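#!/bin/sh
# Generate a local development CA and a TLS server certificate signed by it.
#
# Usage: <script> DOMAIN
#   DOMAIN - site domain the certificate is generated for. It becomes the
#            commonName and is listed in subjectAltName as DOMAIN and
#            *.DOMAIN, next to localhost and 127.0.0.1.
#
# Files written to the current directory: localhost-ca.key, localhost-ca.crt,
# DOMAIN.key, DOMAIN.csr, DOMAIN.crt and the serial file that -CAcreateserial
# creates.
set -eu

if [ "$#" -lt 1 ]; then
  printf 'Usage: %s DOMAIN\n' "${0##*/}" >&2
  exit 2
fi
domain=$1

# DOMAIN is pasted into the OpenSSL config, the subject string and output file
# names. Accept host-name characters only, so the value cannot add config
# lines, escape the current directory or be read as a command-line option.
case "$domain" in
  '' | -* | .* | *[!A-Za-z0-9.-]*)
    printf 'error: invalid domain: %s\n' "$domain" >&2
    exit 2
    ;;
esac

CA="C=RU
ST=ST
O=TriumphTeam
localityName=Minsk
commonName=AleckseyHolubey
organizationalUnitName=TriumphTeam
emailAddress=azmandios@gmail.com"

# NOTE(review): "organization" does not look like a standard OpenSSL attribute
# name (organizationName / O); confirm it ends up in the issued subject.
CERT="commonName=$domain
organization=TriumphTeam
organizationalUnitName=TriumphTeam"

# Extensions for the server (leaf) certificate. The section is called v3_ca
# only because the signing command below selects it by that name.
# basicConstraints = CA:FALSE states explicitly that the leaf is not a CA.
# NOTE(review): nsCertType is a legacy Netscape extension; confirm it is still
# wanted.
EXTS="
[req]
x509_extensions = v3_ca
[v3_ca]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = $domain
DNS.3 = *.$domain
IP.1 = 127.0.0.1
"

# A fixed name under /tmp can be pre-created or symlinked by another local
# user; mktemp gives an unpredictable file that only this user can access.
extfile=$(mktemp "${TMPDIR:-/tmp}/openssl.conf.XXXXXX")
trap 'rm -f -- "$extfile"' EXIT
# Turn signals into a normal exit so the EXIT trap above still runs.
trap 'exit 1' HUP INT TERM

# Write a 4096-bit RSA private key to $1, readable by the owner only.
gen_key() {
  (umask 077 && openssl genrsa -out "$1" 4096)
  # Covers a pre-existing file that kept wider permissions.
  chmod 600 -- "$1"
}

# Join the one-per-line attributes into the /k=v/k=v/ form expected by -subj.
ca_subject="/$(printf '%s\n' "$CA" | tr '\n' '/')"
cert_subject="/$(printf '%s\n' "$CERT" | tr '\n' '/')"

# This creates a CA certificate, which should be added as trusted to the
# operating system keychain / browser CA list.
# Every run replaces localhost-ca.key and localhost-ca.crt, so certificates
# signed by an earlier run no longer chain to the new CA and the new
# localhost-ca.crt has to be trusted again.
# Once localhost-ca.crt is trusted, whoever holds localhost-ca.key can issue
# certificates this machine accepts; keep the key private.
gen_key "localhost-ca.key"
openssl req -new -x509 -days 3650 -key "localhost-ca.key" \
  -out "localhost-ca.crt" -subj "$ca_subject"

printf '%s\n' "$EXTS" > "$extfile"

# NOTE(review): some platforms reject TLS server certificates with a very long
# validity period; confirm that 3650 days is acceptable for the leaf.
gen_key "$domain.key"
openssl req -new -key "$domain.key" -out "$domain.csr" \
  -subj "$cert_subject" -sha256
openssl x509 -req -in "$domain.csr" -out "$domain.crt" -sha256 \
  -CA "localhost-ca.crt" -CAkey "localhost-ca.key" -CAcreateserial \
  -days 3650 -extfile "$extfile" -extensions v3_ca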