Create CA and TLS certificate for local development (.test TLD)
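#!/usr/bin/env sh
# Create a throw-away local CA and sign one TLS server certificate with it,
# for HTTPS on a development host under the reserved .test TLD.
#
# Usage: ./certgen DOMAIN.test CA_CERT_PATH SERVER_CERT_PATH
#
#   DOMAIN.test       name the server certificate is issued for. It must lie
#                     under .test because the CA is name-constrained to .test;
#                     a leaf for any other name would be rejected by browsers
#                     that enforce the constraint.
#   CA_CERT_PATH      where to write the CA certificate (import this into the
#                     browser / OS trust store).
#   SERVER_CERT_PATH  where to write the server certificate. The server key is
#                     written next to it with the extension replaced by '.key'.
#
# The CA private key only ever exists inside a private temporary directory that
# is removed on exit (including on error), so a CA certificate that has been
# trusted on a machine cannot later be used to mint certificates for other
# names. Rerun the script to get a fresh CA.
# Requires OpenSSL >= 1.1.1 (for `req -addext`).
set -eu

# Print a diagnostic to stderr and exit with a usage-error status.
die() {
  printf 'certgen: %s\n' "$*" >&2
  exit 2
}

[ "$#" -eq 3 ] || die "usage: $0 DOMAIN.test CA_CERT_PATH SERVER_CERT_PATH"
command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

domain="$1"
caCert="$2"
serverCert="$3"
serverKey="${serverCert%.*}.key"
caName="Local $domain CA"

# Validate the domain before it is spliced into -subj and into an OpenSSL
# config fragment: hostname characters only ('*' allowed for a wildcard
# label) and the .test suffix the CA's nameConstraints permit. This also
# rules out '/', newlines and other characters that would alter the
# subject or the extension config.
case "$domain" in
  '' | *[!A-Za-z0-9.*-]*) die "invalid domain name: '$domain'" ;;
  *.test) ;;
  *) die "'$domain' is not under .test; this CA only permits .test names" ;;
esac

# Private working directory (mktemp -d creates it 0700) for the CA key, CSR,
# serial file and extension config. The EXIT trap removes it on every exit
# path, so a failing openssl step cannot leave the CA private key in /tmp.
work="$(mktemp -d)" || die "mktemp failed"
trap 'rm -rf -- "${work:?}"' EXIT
caKey="$work/ca.key"
serverCSR="$work/server.csr"
extConf="$work/server.ext"

# Create the CA key and self-signed CA certificate.
# nameConstraints confines anything this CA signs to names under .test, which
# bounds the damage should the CA key ever be recovered from a machine that
# trusts it. The CA certificate carries no subjectAltName: a CA does not need
# one, and "Local ... CA" is not a valid DNS name anyway.
openssl req -x509 -newkey rsa:4096 -days 365 -nodes \
  -keyout "$caKey" \
  -out "$caCert" \
  -subj "/CN=$caName" \
  -addext "nameConstraints=critical,permitted;DNS:.test"

# Create the server key beside the server certificate. The umask guarantees a
# 0600 key file whatever the caller's umask; recent OpenSSL builds already
# create private keys that way, this just makes it independent of the build.
(
  umask 077
  openssl genrsa -out "$serverKey" 4096
)

# Create the server certificate request. `x509 -req` does not copy extensions
# from the CSR, so the SAN is supplied via -extfile at signing time instead of
# -addext here.
openssl req -new -key "$serverKey" -out "$serverCSR" \
  -subj "/CN=$domain"

# Leaf extensions: the SAN (what browsers match the hostname against),
# explicit CA:FALSE, and the key usages of a TLS server.
printf '[v3_ext]\nsubjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
  "$domain" > "$extConf"

# Sign the request with the CA. The serial file is kept in the work directory
# (-CAserial) rather than next to the CA certificate, so nothing is left behind
# besides the three requested outputs.
openssl x509 -req -in "$serverCSR" -CA "$caCert" -CAkey "$caKey" \
  -CAcreateserial -CAserial "$work/ca.srl" -out "$serverCert" -days 365 \
  -extensions v3_ext -extfile "$extConf"

# \033 rather than \e: POSIX printf does not define \e (dash prints it
# literally), and this script runs under /bin/sh.
printf '\033[1;34mPlease add %s to your browser Certificate Manager as a Certificate Authority\033[0m\n' "$caCert"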