@darth-veitcher
Created November 8, 2018 22:54
Create Self-signed Certs
#!/bin/sh
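# Quickly generate a private root CA and per-host certificates signed by it.
# Expects MY_DOMAIN (the base domain, also used as the output directory) to be set.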
# props to StackOverflow (as always)
# https://stackoverflow.com/a/51417561
# and
# https://www.shellhacks.com/create-csr-openssl-without-prompt-non-interactive/
# (note use of * for wildcard)
# https://github.com/wekan/wekan/wiki/Traefik-and-self-signed-SSL-certs
# https://crypto.stackexchange.com/questions/26591/tls-encryption-with-a-self-signed-pki-and-python-s-asyncio-module
# https://jimfrenette.com/2018/03/ssl-certificate-authority-for-docker-and-traefik/
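# RSA modulus size in bits, used for both the CA key and the host keys.
KEY_SIZE=2048
# Refuse to run without a target domain: with MY_DOMAIN unset or empty the
# cleanup below would expand to `rm -rf /*`.
: "${MY_DOMAIN:?MY_DOMAIN must be set to the base domain}"
# MY_DOMAIN doubles as a directory name and as part of the certificate
# subject, so reject values that would escape the working directory, be
# parsed as a command-line option, or split the -subj string.
case $MY_DOMAIN in
  */* | .* | -*)
    echo "MY_DOMAIN must be a plain domain name, got: $MY_DOMAIN" >&2
    exit 1
    ;;
esac
# Cleanup: (re)create the output directory and empty it.
mkdir -p -- "$MY_DOMAIN" || exit 1
rm -rf -- "${MY_DOMAIN:?}"/*
# Generate key and self-signed certificate for RootCA.
# -nodes writes the CA private key without a passphrase, so anyone who can
# read ca-key.key can issue certificates that clients trusting this CA accept.
openssl req -x509 -newkey "rsa:$KEY_SIZE" -keyout "$MY_DOMAIN/ca-key.key" \
  -out "$MY_DOMAIN/ca-cert.pem" -days 3650 -sha256 -nodes \
  -subj "/CN=*.$MY_DOMAIN" || exit 1
# Restrict the unencrypted CA key to the owner.
chmod 600 "$MY_DOMAIN/ca-key.key"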
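#######################################
# Generate a private key and a certificate signed by the root CA for one host.
# Globals:   MY_DOMAIN (read)  - base domain, also the output directory
#            KEY_SIZE (read)   - RSA key size in bits
#            host, fqdn, dir, rc (written) - POSIX sh has no `local`
# Arguments: $1 - host label, e.g. "auth" for auth.$MY_DOMAIN
# Outputs:   $MY_DOMAIN/<fqdn>/privkey.pem, cert.pem and fullchain.pem
# Returns:   0 if the issued certificate verifies against the CA,
#            non-zero if any step fails
#######################################
# Declared without the `function` keyword: the shebang is /bin/sh and
# `function name()` is a bashism that strict POSIX shells reject.
gen_cert() {
  host=$1
  # Both values end up in paths passed to `rm -rf`; an empty one would point
  # the cleanup at the wrong directory.
  if [ -z "${MY_DOMAIN:-}" ]; then
    echo "gen_cert: MY_DOMAIN must be set" >&2
    return 1
  fi
  case $host in
    '' | */* | -*)
      echo "gen_cert: invalid host label: '$host'" >&2
      return 1
      ;;
  esac
  # Create directory
  fqdn="$host.$MY_DOMAIN"
  dir="$MY_DOMAIN/$fqdn"
  mkdir -p -- "$dir" || return 1
  rm -rf -- "${dir:?}"/*
  # Generate key and CSR for host
  openssl genrsa -out "$dir/privkey.pem" "$KEY_SIZE" || return 1
  # The host key is written unencrypted; keep it owner-readable only.
  chmod 600 "$dir/privkey.pem"
  openssl req -new -key "$dir/privkey.pem" -out "$dir/$host.csr" \
    -subj "/CN=$fqdn" || return 1
  # Current TLS clients match the hostname against subjectAltName and ignore
  # the CN, so the signed certificate needs a SAN entry for the FQDN.
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/$host.ext" || return 1
  # Sign it and remove CSR (and the temporary extension file)
  openssl x509 -req -in "$dir/$host.csr" \
    -CA "$MY_DOMAIN/ca-cert.pem" -CAkey "$MY_DOMAIN/ca-key.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/cert.pem" -days 365 -sha256
  rc=$?
  rm -f -- "$dir/$host.csr" "$dir/$host.ext"
  [ "$rc" -eq 0 ] || return 1
  # Create bundle: leaf certificate first, then the CA certificate
  cat -- "$dir/cert.pem" "$MY_DOMAIN/ca-cert.pem" > "$dir/fullchain.pem" || return 1
  # Verify; this is the function's return status
  openssl verify -CAfile "$MY_DOMAIN/ca-cert.pem" "$dir/fullchain.pem"
}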
# Issue a CA-signed certificate for each service subdomain
for subdomain in auth broker; do
  gen_cert "$subdomain"
done