@rgstephens
Last active November 20, 2017 01:33
Make Self Signed Certificate
```bash
#!/bin/bash
# https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server
set -euo pipefail

# FQDN the device certificate is issued for (first argument)
FQDN=${1:?usage: $0 <fqdn>}
KEYDIR=keys

# Private keys are written below; keep them readable by the owner only
umask 077

# make directories to work from
#mkdir -p server/ client/ all/
mkdir -p "$KEYDIR"

# Create your very own Root Certificate Authority
openssl genrsa \
  -out "${KEYDIR}/my-private-root-ca.privkey.pem" \
  2048

# Self-sign your Root Certificate Authority
# Since this is private, the details can be as bogus as you like, but the
# subject must differ from the device subject below: a device certificate whose
# issuer equals its subject looks self-signed and chain verification can fail.
# The CN used here is an arbitrary label.
openssl req \
  -x509 \
  -new \
  -nodes \
  -key "${KEYDIR}/my-private-root-ca.privkey.pem" \
  -days 1024 \
  -out "${KEYDIR}/my-private-root-ca.cert.pem" \
  -subj "/C=US/ST=Washington/L=Seattle/O=nworks/CN=nworks Private Root CA"

# Create a Device Certificate for each domain,
# such as example.com, *.example.com, awesome.example.com
# NOTE: You MUST match CN to the domain name or ip address you want to use
openssl genrsa \
  -out "${KEYDIR}/privkey.pem" \
  2048

# Create a request from your Device, which your Root CA will sign
openssl req -new \
  -key "${KEYDIR}/privkey.pem" \
  -out "${KEYDIR}/csr.pem" \
  -subj "/C=US/ST=Washington/L=Seattle/O=nworks/CN=${FQDN}"

# Sign the request from Device with your Root CA
# Current browsers and TLS libraries match the host name against
# subjectAltName rather than CN, so the name is added there as well
# (use IP:<address> instead of DNS:<name> for an ip address).
openssl x509 \
  -req -in "${KEYDIR}/csr.pem" \
  -CA "${KEYDIR}/my-private-root-ca.cert.pem" \
  -CAkey "${KEYDIR}/my-private-root-ca.privkey.pem" \
  -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "$FQDN") \
  -out "${KEYDIR}/cert.pem" \
  -days 500

# Bundle the device key and certificate into a PKCS#12 file, with the root CA
# certificate as the chain (prompts for an export password).
# The root CA private key does not belong in this bundle.
openssl pkcs12 -export \
  -out "${KEYDIR}/certificate.pfx" \
  -inkey "${KEYDIR}/privkey.pem" \
  -in "${KEYDIR}/cert.pem" \
  -certfile "${KEYDIR}/my-private-root-ca.cert.pem"

# Put things in their proper place
#rsync -a ${KEYDIR}/{privkey,cert}.pem server/
#cat ${KEYDIR}/cert.pem > server/fullchain.pem # we have no intermediates in this case
cat "${KEYDIR}/cert.pem" > "${KEYDIR}/fullchain.pem" # we have no intermediates in this case
#rsync -a ${KEYDIR}/my-private-root-ca.cert.pem server/
#rsync -a ${KEYDIR}/my-private-root-ca.cert.pem client/
```
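A check worth running on the files this script writes, as an added example that is not part of the gist: it confirms that the device certificate chains to the private root CA, that it belongs to the device private key, and that it is valid for the host name. The function name `check_cert` and its return codes are assumptions of this example.

```bash
#!/bin/bash
# Added example (not part of the gist): sanity-check a device certificate
# against the private root CA before deploying it.
# Usage: check_cert <root-ca-cert> <device-cert> <device-key> <hostname>
# Returns 0 when every check passes, otherwise the number of the failed check.
check_cert() {
  local ca="$1" cert="$2" key="$3" host="$4"
  local cert_pub key_pub

  # 1. The certificate must chain to the root CA and be inside its validity period.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca" >&2
    return 1
  fi

  # 2. The certificate and the private key must carry the same public key.
  #    Catches a bundle built from the wrong key, e.g. the CA key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key for $cert" >&2
    return 2
  fi

  # 3. The certificate must be valid for the host name the server is reached by.
  #    openssl checks subjectAltName and falls back to CN when no DNS SAN is present.
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
      | grep -q 'does match'; then
    echo "FAIL: $cert is not valid for host $host" >&2
    return 3
  fi

  echo "OK: $cert chains to $ca, matches $key and covers $host"
  return 0
}
```

For the files above: `check_cert keys/my-private-root-ca.cert.pem keys/cert.pem keys/privkey.pem "$FQDN"`.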