@scodx
Created January 26, 2018 16:57
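#!/bin/bash
#
# Create a private root CA, install it into the system trust store
# (Debian/Ubuntu update-ca-certificates layout), and issue a wildcard TLS
# server certificate for ${DOMAIN_NAME} signed by that CA.
#
# Requires: openssl, sudo, update-ca-certificates.
# The root key is passphrase-protected: openssl prompts for the passphrase
# when the key is created and again at every signing step.
# Firefox and Chrome keep their own trust stores; import rootCA.crt there
# manually after this script has run.
#
set -euo pipefail

#
# Variables
#
export COMMON_NAME="John Doe"
export ORGANIZATION="John Doe Organization"
export EMAIL_ADDRESS="[email protected]"
export DOMAIN_NAME="test-domain.dev"
export SUBJECT_ALT_NAME="DNS:${DOMAIN_NAME},DNS:*.${DOMAIN_NAME}"
export DOMAIN_CERT_LOCATION="$HOME/.local/share/ssl/${DOMAIN_NAME}"
export CA_LOCATION="/usr/local/share/ca-certificates/rootCA"
export ROOT_CA_LOCATION="$HOME/.local/share/ssl/rootCA"
# Validity periods (days). ROOT_CA_DAYS is ~16 years, DOMAIN_CERT_DAYS ~4 years.
# NOTE: Apple platforms (iOS 13+/macOS 10.15+) reject TLS server certificates
# valid for more than 825 days, even from a privately trusted CA; lower
# DOMAIN_CERT_DAYS if those clients need to trust the site.
export ROOT_CA_DAYS="${ROOT_CA_DAYS:-5844}"
export DOMAIN_CERT_DAYS="${DOMAIN_CERT_DAYS:-1461}"

#
# Generate root certificate: once every ~16 years.
# Re-running the script must not silently replace an existing root key, since
# every website certificate already issued by it would stop chaining, so this
# step is skipped when both the key and the certificate are already present.
#
mkdir -p "${ROOT_CA_LOCATION}"
if [[ ! -f "${ROOT_CA_LOCATION}/rootCA.key" || ! -f "${ROOT_CA_LOCATION}/rootCA.crt" ]]; then
  # umask 077 in a subshell: the private key is created mode 0600 from the
  # start instead of being world-readable until a later chmod.
  # -aes256 replaces the legacy -des3 passphrase cipher for the key at rest.
  (umask 077 && openssl genrsa -aes256 -out "${ROOT_CA_LOCATION}/rootCA.key" 4096)
  # -days and -extensions only take effect with 'req -x509'; a CSR needs neither,
  # the validity and extensions are applied at signing time below.
  openssl req -new -batch -utf8 \
    -key "${ROOT_CA_LOCATION}/rootCA.key" \
    -out "${ROOT_CA_LOCATION}/rootCA.csr" \
    -subj "/emailAddress=${EMAIL_ADDRESS}/CN=${COMMON_NAME}/O=${ORGANIZATION}/OU=Root Certificate/C=MX/ST=Federal District/L=Mexico City"
  # Self-signed root: CA:true is marked critical and the key may only sign
  # certificates and CRLs, never be used for TLS directly.
  openssl x509 -req -days "${ROOT_CA_DAYS}" -sha512 \
    -signkey "${ROOT_CA_LOCATION}/rootCA.key" \
    -in "${ROOT_CA_LOCATION}/rootCA.csr" \
    -out "${ROOT_CA_LOCATION}/rootCA.crt" \
    -extfile <(
      printf '%s\n' \
        "subjectKeyIdentifier=hash" \
        "authorityKeyIdentifier=keyid:always,issuer" \
        "basicConstraints=critical,CA:true" \
        "keyUsage=cRLSign,keyCertSign"
    )
fi

#
# Install root certificate
#
# Only the public certificate leaves ${ROOT_CA_LOCATION}; the private key
# stays in the user's home directory.
sudo mkdir -p "${CA_LOCATION}"
sudo cp "${ROOT_CA_LOCATION}/rootCA.crt" "${CA_LOCATION}/rootCA.crt"
sudo update-ca-certificates
# Manually install in Firefox
# Manually install in Chrome

#
# Generate website certificate: once every ~4 years
#
mkdir -p "${DOMAIN_CERT_LOCATION}"
# Same umask trick as for the root key: the server key is never world-readable.
(umask 077 && openssl genrsa -out "${DOMAIN_CERT_LOCATION}/${DOMAIN_NAME}.key" 2048)
openssl req -new -batch -utf8 \
  -key "${DOMAIN_CERT_LOCATION}/${DOMAIN_NAME}.key" \
  -out "${DOMAIN_CERT_LOCATION}/${DOMAIN_NAME}.csr" \
  -subj "/emailAddress=${EMAIL_ADDRESS}/CN=${DOMAIN_NAME}/O=${ORGANIZATION}/OU=Website/C=MX/ST=Federal District/L=Mexico City"
# Leaf certificate signed by the root. Extensions: not a CA, name-constrained
# to the SAN list (modern clients ignore CN), server-auth only, and an
# explicit keyUsage, which some clients (notably Apple's) require on
# TLS server certificates.
openssl x509 -req -days "${DOMAIN_CERT_DAYS}" -sha512 \
  -in "${DOMAIN_CERT_LOCATION}/${DOMAIN_NAME}.csr" \
  -out "${DOMAIN_CERT_LOCATION}/${DOMAIN_NAME}.crt" \
  -CAkey "${ROOT_CA_LOCATION}/rootCA.key" \
  -CA "${ROOT_CA_LOCATION}/rootCA.crt" \
  -CAcreateserial \
  -extfile <(
    printf '%s\n' \
      "subjectKeyIdentifier=hash" \
      "authorityKeyIdentifier=keyid:always,issuer" \
      "basicConstraints=CA:false" \
      "keyUsage=critical,digitalSignature,keyEncipherment" \
      "subjectAltName=${SUBJECT_ALT_NAME}" \
      "extendedKeyUsage=serverAuth"
  )
# Chain bundle: leaf first, then its issuer. The root is read from the
# location this script wrote rather than the sudo-installed copy, so the
# bundle does not depend on the install step. Shipping the self-signed root
# in the chain is optional (clients must already trust it) and kept for
# compatibility with the previous bundle layout.
cat "${DOMAIN_CERT_LOCATION}/${DOMAIN_NAME}.crt" \
  "${ROOT_CA_LOCATION}/rootCA.crt" \
  > "${DOMAIN_CERT_LOCATION}/${DOMAIN_NAME}.bundle.crt"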