Skip to content

Instantly share code, notes, and snippets.

@rcx
Last active December 24, 2019 10:06
Show Gist options
  • Save rcx/19a3da5bd34563d5ea3e7f16bd0cc091 to your computer and use it in GitHub Desktop.
Save rcx/19a3da5bd34563d5ea3e7f16bd0cc091 to your computer and use it in GitHub Desktop.
Generate self-signed certificate with openssl

Based off of this gist

I'm sick of typing the commands to self-sign these certs but I'm also way too lazy to setup proper PKI and ACME server. So instead I ssh into this server and do the needful each time, then rsync the key and crt LOL. All this crap is behind a VPN and the ssl is really just there so firefox will remember my passwords...

Why do we need faketime (apt install faketime)? Because Apple.

And same with the fancy extendedKeyUsage nonsense.

#!/bin/bash
set -e
if [ $# -ne 1 ]; then
echo "Usage: $0 example.local"
exit
fi
SERVERNAME=$1
if [ ! -f $SERVERNAME.key ]; then
echo "Missing keyfile $SERVERNAME.key"
while true; do
read -p "Would you like to create it now? (y/n) " yn
case $yn in
[Yy]* ) openssl genrsa -out "$SERVERNAME.key" 4096; break;;
[Nn]* ) echo "Aborted"; exit;;
* ) echo "Please answer yes or no.";;
esac
done
fi
openssl req -new -subj "/C=US/ST=Some-State/O=Your-Organization-Here/CN=$SERVERNAME" -key "$SERVERNAME.key" -out "$SERVERNAME.csr"
faketime '2019-06-30 00:00:00' openssl x509 -req -days 9999 -in "$SERVERNAME.csr" -CA /etc/ssl/certs/rootCA.crt -CAkey /etc/ssl/private/rootCA.key -out "$SERVERNAME.crt" -CAcreateserial -extfile <(printf "extendedKeyUsage = serverAuth \n subjectAltName=DNS:$SERVERNAME")
rm "$SERVERNAME.csr"
echo "Certificate saved to $SERVERNAME.crt"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment