Shell script to create and sign certificates
============================================
Modern web browsers complain about the absence of encryption when they
access local web services on the home network. Adding certificates
to these services is therefore gaining significance.
Mkcert
------
Mkcert creates locally trusted, signed certificates. It makes managing
and operating a local CA much easier.
Mkcert is written in Go and is available for Linux, Mac OS and Windows.
My home network's systems run FreeBSD. I had some dependency
issues when compiling Mkcert, so I installed it in a Linux
virtual machine. It is excessive to start a virtual machine (VM)
merely to generate a few certificates.
Shell script
------------
After some trial and error, I created a shell script to generate
signed certificates. The script signs using the rootCA key generated
by Mkcert, which is already trusted on my systems.
Mkcert creates certificates with the parameter::

    subjectAltName=DNS:<FQDN of the subdomain>,IP:<ip-address of the server>

I also set out to accomplish this with the script.
Structure
---------
* The script assumes that rootCA.key and rootCA.crt are
  in the directory ~/certs/rootcert.
* For every subdomain a subdirectory is created under
  ~/certs/keys/

The idea is that you can put either ~/certs or the subdirectory
~/certs/keys into a version control system such as Git.
Any version control system will do; the key and the certificate are text files.
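As an added example (not the author's script, which is not reproduced here), the following POSIX shell script implements what the Shell script and Structure sections describe: it keeps the ~/certs/rootcert and ~/certs/keys/<subdomain> layout, signs with the mkcert rootCA key and certificate, and sets the DNS+IP subjectAltName. The example host name, address and the 825-day validity are my assumptions; openssl(1) is assumed to be installed.

```sh
#!/bin/sh
# Added example, not the author's script. Signs a server certificate for one
# home-network host with the mkcert root CA, using the ~/certs layout and the
# DNS+IP subjectAltName described in the text. Assumes openssl(1) is installed.
set -eu
: "${CERT_ROOT:=$HOME/certs}"   # override to use another directory

# The SAN value mkcert writes: DNS:<fqdn>,IP:<address>
san_for() {
    printf 'DNS:%s,IP:%s' "$1" "$2"
}

# Extension file for the leaf certificate: not a CA, TLS server use only.
write_ext() {   # $1 = output path, $2 = fqdn, $3 = ip
    cat > "$1" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=$(san_for "$2" "$3")
EOF
}

# Generate a key and CSR for the host, sign it with rootCA.key/rootCA.crt,
# then verify the chain and confirm the IP SAN really is in the certificate.
sign_host() {   # $1 = fqdn (assumed example: nas.home.example), $2 = ip
    fqdn="$1"; ip="$2"
    root="$CERT_ROOT/rootcert"
    dir="$CERT_ROOT/keys/$fqdn"
    mkdir -p "$dir"
    write_ext "$dir/$fqdn.ext" "$fqdn" "$ip"
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$fqdn.key" -subj "/CN=$fqdn" \
        -out "$dir/$fqdn.csr"
    # 825 days: the longest leaf validity Apple platforms still accept
    openssl x509 -req -in "$dir/$fqdn.csr" -CA "$root/rootCA.crt" \
        -CAkey "$root/rootCA.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt" 2>/dev/null
    openssl verify -CAfile "$root/rootCA.crt" "$dir/$fqdn.crt" >/dev/null
    openssl x509 -in "$dir/$fqdn.crt" -noout -text | grep -q "IP Address:$ip"
}

# Run directly: ./sign.sh <fqdn> <ip>
if [ $# -eq 2 ]; then
    sign_host "$1" "$2"
fi
```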
Not a security solution
-----------------------
Always evaluate your threat model before selecting a security
solution.
The purpose of the certificates is to prevent browsers from
complaining about the lack of encryption. Perhaps in the future,
browsers will not allow users to log in to sites that do not use
encryption. It's best to have things ready before that happens.
The traffic is now encrypted, providing some protection against
eavesdropping; nonetheless, do not use this method when security is
critical.
Where to install the certificates
---------------------------------
Your FreeBSD workstation trusts the certificates when you place the
rootCA certificate in: