyIdentifier = hash | |
| basicConstraints = CA:FALSE | |
| keyUsage = digitalSignature, keyEncipherment | |
| subjectAltName = @alternate_names | |
| nsComment = "OpenSSL Generated Certificate" | |
| [alternate_names] | |
| DNS.1 = ${NAME}.ash | |
| DNS.2 = *.${NAME}.ash | |
| # IP = 127.0.0.1 | |
| # DNS.1 = *.${NAME}.ash | |
| # DNS.5 = localhost | |
| # DNS.6 = localhost.localdomain | |
| # DNS.7 = 127.0.0.1 | |
| EOF | |
| # openssl req \ | |
| # -newkey rsa:2048 \ | |
| # -x509 \ | |
| # -nodes \ | |
| # -keyout ssl.key \ | |
| # -new \ | |
| # -out ssl.crt \ | |
| # -subj /CN=*.${NAME}.ash \ | |
| # -sha256 \ | |
| # -days 3650 \ | |
| # -config openssl.cnf | |
| openssl genrsa -out "${SSL_PATH}/${NAME}-ssl.key" 2048 | |
| openssl req -new -key "${SSL_PATH}/${NAME}-ssl.key" \ | |
| -out "${SSL_PATH}/${NAME}-ssl.csr" -config "${SSL_PATH}/${NAME}.cnf" | |
| openssl x509 -req -in "${SSL_PATH}/${NAME}-ssl.csr" -CA "${SSL_PATH}/rootCA.pem" -CAkey "${SSL_PATH}/rootCA.key" -CAcreateserial \ | |
| -out "${SSL_PATH}/${NAME}-ssl.crt" -days 1825 -sha256 -extensions req_ext -extfile "${SSL_PATH}/${NAME}.cnf" | |
| # ONE LINER WITHOUT CA | |
| # openssl req -config "${SSL_PATH}/openssl.cnf" -new -sha256 -newkey rsa:2048 \ | |
| # -nodes -keyout "${SSL_PATH}/${NAME}-ssl.key" -x509 -days 3650 \ | |
| # -out "${SSL_PATH}/${NAME}-ssl.crt" | |
| rm "${SSL_PATH}/${NAME}.cnf" | |
| # CAN ADD TO KEYCHAIN AUTOMATICALLY | |
| # sudo security \ | |
| # add-trusted-cert \ | |
| # -d \ | |
| # -k ~/Library/Keychains/login.keychain \ | |
| # ssl.crt | |
| # CAN OPEN KEYCHAIN | |
| # open /Applications/Utilities/Keychain\ Access.app ssl.crt | |
| echo | |
| echo "###########################################################################" | |
| echo Done! | |
| echo "###########################################################################" | |
| echo "To use these files on your server, simply copy both $DOMAIN.csr and" | |
| echo "device.key to your webserver, and use like so (if nginx, for example)" | |
| echo | |
| echo " listen 443 ssl;" | |
| echo " ${BOLD}ssl_certificate ${SSL_PATH}/${NAME}-ssl.crt;${NORM}" | |
| echo " ${BOLD}ssl_certificate_key ${SSL_PATH}/${NAME}-ssl.key;${NORM}" | |
| } | |
| main "$@" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment