Create self-signed certificate for local development.

self-signed cert for local development (Ubuntu)

This Makefile produces a self-signed certificate authority (CA) and one certificate for localhost signed by that CA. This should be enough for local development (https://localhost). If you also add the CA to the system-wide ca-certificates store (sudo make update-ca-certificates), it should work with CLI apps as well.

Setup

Using these five simple steps (optionally seven), you should end up with a usable self-signed certificate.

  1. Copy localhost.ext and Makefile anywhere and put them in the same directory.
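  2. Adjust the SUBJ and PASS variables in the Makefile to suit your needs. PASS protects the CA private key and ships as a placeholder value, so replace it with your own.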
  3. Invoke make install as root (sudo make install).
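  4. Now it should be possible to import /etc/ssl/certs/localhostCA.crt into your browser as an Authority certificate (use your browser GUI). The Makefile puts no name constraints on this CA, so a browser that trusts it accepts any certificate signed with localhostCA.key, not only one for localhost; keep that key and its pass phrase private.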
  5. You can use /etc/ssl/certs/localhost.crt and /etc/ssl/private/localhost.key in Nginx or any other web server.

Nginx:

# Paths written by "make install": the CA-signed localhost certificate and its private key.
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
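  6. (optional) If you need a Diffie-Hellman group in Nginx, you can call make /etc/nginx/dhparam.pem
  7. (optional) If you want to remove the self-signed cert, run sudo make uninstall and remove the authority certificate from your browser. If you also ran make update-ca-certificates, run sudo update-ca-certificates --fresh afterwards so the system store stops trusting the removed CA.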

See also

# X.509 v3 extensions for the localhost leaf certificate
# (presumably the localhost.ext file the Makefile passes with -extfile).
authorityKeyIdentifier=keyid,issuer
# CA:FALSE marks an end-entity certificate: it must not be used to sign other certificates.
basicConstraints=CA:FALSE
# NOTE(review): nonRepudiation and dataEncipherment are not needed by a TLS server;
# digitalSignature plus keyEncipherment is the usual minimum. No extendedKeyUsage is
# set, so the certificate is not limited to server authentication; consider adding
# "extendedKeyUsage = serverAuth".
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Only the DNS name "localhost" is listed; a request to https://127.0.0.1 will not
# match this certificate because no IP entry is present.
DNS.1 = localhost
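# Pass phrase that encrypts the CA private key. The value below is a placeholder:
# replace it before use and keep the edited Makefile out of version control.
PASS=yourcertificatemasterpassword
# Hand PASS to the recipes through the environment so openssl can read it with
# "env:PASS". A "pass:$(PASS)" argument is echoed by make and is visible in the
# process list to every local user while openssl runs.
export PASS
# Subject used for both the CA certificate and the localhost CSR.
SUBJ=/C=PL/ST=MyState/L=MyLocation/O=MyOrganization/OU=MyOrganisationUnit/CN=localhost/emailAddress=admin@localhost

# Targets

# CA certificate copied from localhostCA.pem into the .crt file that gets installed.
localhostCA.crt: localhostCA.pem
	openssl x509 \
		-in localhostCA.pem \
		-inform PEM \
		-out localhostCA.crt

# CA private key (RSA 2048), encrypted at rest with PASS. AES-256 replaces the
# legacy 3DES (-des3) key wrapping; the pass phrase and file format are unchanged.
localhostCA.key:
	openssl genrsa \
		-aes256 \
		-out localhostCA.key \
		-passout env:PASS \
		2048

# Self-signed CA certificate, valid for 825 days. The key is supplied with -key,
# so -nodes (which only affects a newly generated key) has no effect here.
localhostCA.pem: localhostCA.key
	openssl req \
		-x509 \
		-new \
		-nodes \
		-key localhostCA.key \
		-sha256 \
		-days 825 \
		-out localhostCA.pem \
		-passin env:PASS \
		-subj "$(SUBJ)"

# Server private key. It is written unencrypted so a web server can load it
# without a pass phrase; file permissions are its only protection.
localhost.key:
	openssl genrsa -out localhost.key 2048

# Certificate signing request for the server key.
localhost.csr: localhost.key
	openssl req \
		-new \
		-key localhost.key \
		-out localhost.csr \
		-subj "$(SUBJ)"

# Sign the CSR with the CA, applying the extensions from localhost.ext.
# -CAcreateserial also writes localhostCA.srl, hence the second target name.
localhost.crt localhostCA.srl: localhost.csr localhost.ext localhostCA.pem localhostCA.key
	openssl x509 \
		-req \
		-in localhost.csr \
		-CA localhostCA.pem \
		-CAkey localhostCA.key \
		-CAcreateserial \
		-out localhost.crt \
		-days 825 \
		-sha256 \
		-passin env:PASS \
		-extfile localhost.ext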
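# install(1) defaults to mode 0755 when -m is omitted, so every file below gets
# an explicit mode: 0644 for public certificates, 0600 for private keys.

/etc/ssl/certs/localhost.crt: localhost.crt
	install -m 0644 localhost.crt /etc/ssl/certs/localhost.crt

/etc/ssl/certs/localhostCA.crt: localhostCA.crt
	install -m 0644 localhostCA.crt /etc/ssl/certs/localhostCA.crt

# NOTE(review): the CA key is needed only to sign certificates, not to serve
# them. Anyone who obtains it together with PASS can issue certificates that
# every client trusting localhostCA.crt will accept; consider leaving it out of
# the install target and keeping it offline.
/etc/ssl/private/localhostCA.key: localhostCA.key
	install -m 0600 localhostCA.key /etc/ssl/private/localhostCA.key

# Mode 0600 limits the server key to the installing user (root under sudo).
# NOTE(review): a web server that reads its key as a non-root user would need
# group read access instead; confirm against your server setup.
/etc/ssl/private/localhost.key: localhost.key
	install -m 0600 localhost.key /etc/ssl/private/localhost.key

# Optional Diffie-Hellman parameters for Nginx. The prerequisites force the
# certificates and keys to be installed first; generating 4096 bits can take
# a long time.
/etc/nginx/dhparam.pem: /etc/ssl/certs/localhost.crt /etc/ssl/private/localhost.key /etc/ssl/certs/localhostCA.crt /etc/ssl/private/localhostCA.key
	openssl dhparam -out /etc/nginx/dhparam.pem 4096

# Copies picked up by update-ca-certificates as additional trust anchors.
/usr/local/share/ca-certificates/localhostCA.crt: localhostCA.crt
	install -m 0644 localhostCA.crt /usr/local/share/ca-certificates/localhostCA.crt

# NOTE(review): this places the leaf certificate itself in the system trust
# store. Trusting the CA alone should be enough to validate localhost.crt;
# confirm whether this entry is needed.
/usr/local/share/ca-certificates/localhost.crt: localhost.crt
	install -m 0644 localhost.crt /usr/local/share/ca-certificates/localhost.crt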
# PHONY targets
# Delete every generated file from the working directory, private keys included.
.PHONY: clean
clean:
	rm -f \
		localhost.crt \
		localhost.csr \
		localhost.key \
		localhostCA.crt \
		localhostCA.key \
		localhostCA.pem \
		localhostCA.srl
# Install both certificates and both private keys under /etc/ssl.
# This target does not touch the system trust store.
.PHONY: install
install: \
	/etc/ssl/certs/localhost.crt \
	/etc/ssl/certs/localhostCA.crt \
	/etc/ssl/private/localhost.key \
	/etc/ssl/private/localhostCA.key
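# Remove everything the install and update-ca-certificates targets placed on
# the system, then rebuild the system trust store. Deleting the files under
# /usr/local/share/ca-certificates is not enough on its own: the CA stays in
# the generated bundle until update-ca-certificates runs again.
# Browsers that imported the CA keep trusting it until it is removed there too.
.PHONY: uninstall
uninstall:
	rm -f /etc/ssl/certs/localhost.crt
	rm -f /etc/ssl/certs/localhostCA.crt
	rm -f /etc/ssl/private/localhost.key
	rm -f /etc/ssl/private/localhostCA.key
	rm -f /usr/local/share/ca-certificates/localhost.crt
	rm -f /usr/local/share/ca-certificates/localhostCA.crt
	/usr/sbin/update-ca-certificates --fresh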
# Add the certificates to the system-wide trust store so that command-line
# clients accept https://localhost. Every program using the system store will
# then trust anything signed by localhostCA.key.
.PHONY: update-ca-certificates
update-ca-certificates: \
	/usr/local/share/ca-certificates/localhost.crt \
	/usr/local/share/ca-certificates/localhostCA.crt
	/usr/sbin/update-ca-certificates