Skip to content

Instantly share code, notes, and snippets.

@polevaultweb

polevaultweb/ssl.sh

Created January 31, 2018 07:16
Show Gist options
  • Save polevaultweb/c83ac276f51a523a80d8e7f9a61afad0 to your computer and use it in GitHub Desktop.
Save polevaultweb/c83ac276f51a523a80d8e7f9a61afad0 to your computer and use it in GitHub Desktop.
Download ZIP
Easily create local SSL certificates for development sites that work with you own Certificate Authority https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Raw
ssl.sh
#!/bin/sh
if [ "$#" -ne 1 ]
then
echo "Usage: Must supply a domain"
exit 1
fi
DOMAIN=$1
cd ~/certs
openssl genrsa -out $DOMAIN.key 2048
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr
cat > $DOMAIN.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
DNS.2 = $DOMAIN.192.168.1.19.xip.io
EOF
openssl x509 -req -in $DOMAIN.csr -CA ../myCA.pem -CAkey ../myCA.key -CAcreateserial \
-out $DOMAIN.crt -days 1825 -sha256 -extfile $DOMAIN.ext
@kristos80
Copy link

Thanks for this -- definitely made the process of issuing signed certificates smooth. Do you happen to have a recommendation for how to adapt the $DOMAIN.ext config file if you're not using xip.io for wildcard DNS? I tried using just the internal IP of the host machine that I need to hit on my network, but that doesn't seem to be working and Chrome is still throwing a ERR_SSL_PROTOCOL_ERROR response. I confirmed that I have added myCA.pem (and adjusted trust level to 'always') to my system Keychain. I know there's no issue with the signed certificate itself because I can validate it against the CA I created...

Probably the error is not due to the internal IP mismatch but rather on how the certificate is issued. After a long search there are two things that need to change in order for the certificate to work:

  1. Add this [ req_ext ] before subjectAltName = @alt_names, ending up with the .ext file looking like this:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
DNS.2 = $DOMAIN.127.0.0.1
  1. Change the last openssl command to:
openssl x509 -req -in $DOMAIN.csr -CA ../myCA.pem -CAkey ../myCA.key -CAcreateserial \
-out $DOMAIN.crt -days 1825 -sha256 -extfile $DOMAIN.ext -extensions req_ext

@floq-design
Copy link

floq-design commented Feb 6, 2020
edited
Loading

As mtz_federico mentions on the Delicious Brain article recently (Dec 19) macOS Catalina rejects certs valid for more than 825 days
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/#post-4728028116

@polevaultweb thanks for the script

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment