A script to create a local CA for you zrepl installation. Uses elliptic curves and SANs to be compatible with latest go.

zrepl_cert_gen.sh

#!/bin/sh
if [ $# -ne 1 ]; then
  echo "Usage: $0 FQDN"
  exit 1
fi
cd `dirname "$0"`
if [ ! -f ca.crt ]; then
  openssl ecparam -genkey -name prime256v1 -out ca.key
  openssl req -x509 -new -SHA256 -nodes -days 3652 -subj "/CN=Root CA/OU=zrepl/O=YourName/C=IT" -key ca.key -out ca.crt
fi
if [ ! -f "$1.key" ]; then
  openssl ecparam -genkey -name prime256v1 -out "$1.key"
fi
printf "[SAN]\nsubjectAltName=DNS:$1\n" > "$1.san"
openssl req -new -SHA256 -nodes -subj "/CN=$1/OU=zrepl/O=YourName/C=IT" -key "$1.key" -out "$1.csr"
openssl x509 -req -SHA256 -days 3652 -extfile "$1.san" -extensions SAN -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -out "$1.crt"
rm ca.srl "$1.csr" "$1.san"