@steve-chavez
Forked from kyledrake/gist:d7457a46a03d7408da31
Last active June 26, 2017 23:01
Creating a self-signed SSL certificate, and then verifying it on another Linux machine
# Procedure is for Archlinux.
# Using these guides:
# http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
# https://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/
# https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/
# Generate the root (GIVE IT A PASSWORD IF YOU'RE NOT AUTOMATING SIGNING!):
openssl genrsa -aes256 -out ca.key 2048
openssl req -new -x509 -days 7300 -key ca.key -sha256 -extensions v3_ca -out ca.crt
# Generate the domain key:
openssl genrsa -out yoursite.org.key 2048
# Generate the certificate signing request:
openssl req -sha256 -new -key yoursite.org.key -out yoursite.org.csr
# Sign the request with your root key.
# The extfile v3.ext (its contents are at the end of this gist) is needed so the signed .crt comes out as an X.509 v3 certificate instead of v1:
# source https://stackoverflow.com/questions/18233835/creating-an-x509-v3-user-certificate-by-signing-csr
openssl x509 -sha256 -req -in yoursite.org.csr -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -out yoursite.org.crt -days 7300
# Check your homework:
openssl verify -CAfile ca.crt yoursite.org.crt
# Add the trusted certificate to the system (from https://www.archlinux.org/news/ca-certificates-update/):
sudo cp yoursite.org.crt /etc/ca-certificates/trust-source/anchors/
# Additionally I had to copy the ca.crt too
sudo cp ca.crt /etc/ca-certificates/trust-source/anchors/
sudo trust extract-compat
# That's it: add the certificate for your site to your server's SSL config, and the machine you added the root certificate to will verify it correctly.
# If you need a .pem extension you can just rename .crt and .key to .pem (both files are already PEM-encoded; the extension is only a naming convention).
# source: https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files
# Follow this tutorial for some ways to check certificate versions:
# https://gist.github.com/Soarez/9688998
# v3.ext, the extension file passed to -extfile above.
# Note: this file has no subjectAltName; browsers and most TLS libraries now require a SAN for hostname matching, so add your site's DNS names as a subjectAltName extension before using the certificate with them.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
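The whole procedure above, automated and followed by the checks worth running on the result, as an added example that is not part of the original gist. It assumes the hostname is passed as an argument (the demo uses yoursite.org), leaves the keys unencrypted so nothing prompts, and adds extendedKeyUsage and a subjectAltName to the gist's v3.ext because modern clients need the SAN for hostname matching.

```shell
#!/bin/sh
# Added example (not from the gist): build a throwaway CA and a v3 leaf cert
# for a hostname passed as an argument, then run the checks worth doing
# before trusting the result. Keys are left unencrypted so nothing prompts;
# a CA key you keep should be encrypted as in the gist (-aes256).
set -eu

# $1 = work dir, $2 = hostname. Produces ca.crt, <host>.key and <host>.crt.
make_demo_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Root CA: self-signed, CA:TRUE via the default config's v3_ca section.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key "$dir/ca.key" \
        -subj "/CN=Demo Root CA" -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null
    # Leaf key and CSR.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null
    # Extension file: the gist's v3.ext plus extendedKeyUsage and a
    # subjectAltName, which modern clients require for hostname matching.
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
        -extfile "$dir/v3.ext" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/$host.crt" 2>/dev/null
}

# Checks: chain verifies against our CA, the cert is X.509 v3, it carries the
# SAN, and hostname verification accepts $host but rejects another name.
check_leaf() {
    dir=$1; host=$2; crt="$dir/$host.crt"; ca="$dir/ca.crt"
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -text | grep -q 'Version: 3' || return 1
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" || return 1
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 || return 1
    ! openssl verify -CAfile "$ca" -verify_hostname other.example "$crt" >/dev/null 2>&1
}

# Stand-alone usage: ./demo.sh /tmp/demo-pki yoursite.org
if [ "${1:-}" ] && [ "${2:-}" ]; then
    make_demo_pki "$1" "$2" && check_leaf "$1" "$2" && echo "all checks passed for $2"
fi
```

A certificate signed by a different CA is the negative case: `openssl verify -CAfile` against the wrong ca.crt must fail, which is exactly what the trust-anchor step on the client machine relies on.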