Last active August 22, 2024 08:13
Script to create (1) a local certificate authority, (2) a host certificate signed by that authority for the hostname of your choice
#!/usr/bin/env bash
# Creates a CA cert and then generates an SSL certificate signed by that CA for the
# given hostname(s). Every argument becomes a subjectAltName DNS entry; the first
# argument also names the host key/cert files.
# After running this, add the generated dev_cert_ca.cert.pem to the trusted root
# authorities in your browser / client system.
set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# Usage: script.sh HOSTNAME [ALT_NAME...]
# At least one name is required: with none, the [alt_names] section written below
# would be empty and openssl would refuse the subjectAltName extension.
[ $# -ge 1 ] || { echo "usage: $0 HOSTNAME [ALT_NAME...]" >&2; exit 1; }
HOST_NAME="$1"

# Output file names (assumed; the CA cert name is the one mentioned in the header)
CA_KEY="$DIR/dev_cert_ca.key.pem"
CA_CERT="$DIR/dev_cert_ca.cert.pem"
HOST_KEY="$DIR/$HOST_NAME.key.pem"
HOST_CSR="$DIR/$HOST_NAME.csr.pem"
HOST_CERT="$DIR/$HOST_NAME.cert.pem"
HOST_EXT="$DIR/$HOST_NAME.ext"
NAME_N=0

# CA private key (passphrase-protected by -des3) and self-signed CA certificate
[ -f "$CA_KEY" ] || openssl genrsa -des3 -out "$CA_KEY" 2048
[ -f "$CA_CERT" ] || openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days 365 -out "$CA_CERT"
# Host private key (no passphrase, so a server can load it unattended)
[ -f "$HOST_KEY" ] || openssl genrsa -out "$HOST_KEY" 2048
if ! [ -f "$HOST_CERT" ] ; then
    [ -f "$HOST_CSR" ] || openssl req -new -key "$HOST_KEY" -out "$HOST_CSR"
    # x509v3 extensions for the leaf certificate; browsers require subjectAltName
    echo >"$HOST_EXT"
    echo >>"$HOST_EXT" authorityKeyIdentifier=keyid,issuer
    echo >>"$HOST_EXT" basicConstraints=CA:FALSE
    echo >>"$HOST_EXT" keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    echo >>"$HOST_EXT" subjectAltName = @alt_names
    echo >>"$HOST_EXT"
    echo >>"$HOST_EXT" [alt_names]
    for ALT_NAME in "$@" ; do
        NAME_N=$(( NAME_N + 1 ))
        echo >>"$HOST_EXT" DNS.$NAME_N = $ALT_NAME
    done
    # Sign the CSR with the CA key, attaching the extensions above
    openssl x509 -req -in "$HOST_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -out "$HOST_CERT" -days 365 -sha256 -extfile "$HOST_EXT"
fi

SubJunk commented Feb 26, 2020

I used this successfully today with one edit - I needed to lower the number of days in order to get the certificate trusted by Chrome. I used 600 days instead of 1825 and that made Chrome accept it.
Thanks for the script!


dobesv commented Feb 26, 2020

I changed the script to use 365 days, hopefully that doesn't cause issues for anyone.


Thanks, was very helpful


meuter commented Oct 1, 2021

Thank you for putting this script together and sharing it 😃


lokilust commented May 8, 2022

I am getting errors with the bash script?

Error Loading extension section default
140168142116160:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:../crypto/x509v3/v3_conf.c:92:name=subjectAltName,section=@alt_names
140168142116160:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=@alt_names

  • rm /home/user/localhost.ext

can anyone help me please.


xbipin commented Nov 25, 2022

I'm also getting the below error

Error Loading extension section default
3069763648:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:../crypto/x509v3/v3_conf.c:93:name=subjectAltName,section=@alt_names
3069763648:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=@alt_names


For the people having the error above (@xbipin @lokilust): I think I fixed it by commenting out line 39 from the script: echo >>$HOST_EXT subjectAltName = @alt_names.

A bit late, but hope this helps someone!
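The gist writes the x509v3 extension file by hand, and the "invalid extension string ... section=@alt_names" error quoted in this thread is what openssl reports when subjectAltName points at an empty [alt_names] section. The following added example (my code, not the gist's) wraps that step in a function that refuses an empty name list, and goes slightly beyond the gist by emitting IP.N entries for IPv4 literals instead of DNS.N; all function names are assumptions.

```bash
# Added example, not the gist's code: build the extension file the gist passes to
# `openssl x509 -extfile`, failing early when no names are given, because an
# empty [alt_names] section makes openssl reject the subjectAltName extension.

# is_ipv4 NAME : true when NAME is four dot-separated digit groups (range unchecked)
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;   # bad characters or empty groups
        *.*.*.*.*) return 1 ;;                    # more than three dots
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_ext_file OUT_PATH NAME... : writes the x509v3 extension config to OUT_PATH;
# returns 1 without touching the file if no names were supplied.
write_ext_file() {
    local out="$1"; shift
    if [ "$#" -eq 0 ]; then
        echo "write_ext_file: at least one subjectAltName is required" >&2
        return 1
    fi
    local dns_n=0 ip_n=0 name
    {
        echo "authorityKeyIdentifier=keyid,issuer"
        echo "basicConstraints=CA:FALSE"
        echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
        echo "subjectAltName = @alt_names"
        echo
        echo "[alt_names]"
        for name in "$@"; do
            if is_ipv4 "$name"; then
                ip_n=$((ip_n + 1)); echo "IP.$ip_n = $name"
            else
                dns_n=$((dns_n + 1)); echo "DNS.$dns_n = $name"
            fi
        done
    } > "$out"
}

# count_san_entries EXT_PATH : number of DNS.N / IP.N lines in the file
# (grep -c exits 1 when the count is zero, which is the failing case)
count_san_entries() {
    grep -c -E '^(DNS|IP)\.[0-9]+ = ' "$1"
}

# Usage with constructed names:
#   write_ext_file dev.example.test.ext dev.example.test 127.0.0.1
```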


jakobwildrain-si commented Mar 3, 2023

Line 45 should say:

Otherwise it's a great script and helped me out a lot. Thank you for sharing!


vladmikheyev commented Aug 22, 2024

Thanks for the script. It really helped me. With one exemption: Nginx Proxy Manager. Key files protected with a passphrase are not supported in NPM. I omitted '-des3' in string 19 - no more passphrase.
