Skip to content

Instantly share code, notes, and snippets.

@PowerKiKi

PowerKiKi/generate-wildcard-certificate.sh

Created December 4, 2015 07:31
Show Gist options
  • Save PowerKiKi/02a90c765d7b79e7f64d to your computer and use it in GitHub Desktop.
Save PowerKiKi/02a90c765d7b79e7f64d to your computer and use it in GitHub Desktop.
Download ZIP
Generate self-signed wildcard SSL certificate for development environment
Raw
generate-wildcard-certificate.sh
#!/usr/bin/env bash
# print usage
DOMAIN=$1
if [ -z "$1" ]; then
echo "USAGE: $0 domain.lan"
echo ""
echo "This will generate a non-secure self-signed wildcard certificate for given domain."
echo "This should only be used in a development environment."
exit
fi
# Add wildcard
WILDCARD="*.$DOMAIN"
# Set our CSR variables
SUBJ="
C=US
ST=NY
O=Local Developement
localityName=Local Developement
commonName=$WILDCARD
organizationalUnitName=Local Developement
emailAddress=
"
# Generate our Private Key, CSR and Certificate
openssl genrsa -out "$DOMAIN.key" 2048
openssl req -new -subj "$(echo -n "$SUBJ" | tr "\n" "/")" -key "$DOMAIN.key" -out "$DOMAIN.csr"
openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"
rm "$DOMAIN.csr"
echo ""
echo "Next manual steps:"
echo "- Use $DOMAIN.crt and $DOMAIN.key to configure Apache/nginx"
echo "- Import $DOMAIN.crt into Chrome settings: chrome://settings/certificates > tab 'Authorities'"
@123BLiN
Copy link

123BLiN commented Apr 26, 2020

emailAddress should not be empty - in my case this was giving an error

problems making Certificate Request
140596301967808:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:../crypto/asn1/a_mbstr.c:100:minsize=1

@BenMorel
Copy link

BenMorel commented Oct 14, 2020
edited
Loading

Unfortunately the issued certificate is not accepted by recent versions of browsers anymore. Error message on Chrome:

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is example.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.

It looks like CN (Common Name) is not used anymore, at least by Chrome & Firefox (I haven't tested others); they require you to provide subjectAltName. I didn't have success providing alternate names inline (with -addext) however this StackOverflow answer worked perfectly for me.

Edit: I actually made a couple scripts from the above answer.

@dmadisetti
Copy link

For one off generation without a CA, see the fork: https://gist.github.com/dmadisetti/16006751fd6e1526fa9c2f2e1660e8e3

Otherwise just use Ben's scripts

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment