create self signed certificates
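# Self-signed root CA plus one leaf certificate per DOMAIN, driven by openssl(1).
# credits to: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
#
# usage:
#   make rootCA.crt                       # (rootCA.key implicitly created)
#   make DOMAIN=somedomain.dev            # same as: make DOMAIN=somedomain.dev somedomain.dev.csr somedomain.dev.crt
#   make DOMAIN=somedomain.dev verify-csr
#   make DOMAIN=somedomain.dev verify-crt
#   import rootCA.crt to the client (chrome)
#   upload somedomain.dev.crt and somedomain.dev.key to the host
#
# Every knob below can be overridden on the command line (make DOMAIN=x.test CERT_DAYS=365).
DOMAIN ?= mydomain.com
COUNTRY := IT
STATE := IT
COMPANY := Evil Corp.
# key sizes and validity periods; the defaults match the original recipes
CA_BITS ?= 4096
KEY_BITS ?= 2048
CA_DAYS ?= 1024
CERT_DAYS ?= 500

# An empty DOMAIN would turn every target into ".key", ".csr", ... and make
# `clean` delete those dot-files; fail at parse time instead.
ifeq ($(strip $(DOMAIN)),)
$(error DOMAIN must not be empty)
endif

# If openssl fails half-way, the partial key/csr/crt must not survive as an
# apparently up-to-date target.
.DELETE_ON_ERROR:

.PHONY: all verify-csr verify-crt clean distclean

all: $(DOMAIN).csr $(DOMAIN).crt

# Root CA private key. It is unencrypted (-nodes below) and signs every leaf
# certificate: keep it on the issuing machine only. openssl normally creates
# the file owner-only already; the chmod makes that explicit regardless of umask.
rootCA.key:
	openssl genrsa -out $@ $(CA_BITS)
	chmod 600 $@

# create and self sign root certificate
# The subject is given with -subj (as the csr rule already does) instead of
# piping "\n"-separated answers through echo: echo's escape handling is not
# portable across /bin/sh implementations, and the answers depended on the
# prompt order of the system openssl.cnf. The resulting DN is the same
# (C, ST, O; locality/OU/CN/email left empty).
rootCA.crt: rootCA.key
	openssl req -x509 -new -nodes -key $< -sha256 -days $(CA_DAYS) \
	  -subj "/C=$(COUNTRY)/ST=$(STATE)/O=$(COMPANY)" -out $@

# Leaf private key for $(DOMAIN); same ownership note as rootCA.key.
$(DOMAIN).key:
	openssl genrsa -out $@ $(KEY_BITS)
	chmod 600 $@

# System openssl.cnf plus a [SAN] section, generated by mkconf.sh; listing the
# script as a prerequisite regenerates the config when the script changes.
$(DOMAIN).conf: mkconf.sh
	sh mkconf.sh $(DOMAIN) >$@

# Certificate signing request carrying the SAN extension. A "/" inside
# COUNTRY/STATE/COMPANY would break the -subj string.
$(DOMAIN).csr: $(DOMAIN).key $(DOMAIN).conf
	openssl req -new -sha256 -key $(DOMAIN).key -subj "/C=$(COUNTRY)/ST=$(STATE)/O=$(COMPANY)/CN=$(DOMAIN)" \
	  -reqexts SAN \
	  -config $(DOMAIN).conf \
	  -out $@

# verify .csr content (builds the csr first if it is missing)
verify-csr: $(DOMAIN).csr
	openssl req -in $< -noout -text

# Extension file for signing (see mksan.sh); all four values are quoted so a
# multi-word STATE or COMPANY reaches the script as one argument.
$(DOMAIN).san.conf: mksan.sh
	sh mksan.sh "$(DOMAIN)" "$(COUNTRY)" "$(STATE)" "$(COMPANY)" >$@

# Sign the csr with the root CA; -CAcreateserial also writes rootCA.srl
# (removed by distclean, not by clean).
$(DOMAIN).crt: rootCA.key rootCA.crt $(DOMAIN).csr $(DOMAIN).san.conf
	openssl x509 -req -in $(DOMAIN).csr -CA ./rootCA.crt -CAkey ./rootCA.key \
	  -CAcreateserial -out $@ -days $(CERT_DAYS) -sha256 \
	  -extfile $(DOMAIN).san.conf -extensions req_ext

# verify the certificate (builds it first if it is missing)
verify-crt: $(DOMAIN).crt
	openssl x509 -in $< -text -noout

# Remove the per-domain artefacts only; the CA material is kept so existing
# certificates still chain to rootCA.crt.
clean:
	$(RM) $(DOMAIN).key $(DOMAIN).csr $(DOMAIN).conf $(DOMAIN).san.conf $(DOMAIN).crt

# Also remove the root CA; every certificate issued with it stops validating.
distclean: clean
	$(RM) rootCA.key rootCA.crt rootCA.srl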
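#!/bin/sh
# Print the base openssl.cnf followed by a [SAN] section for DOMAIN, so the
# result can be passed to `openssl req -config ... -reqexts SAN`.
#
# usage: mkconf.sh DOMAIN >DOMAIN.conf
#
# The base config defaults to /etc/ssl/openssl.cnf (the original hard-coded
# path); set OPENSSL_CONF to point at it on distributions that keep it elsewhere.
set -eu

if [ $# -ne 1 ] || [ -z "$1" ]; then
	echo "usage: $0 DOMAIN" >&2
	exit 1
fi

base_conf="${OPENSSL_CONF:-/etc/ssl/openssl.cnf}"
if [ ! -r "$base_conf" ]; then
	# Without this check an unreadable config produced a file holding only
	# the [SAN] section, and openssl failed later with a less obvious error.
	echo "$0: cannot read base config $base_conf (set OPENSSL_CONF)" >&2
	exit 1
fi

# Copy the base config verbatim, then append the SAN section. The leading
# newline keeps [SAN] on its own line even if the base file lacks a final
# newline; printf is used because echo's escape handling is not portable.
cat "$base_conf"
printf '\n[SAN]\nsubjectAltName=DNS:%s,DNS:www.%s\n' "$1" "$1"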
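#!/bin/sh
# Emit an openssl config whose [req_ext] section carries the subjectAltName
# for DOMAIN (DOMAIN and www.DOMAIN). The Makefile feeds the result to
# `openssl x509 -extfile ... -extensions req_ext` when signing the leaf cert.
#
# usage: mksan.sh DOMAIN COUNTRY STATE COMPANY >DOMAIN.san.conf
set -eu

# Exactly four arguments: a multi-word STATE or COMPANY that was not quoted by
# the caller would otherwise be split and silently shift into the wrong field.
if [ $# -ne 4 ] || [ -z "$1" ]; then
	echo "usage: $0 DOMAIN COUNTRY STATE COMPANY" >&2
	exit 1
fi

domain=$1
country=$2
state=$3
company=$4

# Here-document: variables expand, nothing is word-split, so "Evil Corp."
# survives with its space. When the file is used only as an -extfile, the
# [req]/[req_distinguished_name] sections are not consulted; they are kept
# so the output is unchanged for callers passing it to `openssl req -config`.
cat <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[req_distinguished_name]
countryName = $country
stateOrProvinceName = $state
organizationName = $company
commonName = $domain
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $domain
DNS.2 = www.$domain
EOF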
Hi @klockeph, sorry, I only saw the comment today. You're right (I'm using zsh, whose echo handles the escape sequences correctly, but…). I will replace it with printf, which should be more POSIX-compliant if I recall correctly. Thanks for letting me know.
Thanks for the nice gist!
Your Makefile has a slight bug though:
In the recipe for `rootCA.crt` you either have to use `echo -ne` or `printf`, otherwise the escape sequences won't be treated correctly.