create_ca_based_cert

This script will create a private key key.pem and a certificate cert.pem based on a certificate authority.

The following parameters are optional:

c

the common name (localhost if not given) of the certificate

d

the directory ($PWD if not given) the key and certificate will be created in; will be created if it does not exit

v

the lifetime of the certificate in days (range: [1, 24855]; 30 if not given)

Certificates with a lifetime exceeding 180 days will not be accepted by the Apple platform or Safari.

As of March 15, 2029, the maximum lifetime for a certificate will be 47 days.

The certificate created by this script is useful if

  • you want to use mutual TLS

  • the server’s certificate verifier does not support using a trust anchor as both a CA certificate and an end-entity certificate, (e.g., rusttls)

Chrome, Docker, Firefox, and Safari need no further configuration.

Safari
ca cert safari
Chrome
ca cert chrome
Firefox
ca cert firefox

Ensure that the certificate authority has been created before executing this script.

Ensure that the common name (-c) of the generated certificate has an entry in /etc/hosts.

WARNING: /etc/hosts does not have an entry for '127.0.0.1 https.internal'
/etc/hosts
127.0.0.1 localhost

/etc/hosts
127.0.0.1 localhost https.internal

Both key.pem and cert.pem should not be checked into version control!

If the given directory is inside a Git working tree, the script will offer to modify the .gitignore file:

WARNING: key.pem and/or cert.pem is not ignored in '/Users/example/tmp/.gitignore'

Do you want me to modify your .gitignore file (Y/N)?

Related Script: git-cleanup

Copy this script (and its related create_ca, delete_ca, copy_ca_root_cert, copy, delete, renew, and verify scripts) into your Node.js project and add it as a custom script to your package.json file:

package.json
{
...
  "scripts": {
    "cert:ca:copy-root": "scripts/copy_ca_root_cert.sh -d certs",
    "cert:ca:create": "scripts/create_ca.sh",
    "cert:ca:delete": "scripts/delete_ca.sh",
    "cert:copy": "scripts/copy_ca_based_cert.sh -d certs",
    "cert:create": "scripts/create_ca_based_cert.sh -d certs",
    "cert:delete": "scripts/delete_ca_based_cert.sh -d certs",
    "cert:renew": "scripts/renew_ca_based_cert.sh -d certs",
    "cert:verify": "scripts/verify_ca_based_cert.sh -d certs",
...
  }
}
$ node --run cert:ca:create
$ node --run cert:ca:copy-root
$ node --run cert:create
$ node --run cert:copy
$ node --run cert:renew
$ node --run cert:verify
$ node --run cert:delete
$ node --run cert:ca:delete

Usage

$ scripts/cert/create_ca_based_cert.sh
$ date -Idate
2024-08-05
$ stat -f '%A %N' *.pem
600 cert.pem
600 key.pem
$ openssl x509 -ext subjectAltName -noout -in cert.pem
X509v3 Subject Alternative Name:
    DNS:localhost
$ openssl x509 -startdate -noout -in cert.pem
notBefore=Aug  5 14:48:36 2024 GMT
$ openssl x509 -enddate -noout -in cert.pem
notAfter=Sep  4 14:48:36 2024 GMT

$ scripts/cert/create_ca_based_cert.sh -d certs
$ scripts/cert/create_ca_based_cert.sh -d . -v 10
$ scripts/cert/create_ca_based_cert.sh -d ~/.local/secrets/certs/https.internal -v 30 -c https.internal

macOS

  1. Check the trust settings of the CA root certificate in Keychain Access.

  2. Check that the security.enterprise_roots.enabled preference is set to true on the about:config page.

Firefox (SEC_ERROR_UNKNOWN_ISSUER)

ca firefox

Restart Firefox to refresh its CA root certificates from the system’s trust store.

Examples

Apache HTTP Server

$ scripts/cert/create_ca.sh
$ scripts/cert/create_ca_based_cert.sh -d ~/.local/secrets/certs/localhost

$ docker run --rm httpd:2.4.63-alpine3.21 cat /usr/local/apache2/conf/httpd.conf >httpd.conf.orig
$ sed -e 's/^#\(Include .*httpd-ssl.conf\)/\1/' \
      -e 's/^#\(LoadModule .*mod_ssl.so\)/\1/' \
      -e 's/^#\(LoadModule .*mod_socache_shmcb.so\)/\1/' \
      httpd.conf.orig >httpd.conf
$ mkdir -p htdocs
$ printf '<!doctype html><title>Test</title><h1>Test</h1>' >htdocs/index.html

$ docker run -i -t --rm -p 3000:443 \
  -v "$PWD/htdocs:/usr/local/apache2/htdocs:ro" \
  -v "$PWD/httpd.conf:/usr/local/apache2/conf/httpd.conf:ro" \
  -v "$HOME/.local/secrets/certs/localhost/cert.pem:/usr/local/apache2/conf/server.crt:ro" \
  -v "$HOME/.local/secrets/certs/localhost/key.pem:/usr/local/apache2/conf/server.key:ro" \
  httpd:2.4.63-alpine3.21

https://localhost:3000

nginx

$ scripts/cert/create_ca.sh
$ scripts/cert/create_ca_based_cert.sh -d ~/.local/secrets/certs/localhost

$ printf 'server {
  listen 443 ssl;
  listen [::]:443 ssl;
  ssl_certificate /etc/ssl/certs/server.crt;
  ssl_certificate_key /etc/ssl/private/server.key;
  location / {
    root   /usr/share/nginx/html;
    index  index.html;
  }
}' >nginx.conf
$ mkdir -p html
$ printf '<!doctype html><title>Test</title><h1>Test</h1>' >html/index.html

$ docker run -i -t --rm -p 3000:443 \
  -v "$PWD/html:/usr/share/nginx/html:ro" \
  -v "$PWD/nginx.conf:/etc/nginx/conf.d/default.conf:ro" \
  -v "$HOME/.local/secrets/certs/localhost/cert.pem:/etc/ssl/certs/server.crt:ro" \
  -v "$HOME/.local/secrets/certs/localhost/key.pem:/etc/ssl/private/server.key:ro" \
  nginx:1.27.5-alpine3.21-slim

https://localhost:3000

Go

server.go

$ cd scripts/cert/go/stdlib
$ ../../create_ca.sh
$ ../../create_ca_based_cert.sh
$ go run server.go

https://localhost:3000

More Information

NodeJS

server.mjs

$ cd scripts/cert/js/nodejs
$ ../../create_ca.sh
$ ../../create_ca_based_cert.sh
$ node server.mjs

https://localhost:3000

More Information

Java

Server.java

$ cd scripts/cert/java/stdlib
$ ../../create_ca.sh
$ ../../create_ca_based_cert.sh
$ openssl pkcs12 -export -in cert.pem -inkey key.pem -out certificate.p12 -name localhost -password pass:changeit
$ keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore keystore.jks -deststorepass changeit
$ KEYSTORE_PATH=keystore.jks KEYSTORE_PASS=changeit java Server.java

https://localhost:3000

More Information

Spring Boot

Server.java

application.properties

$ cd scripts/cert/java/spring-boot
$ ../../create_ca.sh
$ ../../create_ca_based_cert.sh
$ ./gradlew bootRun

https://localhost:3000

More Information

Quarkus

Instead of using this script, you might want to use Quarkus' own certificate tooling.

Server.java

application.properties

$ cd scripts/cert/java/quarkus
$ ../../create_ca.sh
$ ../../create_ca_based_cert.sh
$ ./gradlew quarkusDev

https://localhost:3000

More Information

Prerequisites

More Information