Self-signed localhost ("linuxhost") CA cert w/ SAN attributes to make Chrome & FF happy
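#!/bin/bash
# Build a local root CA and use it to issue a TLS server certificate for the
# host name "linuxhost", carrying a subjectAltName entry.
#
# Files written to the current directory:
#   server_rootCA.key, server_rootCA.pem       root CA private key and self-signed cert
#   linuxhost.key, linuxhost.csr, linuxhost.crt  server key, signing request, issued cert
#   domain.csr.cnf, v3.ext                     openssl config fragments used below
#   server_rootCA.srl                          serial file created by -CAcreateserial

# Abort on the first failing step so a later command never signs with, or
# leaves behind, half-written key material.
set -euo pipefail

# Private keys must not be group/world readable. Setting the umask up front
# covers both key files regardless of how the installed openssl opens them.
umask 077

# Gen CA root key.
# The key is stored unencrypted: anyone who can read it can issue certificates
# that every trust store importing server_rootCA.pem will accept. Keep it off
# shared hosts and out of version control; remove it once no further certs
# need to be issued.
openssl genrsa -out server_rootCA.key 4096

# Gen self-signed root CA cert (valid 10 years).
openssl req -x509 -new -key server_rootCA.key -sha256 -days 3650 \
    -subj '/O=Cert-O-Matic/OU=You get a cert and YOU get a cert/C=US/CN=Certs R Us' \
    -out server_rootCA.pem

# Create server cert signing request config (crucially, with SAN).
# default_bits was 4086 (typo); the key size actually used comes from
# -newkey rsa:4096 below, so this only keeps the config consistent.
# The quoted delimiter stops the shell from expanding anything in the body.
cat << 'EOF' > domain.csr.cnf
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=US
ST=CA
L=Local
O=Local Org
OU=Local Dept
emailAddress=mail@example.com
CN = linuxhost
EOF

# Create v3.ext configuration file: extensions applied when the CA signs the
# request. CA:FALSE keeps the issued cert from acting as a CA itself.
cat << 'EOF' > v3.ext
# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = linuxhost
EOF

# Create server key and domain/server signing request.
# -nodes leaves linuxhost.key unencrypted so a server can load it unattended;
# file permissions (see umask above) are its only protection.
openssl req -new -sha256 -nodes -out linuxhost.csr -newkey rsa:4096 -keyout linuxhost.key \
    -config domain.csr.cnf

# Generate server cert, signed by the root CA (valid 10 years).
openssl x509 -req -in linuxhost.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial \
    -out linuxhost.crt -days 3650 -sha256 -extfile v3.ext

# Certificates are public data; restore the usual read permissions so a server
# running under another account can still load them. Keys stay owner-only.
chmod 644 server_rootCA.pem linuxhost.crt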