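# see https://gist.github.com/Soarez/9688998
#
# Issues a certificate for localhost from an existing subject key, signed by
# a local CA key, then writes a leaf+CA bundle.
#
# Inputs (must already exist in the working directory):
#   localhost_key.pem, ca_key.pem   - private keys (generation is commented out)
#   localhost.conf                  - "openssl req" config for the CSR
#   localhost_ext.conf              - extensions applied when signing
# Outputs:
#   localhost_csr.pem, ca_cert.pem, localhost_cert.pem,
#   localhost_cert_bundle.pem, ca_cert.srl
#
# Note that the CSR contains X509 extensions, particularly the SAN, which
# is mandatory for getting Google Chrome to accept the certificate, but
# unfortunately "openssl x509" will strip extensions. This can be fixed
# by using the "openssl ca" command with "extensions = copyall" (in the
# normal case, filters would specify which extensions to copy), but the
# "openssl ca" command is very complicated and requires a directory
# structure to be set up, so we fake it with the "localhost_ext.conf" file.
# NOTE(review): OpenSSL 3.0+ adds a -copy_extensions option to "openssl x509";
# confirm against the installed version before relying on it.

# Stop at the first failing step so a stale CSR or certificate from an
# earlier run is never signed or bundled after an error.
set -eu

# Abort with a message on stderr when a required input is missing or empty.
need_file() {
  if [ ! -s "$1" ]; then
    printf 'missing or empty input file: %s\n' "$1" >&2
    exit 1
  fi
}

need_file localhost_key.pem
need_file ca_key.pem
need_file localhost.conf
need_file localhost_ext.conf

# generate a key for the subject
# (private keys should be readable by their owner only, e.g. chmod 600)
#openssl genrsa -out localhost_key.pem 2048

# generate the CSR for the subject key
openssl req -new -key localhost_key.pem -out localhost_csr.pem -config localhost.conf

# generate a key for the CA
# (ca_key.pem can sign certificates for any name; keep it out of the bundle
# and out of version control)
#openssl genrsa -out ca_key.pem 2048

# generate a self signed certificate for the CA
# (no -days is given, so openssl's default validity period applies)
openssl req -new -x509 -key ca_key.pem -out ca_cert.pem

# sign the certificate
# -CAserial keeps using ca_cert.srl when it exists; -CAcreateserial only
# creates that file on a first run instead of failing because it is absent.
openssl x509 -req -in localhost_csr.pem -extfile localhost_ext.conf \
  -CA ca_cert.pem -CAkey ca_key.pem -CAserial ca_cert.srl -CAcreateserial \
  -out localhost_cert.pem

# check that the issued certificate chains to the CA before it is used
openssl verify -CAfile ca_cert.pem localhost_cert.pem

# the SAN has to come from localhost_ext.conf (see header); fail loudly if the
# signed certificate ended up without one
if ! openssl x509 -in localhost_cert.pem -noout -text |
  grep -q 'Subject Alternative Name'; then
  printf 'localhost_cert.pem has no Subject Alternative Name extension\n' >&2
  exit 1
fi

# resolve problems with not including the signing chain (can improve this?)
# order matters: leaf certificate first, then the CA certificate
cat localhost_cert.pem ca_cert.pem > localhost_cert_bundle.pem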