Generate self-signed certificates that actually work in Chrome on macOS
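#!/usr/bin/env bash
#
# Generate a throwaway root CA plus a server certificate signed by it, for
# local development against a single hostname.
#
# Usage: <this-script> HOSTNAME
#
# Environment (all optional):
#   C, ST, L        subject country / state / locality
#                   (defaults: GB / England / London)
#   EMAIL           subject e-mail address (default: contact@HOSTNAME)
#   CA_PASSPHRASE   passphrase that encrypts rootCA.key (default: foobar)
#
# Output: ./ssl/ holding rootCA.key, rootCA.pem, server.key, server.csr,
# server.crt and the two OpenSSL config files used to build them.
# Any existing ./ssl directory is deleted first.
#
# SECURITY NOTE: once rootCA.pem is added to a trust store, whoever holds
# rootCA.key can issue certificates that machine accepts for ANY hostname.
# The default passphrase is public, so it protects nothing; set CA_PASSPHRASE
# to a private value, or delete rootCA.key after server.crt has been issued.
set -euo pipefail

export CN="${1-}"

# Validate before anything touches the filesystem. Diagnostics go to stderr.
if [[ -z "$CN" ]]; then
  echo "Please specify a hostname, e.g. example.com as the first parameter." >&2
  exit 1
fi

# The hostname is expanded into OpenSSL config files and a -subj string below.
# Restricting it to DNS-name characters keeps a stray newline, '/' or '=' from
# adding extra config directives or subject fields.
hostname_re='^[A-Za-z0-9._*-]+$'
if [[ ! "$CN" =~ $hostname_re ]]; then
  echo "Invalid hostname: only letters, digits, '.', '-', '_' and '*' are allowed." >&2
  exit 1
fi

# C, ST, L and EMAIL are written into the config verbatim; they come from the
# caller's own environment and are not validated here.
export C="${C-GB}"
export ST="${ST-England}"
export L="${L-London}"
export EMAIL="${EMAIL-contact@$CN}"

# Passed to openssl through the environment (env:) rather than as pass:... on
# the command line, where it would be visible in process listings.
export CA_PASSPHRASE="${CA_PASSPHRASE-foobar}"

# Absolute path: the script cd's into the directory, so a relative 'ssl' in the
# trap would point at ssl/ssl and leave half-written key material behind.
out_dir="$PWD/ssl"

cleanup_on_signal() {
  rm -rf -- "$out_dir"
  exit 130
}
trap cleanup_on_signal INT TERM

echo "Generating self-signed certificate for $CN."

rm -rf -- "$out_dir"
# Separate statements so that a failed mkdir or cd aborts under 'set -e'
# instead of letting the script write keys into the current directory.
mkdir -- "$out_dir"
cd -- "$out_dir"

# Private keys must not be group- or world-readable; certificates are
# re-opened for reading at the end.
umask 077

cat > cert.cnf << EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=$C
ST=$ST
L=$L
O=$CN
OU=$CN
emailAddress=$EMAIL
CN = $CN
EOF

# subjectAltName is what browsers match the hostname against (CN alone is
# ignored). extendedKeyUsage=serverAuth marks the leaf as a TLS server
# certificate, which current macOS trust policy expects.
cat > v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $CN
EOF

# 1. Root CA private key, encrypted with CA_PASSPHRASE.
openssl genrsa -des3 -out rootCA.key -passout env:CA_PASSPHRASE 2048

# 2. Self-signed root CA certificate.
openssl req -x509 -new -passin env:CA_PASSPHRASE -key rootCA.key -sha256 \
  -days 1024 -out rootCA.pem -subj "/C=$C/ST=$ST/L=$L/CN=$CN"

# 3. Server key (unencrypted, so a web server can load it unattended) and CSR.
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 \
  -keyout server.key -config cert.cnf

# 4. Server certificate signed by the root CA, with the v3 extensions above.
openssl x509 -req -passin env:CA_PASSPHRASE -in server.csr -CA rootCA.pem \
  -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 \
  -extfile v3.ext

# Certificates are public; only the .key files stay owner-only.
chmod 644 rootCA.pem server.crt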