Based off of this gist
I'm sick of typing the commands to self-sign these certs but I'm also way too lazy to setup proper PKI and ACME server. So instead I ssh into this server and do the needful each time, then rsync the key and crt LOL. All this crap is behind a VPN and the ssl is really just there so firefox will remember my passwords...
Why do we need faketime (apt install faketime)? Because Apple.
And same with the fancy extendedKeyUsage nonsense.
| #!/bin/bash | |
| set -e | |
| if [ $# -ne 1 ]; then | |
| echo "Usage: $0 example.local" | |
| exit | |
| fi | |
| SERVERNAME=$1 | |
| if [ ! -f $SERVERNAME.key ]; then | |
| echo "Missing keyfile $SERVERNAME.key" | |
| while true; do | |
| read -p "Would you like to create it now? (y/n) " yn | |
| case $yn in | |
| [Yy]* ) openssl genrsa -out "$SERVERNAME.key" 4096; break;; | |
| [Nn]* ) echo "Aborted"; exit;; | |
| * ) echo "Please answer yes or no.";; | |
| esac | |
| done | |
| fi | |
| openssl req -new -subj "/C=US/ST=Some-State/O=Your-Organization-Here/CN=$SERVERNAME" -key "$SERVERNAME.key" -out "$SERVERNAME.csr" | |
| faketime '2019-06-30 00:00:00' openssl x509 -req -days 9999 -in "$SERVERNAME.csr" -CA /etc/ssl/certs/rootCA.crt -CAkey /etc/ssl/private/rootCA.key -out "$SERVERNAME.crt" -CAcreateserial -extfile <(printf "extendedKeyUsage = serverAuth \n subjectAltName=DNS:$SERVERNAME") | |
| rm "$SERVERNAME.csr" | |
| echo "Certificate saved to $SERVERNAME.crt" |