{"id":19621432,"url":"https://github.com/commenthol/self-signed-certs","last_synced_at":"2025-08-15T18:36:42.265Z","repository":{"id":66111690,"uuid":"115248735","full_name":"commenthol/self-signed-certs","owner":"commenthol","description":"Generate self signed ssl certificates with your own root CA certificate","archived":false,"fork":false,"pushed_at":"2023-10-15T11:55:01.000Z","size":37,"stargazers_count":28,"open_issues_count":0,"forks_count":10,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-05T06:11:09.787Z","etag":null,"topics":["certificate","intermediate-certificate","localhost","multi-domain","openssl","pfx","root-ca","root-certificate","self-signed","signed-ssl-certificates","ssl","wildcard"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/commenthol.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-12-24T08:03:02.000Z","updated_at":"2024-12-18T00:51:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"77877c20-683c-49a7-886d-23b64471c297","html_url":"https://github.com/commenthol/self-signed-certs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fself-signed-certs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fself-signed-certs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fself-signed-certs/releases",
"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fself-signed-certs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/commenthol","download_url":"https://codeload.github.com/commenthol/self-signed-certs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251246273,"owners_count":21558762,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","intermediate-certificate","localhost","multi-domain","openssl","pfx","root-ca","root-certificate","self-signed","signed-ssl-certificates","ssl","wildcard"],"created_at":"2024-11-11T11:22:54.186Z","updated_at":"2025-04-28T03:32:18.416Z","avatar_url":"https://github.com/commenthol.png","language":"Shell","readme":"# Self Signed Certificates\n\n\u003e Generate self signed ssl certificates with your own root CA / intermediate certificate\n\nThis project provides some scripts to setup a root CA (and intermediate cert) to sign single domain or multi-domain (wildcard) certificates.\n\n- `root_ca.sh` : creates root CA certificate\n- `intermediate.sh` : creates intermediate certificate\n- `site.sh` : creates single-domain certificate\n- `star.sh` : creates multi-domain certificate\n- `crl.sh` : updates the certificate revocation lists\n\n## Table of Contents\n\n\u003c!-- !toc (minlevel=2 omit=\"Table of Contents\") --\u003e\n\n* [Requires](#requires)\n* [Howto](#howto)\n  * [root CA](#root-ca)\n  * [intermediate certificate](#intermediate-certificate)\n  * [single domain](#single-domain)\n  * [multi domain 
(wildcard)](#multi-domain-wildcard)\n* [Folders](#folders)\n* [Testing](#testing)\n* [Security Considerations](#security-considerations)\n* [Known Issues](#known-issues)\n* [License](#license)\n\n\u003c!-- toc! --\u003e\n\n## Requires\n\n- OpenSSL 1.0.2g   1 Mar 2016\n- OpenSSL 1.1.1f  31 Mar 2020 (Last used)\n\n## Howto\n\n1. Download scripts as [zip file](https://github.com/commenthol/self-signed-certs/archive/refs/heads/master.zip)\n2. Unzip `master.zip`\n\n### root CA\n\n1. Edit `[req_distinguished_name]` in `root_ca.sh` to match your needs. Check `man req` for information on fields.\n2. Run `./root_ca.sh`\n\n### intermediate certificate\n\nIf an intermediate certificate is desired:\n\n1. Edit `[req_distinguished_name]` in `root_ca.sh` to match your needs. Check `man req` for information on fields.\n2. Run `./intermediate.sh`\n\nIf the intermediate certificate is not present, single-site or wildcard certs are signed with the root certificate.\n\n### single domain\n\n1. Edit `[req_distinguished_name]` in `site.sh` to match your needs. Check `man req` for information on fields.\n2. Change domain in `site.ini`. You need to change `CN = \u003chost\u003e` as well as the entry in `subjectAltName = DNS:\u003chost\u003e`\n3. Run `./site.sh` \u003cbr\u003e\n   For a different domain run `./site.sh \u003cdomain\u003e` \u003cbr\u003e\n     e.g. `./site.sh www.aa.aa`\n\n### multi domain (wildcard)\n\n1. Edit `[req_distinguished_name]` in `star.sh` to match your needs. Check `man req` for information on fields.\n2. Change domain in `star.sh`. You need to change `CN = \u003chost\u003e` as well as entries in `[alt_names]` to match your sub-domains.\n3. Run `./star.sh` \u003cbr\u003e\n   For different altnames run `./star.sh \u003cstardomain\u003e \u003cdomain\u003e` \u003cbr\u003e\n     e.g. 
`./star.sh *.aa.aa aa.aa localhost`\n\n## Folders\n\n```sh\n├── certs                   # the generated certificates\n│   ├── intermediate.crt    # intermediate\n│   ├── root_ca.crt         # root\n│   ├── site.crt            # site certificate\n│   ├── site.key            # site private key\n│   ├── site.crt.key        # combined certificate \u0026 key e.g. for HaProxy\n│   ├── site.pfx            # PKCS12\n│   ├── site.pfx.pass       # Password for PKCS12\n│   └── site.tgz            # all site certificate files compressed\n├── crl\n│   ├── intermediate.crl    # certificate revocation list for intermediate cert\n│   ├── intermediate.index.txt # intermediate revocation database\n│   ├── root_ca.crl         # certificate revocation list for root crt\n│   └── root_ca.index.txt   # root revocation database\n├── csr                     # directory for signing requests\n├── private                 # directory for all private files\n│   ├── intermediate.ini    # config for intermediate CA\n│   ├── intermediate.key    \n│   ├── intermediate.pass\n│   ├── root_ca.ini         # config for root CA\n│   ├── root_ca.key\n│   └── root_ca.pass\n├── root_ca.sh              # the scripts to run the CA\n├── intermediate.sh\n├── site.sh\n├── star.sh\n└── crl.sh\n```\n\n\n## Testing\n\n1. Import `root_ca.crt` in Browser and/or OS:\n   - _Chrome_ : Type in URL \"chrome://settings/certificates\" \u003e Tab:Authorities \u003e Button:Import \u003e Select `root_ca.crt` \u003e Trust this cert for identifying websites\n     Use \"chrome://flags/#show-cert-link\" to see certificate details from the URL pane.\n   - _Firefox_ : Type in URL \"about:preferences#privacy\" \u003e Section:Certificates \u003e Button:View Certificates \u003e Tab:Authorities \u003e Button:Import... \u003e Select `root_ca.crt` \u003e Trust this cert for identifying 
websites\n   - _macOS_ : Double click on `root_ca.crt` \u003e Keychain opens \u003e Choose Keychain: **System** \u003e Button:Add\n     Select in Tab:Keychains **System** and double-click on `AA Certification` cert. Fold:Trust \u003e Change:When using this certificate:**Always Trust**.\n   - _Ubuntu_ :\n     ```\n     sudo cp root_ca.crt /usr/local/share/ca-certificates\n     sudo update-ca-certificates\n     ```\n\n2. Add some entries in your `/etc/hosts` file. E.g.:\n   ````\n   127.0.0.1    aa.aa\n   127.0.0.2    one.aa.aa\n   127.0.0.3    two.test.aa\n   ````\n\n3. Get [`node`](https://nodejs.org).\n4. Start HTTPS server with:\n   1. `node test/https.js site` for single site\n   2. Browse \u003chttps://aa.aa:8443\u003e\n   3. `node test/https.js star` for multi domain\n   4. Browse \u003chttps://aa.aa:8443\u003e\n   5. Browse \u003chttps://one.aa.aa:8443\u003e\n   6. Browse \u003chttps://two.test.aa:8443\u003e\n   7. Browse \u003chttps://localhost:8443\u003e\n\n\n## Security Considerations\n\nNever commit your root CA key and password (`private/root_ca.key`, `private/root_ca.pass`) with your code.\nAnyone who holds that key can sign certificates that every system trusting your `root_ca.crt` will accept.\nOtherwise, don't be surprised if someone presents you with certificates for any domain, even those of the big five.\n\nRead more about [Root Certs and MITM Attacks here](https://www.bleepingcomputer.com/news/security/sennheiser-headset-software-could-allow-man-in-the-middle-ssl-attacks/).\n\n\n## Known Issues\n\nOn macOS, `openssl` does not seem to be compatible with Google Chrome or MS Edge Browsers. \nIf you experience problems with these browsers showing a page with:\n\n\u003e  This site can’t provide a secure connection  \n\u003e \n\u003e  aa.aa.de doesn't adhere to security standards.  
\n\u003e  ERR_SSL_SERVER_CERT_BAD_FORMAT  \n\nit is recommended to use Linux to generate some accepted certificates:\n\n```sh\n# brew install colima docker\ncolima start\n# or with docker desktop\nopen /Applications/Docker.app\n\nsh docker/alpine.sh\n# inside the container change to the `/work` directory. Then generate the cert(s) as described above\ncd /work\n```\n\nThen open the Keychain Access app:\n```\nopen /System/Applications/Utilities/Keychain\\ Access.app\n```\nSelect Tab \"System\" and drag-n-drop the `root_ca.crt`  \nDouble-click on the \"untrusted\" Certificate, \nthen set \"Trust\" to \"Always Trust\" and confirm with your password.\n\n\n\n## License\n\n- Unlicense https://unlicense.org\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcommenthol%2Fself-signed-certs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcommenthol%2Fself-signed-certs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcommenthol%2Fself-signed-certs/lists"}