A simple interactive Bash script to generate a local Root CA and a wildcard TLS certificate for internal/homelab use.
- Prompts you for organisation, domain, email address, and any number of IP addresses
- Generates a Root CA (4096-bit RSA, 10 years)
- Generates a wildcard certificate (
*.yourdomain, 4096-bit RSA, 5 years) signed by that CA, including all provided IPs as Subject Alternative Names - Bundles the certificate and CA into a
wildcard-fullchain.pemfor easy deployment - Cleans up temporary files (CSR, config, serial)
All output files are written to a certs/ subdirectory.
openssl(available on most Linux/macOS systems)- Bash 4+
bash generate-certs.shYou will be prompted for:
| Prompt | Example |
|---|---|
| Organisation | Bitpainter |
| Domain | bitpainter.lan |
| E-mail address | admin@bitpainter.lan |
| IP addresses (one per line, empty to finish) | 10.0.0.1 |
| Label per IP (optional) | Proxmox |
╔══════════════════════════════════════════╗
║ Internal CA Generator ║
╚══════════════════════════════════════════╝
Organisation (z.B. Bitpainter): Acme Corp
Domain (z.B. example.lan): acme.lan
E-Mail-Adresse: admin@acme.lan
IP-Adressen ins Zertifikat aufnehmen (leer lassen zum Beenden):
IP-Adresse: 192.168.1.10
Bezeichnung (optional): NAS
IP-Adresse: 192.168.1.20
Bezeichnung (optional): Proxmox
IP-Adresse:
| File | Description |
|---|---|
certs/ca.pem |
Root CA certificate — import this on all clients/devices |
certs/ca-key.pem |
Root CA private key — keep this safe |
certs/wildcard-cert.pem |
Wildcard certificate |
certs/wildcard-key.pem |
Wildcard private key |
certs/wildcard-fullchain.pem |
Certificate + CA chain (use this in most servers) |
sudo cp certs/ca.pem /usr/local/share/ca-certificates/my-internal-ca.crt
sudo update-ca-certificatessudo cp certs/ca.pem /etc/ca-certificates/trust-source/anchors/my-internal-ca.crt
sudo update-ca-trustsudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certs/ca.pemImport-Certificate -FilePath "certs\ca.pem" -CertStoreLocation Cert:\LocalMachine\Root- The Root CA key (
ca-key.pem) is encrypted with AES-256 — you will be prompted for a passphrase during generation. - After generating the certificates, store
ca-key.pemsomewhere safe (e.g. encrypted USB, password manager) and remove it from the machine. - This setup is intended for internal/private networks only and is not a substitute for a publicly trusted CA.