
Show HN: I made a script to generate self-signed SSL certs for local development

107 points, by kingkool68, over 6 years ago

14 comments

moviuro, over 6 years ago

See https://shellcheck.net to fix your script and follow good guidelines. Top of my head:

* /bin/bash -> /usr/bin/env bash
* You probably don't need bash anyway, so switch to /bin/sh
* errors go to stderr (>&2), not stdout
* exits because of errors should return non-zero codes. (e.g.: `exit 1`)
* Full caps variables are bad practice (might conflict with real, global env variables)
* rather than running everything as root (using sudo), I'd call sudo for the only few commands that actually require root privileges (I found none, so I suppose "security" is the only command that needs root perms).
tialaramex, over 6 years ago

Although these will "work" today in popular browsers and with most tools, this is NOT the right way to scribble a DNS name into a certificate this century.

Write SANs. Subject Alternative Names. These aren't aliases; the "alternative" means in the sense that this is an "alternative" to writing human-readable X.500 series Common Names. Unlike those human names, SANs are defined in a machine-readable way, e.g. the dnsName SAN spells exactly DNS A-labels, the ipAddress SAN is just an IPv4 or IPv6 address written out as raw bytes, not a dotted decimal or whatever else someone thought might be fun today.

You should also write one of the SANs you choose as the Common Name in some plausible text format, but by having SANs all vaguely modern tools can just match those rather than trying to make sense of the Common Name.

In a very new OpenSSL you can actually do this from the command line sort-of sensibly. In most installs you will need to modify that configuration file instead; you're already using a configuration file, so that's no big deal.
FiloSottile, over 6 years ago

Good ideas are rarely unique, as they usually solve a common problem. I recently built something similar:

https://github.com/FiloSottile/mkcert

It's in pure Go instead of using OpenSSL, and it works with Windows, macOS and Firefox, too.
tombrossman, over 6 years ago

Also see "Certificates for localhost" from the Certbot/Let's Encrypt documentation:

https://letsencrypt.org/docs/certificates-for-localhost/
shivekkhurana, over 6 years ago

Your solution generates a certificate and leaves it up to the user to set up https.

There are other steps involved, like adding the cert to the trust store (so you don't get invalid SSL warnings), and also changing your application code to use these certificates.

Even if you do that, you are still exposed to a serious security threat: if a bad actor gets hold of your certificate file, they can pose as a legitimate website and steal sensitive data. This security flaw is present with all other script solutions mentioned in this thread.

To overcome these issues, I have built a mac application called HTTPSLocalhost (https://httpslocalhost.com).

- It offers a user interface to add/remove local https domains
- Has an inbuilt proxy so you don't need to change your application code
- Is much safer because it deletes the certificate and private keys as soon as the proxy server starts
- It creates a new certificate each time you start the app, to enhance security.
- And of course, like all good things, is free (there is a video demo on the website, the app will be ready soon).

Wanted to do a proper Show HN next week, but I guess it's the right time to bring it up :)

Thanks
NotANaN, over 6 years ago

"Generating the certs is a complicated hassle."

Not really... I will grant that the openssl commands are a bit non-obvious.

Step 1: Generate private key

    openssl ecparam -genkey -name secp384r1 -out key.pem

Step 2: Create and sign cert (the process substitution `<(...)` needs bash)

    openssl req -x509 -sha512 -nodes -days 365 -key key.pem -subj "/CN=example.com" -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:example.com,DNS:*.example.com')) -out cert.pem
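The same two steps, and tialaramex's SAN point above, as an added example written with Go's standard library (it is not code from this thread, from the submitter's script or from mkcert): a P-384 key and a self-signed certificate whose identities are dnsName and ipAddress SANs, with the CN kept only as human-readable text. The host names and the 127.0.0.1 address are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewLocalCert: P-384 key plus a self-signed cert whose identities are SANs (dnsName,
// ipAddress); cn is human-readable text only, and Go's VerifyHostname (1.15+) ignores it.
func NewLocalCert(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // like: openssl ecparam -genkey -name secp384r1
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),          // tolerate minor clock skew
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // like: -days 365
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // dnsName SANs, e.g. example.com and *.example.com
		IPAddresses:  ips,      // ipAddress SANs, encoded as raw address bytes
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed: parent == tmpl
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	cert, _, err := NewLocalCert("example.com", []string{"example.com", "*.example.com"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		panic(err)
	}
	// SAN matching only; the wildcard covers a single label, so a.b.example.com is rejected (non-nil error).
	fmt.Println(cert.VerifyHostname("api.example.com"), cert.VerifyHostname("127.0.0.1"), cert.VerifyHostname("a.b.example.com"))
}
```

Passing the CN alone with no SANs (`NewLocalCert("localhost", nil, nil)`) yields a certificate that Go will not accept even for "localhost", which is the behaviour the SAN comment predicts for modern tools.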
qubyte, over 6 years ago

I built something similar (though probably a lot less sophisticated) as an alpine-based docker image. I had some issues with openssl on a Mac in the past, and this approach circumvents those.

https://hub.docker.com/r/qubyte/cert-creator/
TekMol, over 6 years ago

I would use it if I could do so with PHP's internal webserver.

I often hack together quick experiments using PHP's internal webserver. It only serves via http though, not https. Is there a way to make it serve over https?
jlgaddis, over 6 years ago

If you have OpenSSL installed, you may also have a copy of the two-decades-old shell script, "CA", that still works wonderfully today.
kevin_thibedeau, over 6 years ago

> openssl genrsa -des3 ...

It's really time to lay DES to rest.
jfyne, over 6 years ago

https://github.com/square/certstrap
nailer, over 6 years ago

If you prefer using macOS itself, making a trusted self-signed cert only requires a few clicks and one command: https://certsimple.com/blog/localhost-ssl-fix
algorithm_dk, over 6 years ago

Check out the mkcert project; it's awesome and can be automated so everyone in the team gets their own certs and CA.
sigjuice, over 6 years ago

I have been using a Let's Encrypt wildcard certificate.