Generate a self-signed root CA, a server private key, and a server certificate whose SAN lists multiple (wildcard) DNS names plus an IP address
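#!/bin/bash
# Create a self-signed root CA and a server key/certificate signed by it, with
# several (wildcard) DNS names and an IP address in the subjectAltName.
#
# Outputs: rootCA.key, rootCA.crt, $SERVER.pem (PKCS#8 key), $SERVER.crt
# Trust rootCA.crt on each client. Keep rootCA.key offline: whoever holds it
# can mint a certificate for ANY name that those clients will accept.
set -euo pipefail
# Private keys must never be group/world-readable; certificates are chmod'ed
# back to 644 at the end.
umask 077

ORG="ORGZ"
SERVER="project"
# Base config whose contents we append our extension section to. Override if
# your OPENSSLDIR differs (see `openssl version -d`).
OPENSSL_CNF="${OPENSSL_CNF:-/etc/ssl/openssl.cnf}"
# Leaf validity. Apple platforms reject TLS server certificates valid for more
# than 825 days, so the previous 1825-day value silently broke iOS/macOS clients.
LEAF_DAYS="${LEAF_DAYS:-825}"

[ -r "$OPENSSL_CNF" ] || { echo "cannot read $OPENSSL_CNF" >&2; exit 1; }

# Extension section used for the CSR (-reqexts) and the issued cert (-extensions).
# CA:FALSE + serverAuth mark this as an end-entity TLS server certificate;
# Chrome and Apple clients require the SAN and EKU respectively.
CONFIG=$(cat <<'EOM'
[SAN]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=laptop.local
DNS.2=desktop.local
DNS.3=*.laptop.local
DNS.4=*.desktop.local
IP.1=127.0.0.1
EOM
)

# Create certificate authority (CA) private key
openssl genrsa -out rootCA.key 4096
# Create the self-signed CA certificate. basicConstraints=CA:TRUE comes from the
# default config's v3_ca section; confirm with
# `openssl x509 -in rootCA.crt -noout -text` if your openssl.cnf is non-standard.
openssl req \
  -x509 \
  -key rootCA.key \
  -subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=ROOT" \
  -new \
  -nodes \
  -sha256 \
  -days 3650 \
  -out rootCA.crt

# Create the server private key directly in PKCS#8 form (genpkey always writes
# "BEGIN PRIVATE KEY"), so no PKCS#1 intermediate has to be converted and removed.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$SERVER.pem"

# Create the Certificate Signing Request (CSR) signed with the server private key.
# `printf '%s\n'` (not `printf "$CONFIG"`) keeps any '%' in the config literal.
openssl req \
  -new \
  -key "$SERVER.pem" \
  -subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=SERVER" \
  -reqexts SAN \
  -config <(cat "$OPENSSL_CNF"; printf '%s\n' "$CONFIG") \
  -out "$SERVER.csr"

# Issue the server certificate from the CSR. `x509 -req` ignores the CSR's own
# extensions; the ones that end up in the cert come from -extfile/-extensions.
openssl x509 \
  -req \
  -in "$SERVER.csr" \
  -CA rootCA.crt \
  -CAkey rootCA.key \
  -CAcreateserial \
  -extensions SAN \
  -extfile <(cat "$OPENSSL_CNF"; printf '%s\n' "$CONFIG") \
  -days "$LEAF_DAYS" \
  -sha256 \
  -out "$SERVER.crt"

# Certificates are public; only the keys need the 0600 the umask gave them.
chmod 644 rootCA.crt "$SERVER.crt"
# Cleanup
rm -f rootCA.srl "$SERVER.csr"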
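#!/bin/bash
# Issue a new server key/certificate from an EXISTING root CA (rootCA.crt and
# rootCA.key in the current directory, as produced by the CA script), with
# several (wildcard) DNS names and an IP address in the subjectAltName.
#
# Outputs: $SERVER.pem (PKCS#8 key), $SERVER.crt
set -euo pipefail
# Private keys must never be group/world-readable; the certificate is chmod'ed
# back to 644 at the end.
umask 077

ORG="ORGZ"
SERVER="project"
# Base config whose contents we append our extension section to. Override if
# your OPENSSLDIR differs (see `openssl version -d`).
OPENSSL_CNF="${OPENSSL_CNF:-/etc/ssl/openssl.cnf}"
# Leaf validity. Apple platforms reject TLS server certificates valid for more
# than 825 days, so the previous 1825-day value silently broke iOS/macOS clients.
LEAF_DAYS="${LEAF_DAYS:-825}"

# Fail early with a clear message instead of an openssl error mid-way.
for f in rootCA.crt rootCA.key "$OPENSSL_CNF"; do
  [ -r "$f" ] || { echo "required file not readable: $f" >&2; exit 1; }
done

# Extension section used for the CSR (-reqexts) and the issued cert (-extensions).
# CA:FALSE + serverAuth mark this as an end-entity TLS server certificate;
# Chrome and Apple clients require the SAN and EKU respectively.
CONFIG=$(cat <<'EOM'
[SAN]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=laptop.local
DNS.2=desktop.local
DNS.3=*.laptop.local
DNS.4=*.desktop.local
IP.1=127.0.0.1
EOM
)

# Create the server private key directly in PKCS#8 form (genpkey always writes
# "BEGIN PRIVATE KEY"), so no PKCS#1 intermediate has to be converted and removed.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$SERVER.pem"

# Create the Certificate Signing Request (CSR) signed with the server private key.
# `printf '%s\n'` (not `printf "$CONFIG"`) keeps any '%' in the config literal.
openssl req \
  -new \
  -key "$SERVER.pem" \
  -subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=SERVER" \
  -reqexts SAN \
  -config <(cat "$OPENSSL_CNF"; printf '%s\n' "$CONFIG") \
  -out "$SERVER.csr"

# Issue the server certificate from the CSR. `x509 -req` ignores the CSR's own
# extensions; the ones that end up in the cert come from -extfile/-extensions.
openssl x509 \
  -req \
  -in "$SERVER.csr" \
  -CA rootCA.crt \
  -CAkey rootCA.key \
  -CAcreateserial \
  -extensions SAN \
  -extfile <(cat "$OPENSSL_CNF"; printf '%s\n' "$CONFIG") \
  -days "$LEAF_DAYS" \
  -sha256 \
  -out "$SERVER.crt"

# The certificate is public; only the key needs the 0600 the umask gave it.
chmod 644 "$SERVER.crt"
# Cleanup
rm -f rootCA.srl "$SERVER.csr"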
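#!/bin/bash
# Usage: cert_pinning_sha256 <cert.pem>
# Prints the base64 SHA-256 of the certificate's SubjectPublicKeyInfo (DER) --
# the value used by "sha256/..." public-key pins (HPKP, OkHttp, etc.).
# Pinning the root CA's SPKI rather than the leaf's lets you rotate server
# certificates without shipping a new pin, as long as they chain to this CA.
set -euo pipefail
if [ "$#" -ne 1 ] || [ ! -r "$1" ]; then
  echo "usage: $0 <cert.pem>" >&2
  exit 2
fi
openssl x509 -in "$1" -pubkey -noout \
  | openssl pkey -pubin -outform der \
  | openssl dgst -sha256 -binary \
  | openssl enc -base64

# Same pin computed from a live endpoint. Only trust a pin obtained this way if
# you have verified the served chain out of band -- an on-path attacker could
# hand you its own key. `pkey` (not `rsa`) handles both RSA and EC keys,
# `-servername` sends SNI, and `</dev/null` stops s_client from blocking on stdin.
# openssl s_client -connect <hostname>:<port> -servername <hostname> </dev/null 2>/dev/null \
#   | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
#   | openssl dgst -sha256 -binary | openssl enc -base64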
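'use strict';
// Minimal HTTPS server for exercising the generated certificate.
// ./server.pem and ./server.crt are the names the fish script writes; the bash
// scripts write $SERVER.pem / $SERVER.crt ("project.*" by default) -- adjust.
// Clients must have rootCA.crt in their trust store: the server sends only the
// leaf, and a self-signed root is never accepted from the wire anyway.
const fs = require('fs');
const https = require('https');
const express = require('express');

const app = express();
// Don't advertise the framework in response headers.
app.disable('x-powered-by');
app.use('/', (req, res) => {
  // Buffer.from replaces the deprecated new Buffer() constructor (DEP0005),
  // whose numeric form handed back uninitialized memory.
  return res.send(Buffer.from('OK !', 'utf-8'));
});

const tlsOptions = {
  key: fs.readFileSync('./server.pem'),
  cert: fs.readFileSync('./server.crt'),
  // Refuse TLS 1.0/1.1 handshakes regardless of the Node default.
  minVersion: 'TLSv1.2',
};

// PORT arrives as a string; unset, empty or non-numeric values fall back to 443
// (with the original `process.env.PORT || 443`, a non-numeric value made listen() throw).
const port = Number(process.env.PORT) || 443;
const server = https.createServer(tlsOptions, app);
// 0.0.0.0 binds every interface; use '127.0.0.1' if this only needs to be
// reachable from the local machine.
server.listen(port, '0.0.0.0', () => {
  console.log(`Listening on port ${port}`);
});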
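#!/usr/bin/fish
# EC (P-256) variant: self-signed root CA plus a server certificate signed by it.
# Requires OpenSSL >= 3.0 for `x509 -req -copy_extensions`.
#
# Outputs: rootCA.pem (CA private key -- keep offline), rootCA.crt,
#          server.pem (server private key), server.crt
# Trust rootCA.crt on each client; whoever holds rootCA.pem can mint a
# certificate for ANY name those clients will accept.
set ORG project
# Leaf validity. Apple platforms reject TLS server certificates valid for more
# than 825 days, so the previous 1825-day value silently broke iOS/macOS clients.
set -q LEAF_DAYS; or set LEAF_DAYS 825
# Private keys must never be group/world-readable; certificates are chmod'ed
# back to 644 at the end.
umask 077

# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "rootCA.pem"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "rootCA.pem"
# Self-signed CA certificate; the CA constraints are stated explicitly so the
# result does not depend on the distro's openssl.cnf.
openssl req \
-x509 \
-key rootCA.pem \
-subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=ROOT" \
-new \
-nodes \
-sha256 \
-days 3650 \
-out rootCA.crt \
-addext "basicConstraints=critical,CA:TRUE" \
-addext "keyUsage=critical,keyCertSign,cRLSign"

# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "server.pem"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "server.pem"
# CSR. `-extensions v3_req` pulls the default config's v3_req section
# (normally basicConstraints=CA:FALSE and a keyUsage) into the request;
# extendedKeyUsage=serverAuth is added explicitly because Apple clients require
# it on TLS server certificates. Check the issued cert with
# `openssl x509 -in server.crt -noout -text` if your openssl.cnf is non-standard.
openssl req \
-new \
-key "server.pem" \
-subj "/C=ID/ST=Indonesia/L=Jakarta/O=$ORG/OU=SERVER" \
-extensions v3_req \
-addext "subjectAltName=DNS:*.laptop.local,DNS:laptop.local,IP:127.0.0.1" \
-addext "extendedKeyUsage=serverAuth" \
-out "server.csr"
# Sign. `-copy_extensions copy` trusts whatever extensions the CSR requests --
# fine here because we generated the CSR ourselves; never use it on a CSR
# received from a third party (it could ask for CA:TRUE).
openssl x509 \
-req \
-in "server.csr" \
-CA rootCA.crt \
-CAkey rootCA.pem \
-CAcreateserial \
-copy_extensions copy \
-days $LEAF_DAYS \
-sha256 \
-out "server.crt"

# Certificates are public; only the keys need the 0600 the umask gave them.
chmod 644 rootCA.crt server.crt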