Make a trusted X.509 certificate chain for local development (i.e. Apache HTTPd with OpenSSL on Windows).
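@echo off & setlocal enableextensions enabledelayedexpansion & set "_bang=^!"
rem Build a throw-away two-tier X.509 chain, root CA to issuing CA to server leaf,
rem for local Apache HTTPd development, install the two CA certs and the server
rem PFX into the Windows certificate stores, then restart the Apache services.
rem Requires openssl.exe, taken from ..\bin, plus certutil and surun on PATH.
rem Both CA private keys are deleted as soon as signing is done, so every run
rem yields a brand-new chain. The timestamp in the CNs keeps store entries apart.
rem
rem Timestamp from WMI, YYYYMMDDhhmmss.uuuuuu+UUU. The inner loop re-reads the
rem value as a literal string, which presumably drops the stray carriage return
rem wmic emits. NOTE: wmic is deprecated on current Windows releases - TODO confirm
rem it is still available here, or switch to another clock source.
for /f "usebackq tokens=2 delims==" %%T in (`wmic os get LocalDateTime /value`) do (
  for /f "usebackq tokens=* delims=" %%T in ('%%T') do (
    set "_t=%%T"
    rem CN prefix. The plus sign in the UTC offset is escaped because a bare plus
    rem separates RDN components in the openssl -subj syntax.
    set "_n=!_bang!localhost [!_t:+=\+!]"
  )
)

rem Locate Apache: this script lives one level below the HTTPd root.
pushd "%~dp0"
pushd ..
set "_HTTPD_BIN=%CD%\bin"
path "%_HTTPD_BIN%";%PATH%
popd

rem Leaf extension profile. extendedKeyUsage: serverAuth is all Apache needs,
rem clientAuth and codeSigning widen what this key is trusted for anywhere the
rem root below is trusted - remove them unless they are actually used.
> server-%_t%.cnf (
  echo subjectKeyIdentifier=hash
  echo authorityKeyIdentifier=keyid,issuer
  echo basicConstraints=CA:FALSE
  echo keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  echo extendedKeyUsage = serverAuth, clientAuth, codeSigning
  echo subjectAltName = @alt_names
  echo [alt_names]
  echo DNS.001 = localhost
  echo DNS.002 = *.localhost
  echo DNS.003 = BigKahuna
  echo DNS.004 = LittleKahuna
  echo DNS.005 = TinyKahuna
  echo DNS.006 = *.localhost.dyndns.example.org
  echo DNS.007 = *.v4.dyndns.example.org
  echo DNS.008 = *.127-8.v4.dyndns.example.org
  echo DNS.009 = *.192-0-2-24.v4.dyndns.example.org
  echo DNS.010 = *.198-51-100-24.v4.dyndns.example.org
  echo DNS.011 = *.203-0-113-24.v4.dyndns.example.org
  echo IP.1 = 127.0.0.1
  echo IP.2 = 127.0.0.2
  echo IP.3 = 192.0.2.1
  echo IP.4 = 198.51.100.1
  echo IP.5 = 203.0.113.24
)

rem Issuing-CA profile. pathlen:0 stops it from issuing further CAs, keyUsage
rem limits the key to signing certificates and CRLs.
> ca-issue-%_t%.cnf (
  echo subjectKeyIdentifier=hash
  echo authorityKeyIdentifier=keyid,issuer
  echo basicConstraints=critical,CA:TRUE,pathlen:0
  echo keyUsage=critical,keyCertSign,cRLSign
)

rem 365242 days is roughly a thousand years. Windows accepts that for a locally
rem trusted root, but other platforms cap TLS leaf validity - Apple at 825 days -
rem so shorten it if these certs must be trusted elsewhere.
rem -nodes writes the keys unencrypted, which Apache needs to start unattended.
openssl req -new -newkey rsa:4096 -keyout server.key -out server-%_t%.csr -nodes -subj "/CN=!_n! Leaf"
openssl req -new -newkey rsa:4096 -keyout ca-issue-%_t%.key -out ca-issue-%_t%.csr -nodes -subj "/CN=!_n! Issue CA"
openssl req -x509 -newkey rsa:4096 -keyout ca-root-%_t%.key -out ca-root.crt -sha256 -days 365242 -nodes -subj "/CN=!_n! Root CA"

rem -CAcreateserial: OpenSSL 1.1.x refuses to sign when the serial file is
rem missing, 3.x creates it regardless, so the flag is harmless there. The
rem serial files it leaves behind are removed together with the CA keys.
openssl x509 -req -in ca-issue-%_t%.csr -CA ca-root.crt -CAkey ca-root-%_t%.key -CAcreateserial -out ca-issue.crt -sha256 -days 365242 -extfile ca-issue-%_t%.cnf
rem The root key is destroyed right after the issuing CA is signed, so nothing
rem else can ever be chained to this root.
del ca-root-%_t%.key ca-issue-%_t%.csr ca-issue-%_t%.cnf
if exist ca-root.srl del ca-root.srl
openssl x509 -req -in server-%_t%.csr -CA ca-issue.crt -CAkey ca-issue-%_t%.key -CAcreateserial -out server.crt -sha256 -days 365242 -extfile server-%_t%.cnf
del ca-issue-%_t%.key server-%_t%.csr server-%_t%.cnf
if exist ca-issue.srl del ca-issue.srl

rem Chain file, issuing CA first and root last, presumably handed to Apache next
rem to server.crt and server.key.
copy /b ca-issue.crt + ca-root.crt server-ca.crt

rem PFX for the Windows store. The password is fixed and visible in process
rem listings, acceptable only because this is a throw-away dev key.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx -passout "pass:sEcret"

rem Elevated step: trust the root, trust the issuing CA, import the server key
rem into the machine personal store, then restart the three Apache service
rem instances. Each run adds a fresh root to the trust store and never removes
rem the previous ones, so prune stale entries by hand when they pile up.
surun /wait cmd /d /c ^
certutil -addstore root "%CD%\ca-root.crt" ^&^& ^
certutil -addstore CA "%CD%\ca-issue.crt" ^&^& ^
certutil -p "sEcret" -importPFX my "%CD%\server.pfx" ^&^& ^
^( for %%X in ^( Big Little Tiny ^) do "%_HTTPD_BIN%\httpd.exe" -k restart -n Apache2.4-%%XKahuna ^) ^& ^
pause

rem The CA certs now live in the store and in server-ca.crt, drop the loose copies.
del ca-root.crt ca-issue.crt
popd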