@quells
Created February 8, 2021 16:51
Tiny certificate authority for LAN
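#!/bin/bash
# Based on https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
# Issues a server certificate for <domain>, signed by a local root CA.
# The root CA key and certificate are created on first run if they do not exist.
set -euo pipefail

if [ "$#" -ne 1 ]; then
  echo "Usage: tiny-ca.sh <domain>" >&2
  exit 1
fi

DOMAIN=$1
DOMAIN_KEY=$DOMAIN.key
DOMAIN_CSR=$DOMAIN.csr
DOMAIN_EXT=$DOMAIN.ext
DOMAIN_CRT=$DOMAIN.crt
DOMAIN_CERT_LENGTH=90 # days
DOMAIN_KEY_STRENGTH=2048 # bits

# Set these to where the root CA material should live.
ROOT_KEY=/path/to/root.key
ROOT_CERT=/path/to/root.pem
ROOT_CERT_LENGTH=1825 # days, ~5 years
ROOT_KEY_STRENGTH=2048 # bits

# Root CA private key, encrypted at rest (-des3 prompts for a passphrase).
if [ ! -f "$ROOT_KEY" ]; then
  echo "Generating root CA private key"
  openssl genrsa -des3 -out "$ROOT_KEY" "$ROOT_KEY_STRENGTH"
fi

# Self-signed root CA certificate; this is the file clients import as trusted.
if [ ! -f "$ROOT_CERT" ]; then
  echo "Generating root CA certificate"
  openssl req -x509 -new -nodes -key "$ROOT_KEY" -sha256 -days "$ROOT_CERT_LENGTH" -out "$ROOT_CERT"
fi

# Private key for the domain (unencrypted so a server can load it unattended).
if [ ! -f "$DOMAIN_KEY" ]; then
  openssl genrsa -out "$DOMAIN_KEY" "$DOMAIN_KEY_STRENGTH"
fi

# Certificate signing request for the domain key.
if [ ! -f "$DOMAIN_CSR" ]; then
  openssl req -new -key "$DOMAIN_KEY" -out "$DOMAIN_CSR"
fi

# X.509 v3 extensions: leaf certificate only (CA:FALSE), with the domain as a SAN.
if [ ! -f "$DOMAIN_EXT" ]; then
  cat > "$DOMAIN_EXT" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF
fi

# Sign the CSR with the root CA. This step runs on every invocation, so
# re-running the script re-issues the certificate for another $DOMAIN_CERT_LENGTH days.
openssl x509 -req -in "$DOMAIN_CSR" -CA "$ROOT_CERT" -CAkey "$ROOT_KEY" -CAcreateserial -out "$DOMAIN_CRT" -days "$DOMAIN_CERT_LENGTH" -sha256 -extfile "$DOMAIN_EXT"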