#! /bin/bash ###################################################################### # # This script generates an SSL certficate for local development. To # execute the script, run `bash create-dev-ssl-cert.sh`. Sudo is # needed to save the certificate to your Mac KeyChain. After the cert # is generated, you can use `HTTPS=true yarn start` to run the web # server. # # Author: Andi Wilson # Created: 03/23/2020 # ###################################################################### CWD=$(pwd) LOCAL_CERT_PATH=$CWD/.cert CERT_NAME='localhost (PTV Dev SSL Cert)' ORG_NAME='Promethean TV, Inc.' DNS_1='dev.embed.promethean.tv' DNS_2='dev.broadcast.promethean.tv' # Ask user permission to run the script CONTINUE="n/a" printf "⚠️ This script will create/modify the folder $LOCAL_CERT_PATH\n" printf "⚠️ This script will alert you when it must run in sudo mode\n" printf "" while [[ ! "$CONTINUE" =~ ^[yYnN]$ ]] do read -ep ' Do you want to continue? [y/N] ' -n 1 -r CONTINUE if [[ "$CONTINUE" == "" ]]; then CONTINUE="N" fi done if [[ "$CONTINUE" =~ ^[nN]$ ]]; then printf 'Script aborted by used\n' exit 0 fi printf '\n' # -- ./.cert -- printf "⚙️ $LOCAL_CERT_PATH... " mkdir -p $LOCAL_CERT_PATH cd $LOCAL_CERT_PATH printf '✅\n' # -- rootCA.key -- printf '🔑 Generating rootCA.key... ' FILE=rootCA.key if [[ -f "$FILE" ]]; then printf 'already exists ✅ \n' else printf '🆕\n' openssl genrsa -des3 -out rootCA.key 2048 fi # -- rootCA.pem -- printf '🔒 Generating rootCA.pem... ' FILE=rootCA.pem if [[ -f "$FILE" ]]; then printf 'already exists ✅\n' else printf '🆕\n' openssl req -x509 -new -nodes -key rootCA.key -subj "/C=US/ST=CA/O=$ORG_NAME/CN=$CERT_NAME" -sha256 -days 1024 -out rootCA.pem fi # -- Ask user permission to trust certificate -- printf '\n'; CONTINUE="n/a" printf "⚠️ The following command requires sudo privileges\n" while [[ ! "$CONTINUE" =~ ^[yYnN]$ ]] do read -ep " Trust and add $CERT_NAME rootCA.pem to Keychain Access? [y/N] " -n 1 -r CONTINUE if [[ "$CONTINUE" == "" ]]; then CONTINUE="N" fi done if [[ "$CONTINUE" =~ ^[yY]$ ]]; then sudo security -v add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem fi printf '\n' # -- server.csr.cnf -- printf '⚙️ Creating server.csr.cnf... ' cat > server.csr.cnf <<- EOM [req] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = dn [dn] C=US ST=CA O=$ORG_NAME CN=$CERT_NAME EOM printf '✅\n' # -- v3.ext -- printf '⚙️ Creating v3.ext... ' cat > v3.ext <<- EOM authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = localhost DNS.2 = $DNS_1 DNS.3 = $DNS_2 EOM printf '✅\n' # -- server.csr & server.key -- printf '🔐 Generating server.csr and server.key... ' FILE1=server.csr FILE2=server.key if [[ -f "$FILE1" && -f "$FILE2" ]]; then printf 'already exist ✅\n' else printf '🆕\n' openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf ) fi # -- server.crt & rootCA.srl -- printf '🔏 Generating server.crt and rootCA.srl... ' FILE1=server.crt FILE2=rootCA.srl if [[ -f "$FILE1" && -f "$FILE2" ]]; then printf 'already exist ✅\n' else printf '🆕\n' openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext fi printf '✅\n'