Wednesday, December 11, 2019

Wildcard SSL Certs


# Manual steps for root CA creation, and signing of application certificates

# apt-get install libnss3-tools

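set -euo pipefail

CERT_NAME=ldi.lan   # basename of the application key/CSR/cert files
CA_NAME=LDI         # basename of the root CA key/cert files

# Validity periods. The CA must outlive every certificate it signs, otherwise
# the chain stops verifying when the CA expires even though the leaf is still
# in date (the original signed for 1825 days under a 365-day CA). Some clients
# (Apple platforms, for example) refuse TLS server certificates valid for more
# than 825 days.
CA_DAYS=3650
CERT_DAYS=825

MY_CN='*.ldi.lan'    # Common name of the application cert
MY_O=ldi    # Organization
MY_C=US    # Country
MY_ST=Some    # State
MY_L=Where    # Locale

# The CA needs a subject that differs from the certificates it signs: OpenSSL
# flags a certificate whose issuer name equals its own subject as self-signed,
# so reusing MY_CN for the CA makes the application cert fail to verify.
CA_CN="${CA_NAME} Root CA"

# A wildcard name does not match the bare apex (ldi.lan), so list it too.
MY_SAN="DNS:${MY_CN},DNS:${MY_CN#\*.}"

# create root CA key and self-signed cert
# -nodes leaves the CA key unencrypted on disk; keep it owner-readable only.
openssl req \
    -new \
    -newkey rsa:4096 \
    -days "${CA_DAYS}" \
    -nodes \
    -x509 \
    -subj "/C=${MY_C}/ST=${MY_ST}/L=${MY_L}/O=${MY_O}/CN=${CA_CN}" \
    -keyout "${CA_NAME}.key" \
    -out "${CA_NAME}.crt"
chmod 600 -- "${CA_NAME}.key"

# application key, then the signing request for it
openssl genrsa -out "${CERT_NAME}.key" 2048
chmod 600 -- "${CERT_NAME}.key"
openssl req \
    -new \
    -nodes \
    -subj "/C=${MY_C}/ST=${MY_ST}/L=${MY_L}/O=${MY_O}/CN=${MY_CN}" \
    -addext "subjectAltName = ${MY_SAN}" \
    -key "${CERT_NAME}.key" \
    -out "${CERT_NAME}.csr"

# create app cert from the CSR, root CA cert and CA key.
# x509 -req does not copy extensions from the CSR, so the SAN is supplied again
# here; CA:FALSE and serverAuth stop the issued cert from being usable as an
# intermediate CA or for anything other than TLS server authentication.
# The SAN goes in as a printf argument, never as part of the format string.
openssl x509 -req \
    -in "${CERT_NAME}.csr" \
    -CA "${CA_NAME}.crt" \
    -CAkey "${CA_NAME}.key" \
    -CAcreateserial \
    -extfile <(printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' "${MY_SAN}") \
    -out "${CERT_NAME}.crt" \
    -days "${CERT_DAYS}" \
    -sha256

# import root CA cert to the OS trust store (Debian/Ubuntu: the file must end
# in .crt under /usr/local/share/ca-certificates). The CA was written as
# ${CA_NAME}.crt above; there is no ${CA_NAME}.pem.
sudo cp -- "${CA_NAME}.crt" "/usr/local/share/ca-certificates/${CA_NAME}.crt"
sudo update-ca-certificates

# import root CA to chrome's NSS database. 'C,,' trusts it to issue TLS server
# certificates only; 'TCP,TCP,TCP' would also trust it for email and code
# signing, which this CA is never used for.
certutil -d "sql:${HOME}/.pki/nssdb" -A -n "${CA_NAME}" -i "./${CA_NAME}.crt" -t 'C,,'

# import app cert to chrome, when not using the root CA. The file is the
# signed ${CERT_NAME}.crt (the original passed the bare basename, which does
# not exist). 'P,,' marks it as a trusted peer for TLS only.
certutil -d "sql:${HOME}/.pki/nssdb" -A -n "${CERT_NAME}" -i "./${CERT_NAME}.crt" -t 'P,,'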