certificate_generator.sh

#!/bin/sh

# Genera una CA y crea un certificado firmado por la CA generada
# Fuente: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

# if [ "$#" -ne 2 ]
# then
#   echo "Usage: Must supply a domain and passphrase"
#   exit 1
# fi

CERTS_PATH=certs/
mkdir -p ${CERTS_PATH}

# DOMAIN: el que corresponda a vuestro caso
# PASSPHRASE: lo cadena que queráis usar. se usa para firmas los certificados
# DOMAIN=$1
# PASSPHRASE=$2
DOMAIN=example.com
PASSPHRASE=any_passphrase
CA_KEY_FILE=${CERTS_PATH}${DOMAIN}-CA.key
CA_PEM_FILE=${CERTS_PATH}${DOMAIN}-CA.pem
KEY_FILE=${CERTS_PATH}${DOMAIN}.key
CSR_FILE=${CERTS_PATH}${DOMAIN}.csr
CRT_FILE=${CERTS_PATH}${DOMAIN}.crt
EXT_FILE=${CERTS_PATH}${DOMAIN}.ext

## Crear KEY de la CA
openssl genrsa -des3 -passout pass:${PASSPHRASE} -out ${CA_KEY_FILE} 2048

## Crear PEM de la CA
openssl req \
  -x509 \
  -nodes \
  -new \
  -sha256 \
  -passin pass:${PASSPHRASE} \
  -subj "/CN=${DOMAIN}/O=${DOMAIN}" \
  -key ${CA_KEY_FILE} \
  -out ${CA_PEM_FILE}

# Crear certificado firmado por la CA
# Crea el archivo de extensión de la configuración, podéis añadir más de un DNS si lo necesitais
cat > ${EXT_FILE} << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF

## Crear KEY

openssl genrsa -out ${KEY_FILE} 2048

## Crear CSR
openssl req \
  -new \
  -subj "/CN=${DOMAIN}/O=${DOMAIN}" \
  -key ${KEY_FILE} \
  -out ${CSR_FILE}

## Crear CRT
openssl x509 \
  -req \
  -passin pass:${PASSPHRASE} \
  -CAkey ${CA_KEY_FILE} \
  -CA ${CA_PEM_FILE} \
  -CAcreateserial \
  -in ${CSR_FILE} \
  -out ${CRT_FILE} \
  -sha256 \
  -extfile ${EXT_FILE}