Skip to content

Bitpainter75/generate-certs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 

Repository files navigation

generate-certs.sh

A simple interactive Bash script to generate a local Root CA and a wildcard TLS certificate for internal/homelab use.

What it does

  1. Prompts you for organisation, domain, email address, and any number of IP addresses
  2. Generates a Root CA (4096-bit RSA, 10 years)
  3. Generates a wildcard certificate (*.yourdomain, 4096-bit RSA, 5 years) signed by that CA, including all provided IPs as Subject Alternative Names
  4. Bundles the certificate and CA into a wildcard-fullchain.pem for easy deployment
  5. Cleans up temporary files (CSR, config, serial)

All output files are written to a certs/ subdirectory.

Requirements

  • openssl (available on most Linux/macOS systems)
  • Bash 4+

Usage

bash generate-certs.sh

You will be prompted for:

Prompt Example
Organisation Bitpainter
Domain bitpainter.lan
E-mail address admin@bitpainter.lan
IP addresses (one per line, empty to finish) 10.0.0.1
Label per IP (optional) Proxmox

Example session

╔══════════════════════════════════════════╗
║        Internal CA Generator             ║
╚══════════════════════════════════════════╝

Organisation (z.B. Bitpainter):  Acme Corp
Domain      (z.B. example.lan):  acme.lan
E-Mail-Adresse:                  admin@acme.lan

IP-Adressen ins Zertifikat aufnehmen (leer lassen zum Beenden):
  IP-Adresse:              192.168.1.10
  Bezeichnung (optional):  NAS
  IP-Adresse:              192.168.1.20
  Bezeichnung (optional):  Proxmox
  IP-Adresse:

Output files

File Description
certs/ca.pem Root CA certificate — import this on all clients/devices
certs/ca-key.pem Root CA private key — keep this safe
certs/wildcard-cert.pem Wildcard certificate
certs/wildcard-key.pem Wildcard private key
certs/wildcard-fullchain.pem Certificate + CA chain (use this in most servers)

Trusting the CA

Linux (Debian/Ubuntu)

sudo cp certs/ca.pem /usr/local/share/ca-certificates/my-internal-ca.crt
sudo update-ca-certificates

Linux (Arch/RHEL/Fedora)

sudo cp certs/ca.pem /etc/ca-certificates/trust-source/anchors/my-internal-ca.crt
sudo update-ca-trust

macOS

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certs/ca.pem

Windows

Import-Certificate -FilePath "certs\ca.pem" -CertStoreLocation Cert:\LocalMachine\Root

Security notes

  • The Root CA key (ca-key.pem) is encrypted with AES-256 — you will be prompted for a passphrase during generation.
  • After generating the certificates, store ca-key.pem somewhere safe (e.g. encrypted USB, password manager) and remove it from the machine.
  • This setup is intended for internal/private networks only and is not a substitute for a publicly trusted CA.

About

A simple interactive Bash script to generate a local Root CA and a wildcard TLS certificate for internal/homelab use.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages