├── .github
│   └── FUNDING.yml
├── .gitignore
├── LICENSE
├── README.md
├── create-local-certificates.sh
├── server.csr.cnf
└── v3.ext

/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: georgemandis
patreon: georgemandis
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
certs/*

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 George Mandis

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SSLoca
## Generate trusted local SSL certificates for macOS

This is a bash script that removes (some of) the headache of generating and trusting TLS certificates for localhost projects on macOS. Instead of jumping between ~5 different commands, 6+ prompts and manually opening Keychain Access to trust your locally generated certificates, you run this script once and are done.

To do so, clone the project and run:

`./create-local-certificates.sh`

You will be prompted for your user password in the final step, which adds the locally generated root CA to the System keychain as a trusted root for SSL. When finished you will have these files in your `certs` folder ready to use:

```
rootCA.key
rootCA.pem
rootCA.srl
server.crt
server.csr
server.key
```

How and where you use these will depend on your project. `server.key` and `server.crt` go to whatever serves HTTPS. `rootCA.pem` is what a client that does not use the system trust store (curl with `--cacert`, a test runner, Node's `https.request` via its `ca` option) needs in order to trust `server.crt`. `rootCA.key` should never leave your machine.

If you're using Node, a minimal HTTPS server looks like this (an [Express](http://expressjs.com/) app can be passed to `https.createServer` in place of the inline request handler):

```
const https = require('https');
const fs = require('fs');

// Key and certificate produced by ./create-local-certificates.sh
const options = {
  key: fs.readFileSync('certs/server.key'),
  cert: fs.readFileSync('certs/server.crt'),
};

https.createServer(options, (req, res) => {
  res.writeHead(200);
  res.end("hello world\n");
}).listen(8080);
```

Then open `https://localhost:8080` in your browser. The certificate is only valid for the names listed in `v3.ext` (`localhost` and `127.0.0.1`), so use one of those rather than your machine's hostname.

## Caveats

**Do not use this in any kind of production!** The passphrase protecting the root CA key is hardcoded to `password`, and the key is written to `certs/rootCA.key` next to everything else. Because `rootCA.pem` is added to the System keychain as a trusted root, anyone who obtains `rootCA.key` can issue a certificate for any hostname that this machine will then accept without a warning. Keep the `certs` folder out of version control (this repo's `.gitignore` already excludes it), and when you no longer need local HTTPS, remove the trust setting and the certificate from the keychain again (the `security remove-trusted-cert -d` and `security delete-certificate` subcommands do this; the root appears in Keychain Access as "SSLoca Local Root CA").

The server certificate is issued for 500 days and the root for 1024 days. That is fine for a locally trusted root, but re-run the script when they expire.

## Kudos

- [https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec](https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec)
- [https://www.jamf.com/jamf-nation/discussions/22294/adding-a-certificate-to-the-system-keychain-set-to-always-trust](https://www.jamf.com/jamf-nation/discussions/22294/adding-a-certificate-to-the-system-keychain-set-to-always-trust)
- [https://stackoverflow.com/questions/38318102/how-to-specify-policy-constraint-for-certificates-using-os-xs-security-add-tru](https://stackoverflow.com/questions/38318102/how-to-specify-policy-constraint-for-certificates-using-os-xs-security-add-tru)

--------------------------------------------------------------------------------
/create-local-certificates.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
set -euo pipefail

# Run from the repo directory so server.csr.cnf and v3.ext resolve wherever the script is invoked from
cd "$(dirname "$0")"
mkdir -p ./certs/

# Generate the root CA private key (the passphrase is hardcoded; see the README caveats)
openssl genrsa -des3 -out ./certs/rootCA.key -passout pass:password 2048

# Generate the self-signed root certificate. A CA certificate must assert
# basicConstraints CA:TRUE and keyUsage keyCertSign; verifiers refuse to build
# a chain to a "root" that only carries leaf-style extensions. It gets its own
# CN so it is recognisable in Keychain Access and distinct from the server cert.
openssl req -x509 -new -key ./certs/rootCA.key -sha256 -passin pass:password -days 1024 \
  -out ./certs/rootCA.pem -extensions ca_ext -config <( printf '%s\n' \
    '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' 'CN = SSLoca Local Root CA' \
    '[ca_ext]' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' )

# Generate the server private key and certificate signing request
openssl req -new -sha256 -nodes -out ./certs/server.csr -newkey rsa:2048 -keyout ./certs/server.key -config server.csr.cnf

# Sign the server certificate with the root CA; v3.ext supplies the leaf extensions (SAN, EKU, ...)
openssl x509 -req -in ./certs/server.csr -CA ./certs/rootCA.pem -CAkey ./certs/rootCA.key -passin pass:password -CAcreateserial -out ./certs/server.crt -days 500 -sha256 -extfile v3.ext

# Sanity-check the chain before touching the System keychain
openssl verify -CAfile ./certs/rootCA.pem -purpose sslserver -verify_hostname localhost ./certs/server.crt

# Ask macOS to trust the root CA for SSL (prompts for your password). Once the
# root is trusted, server.crt is accepted through the chain and does not need
# to be added to the keychain itself.
sudo security -v add-trusted-cert -d -r trustRoot -p ssl -k /Library/Keychains/System.keychain ./certs/rootCA.pem

--------------------------------------------------------------------------------
/server.csr.cnf:
--------------------------------------------------------------------------------
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C = US
ST = RandomState
L = RandomCity
O = RandomOrganization
OU = RandomOrganizationUnit
emailAddress = hello@example.com
# Clients match the subjectAltName from v3.ext, not this CN; it is kept for display only
CN = localhost

--------------------------------------------------------------------------------
/v3.ext:
--------------------------------------------------------------------------------
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# digitalSignature covers ECDHE handshakes, keyEncipherment covers RSA key exchange
keyUsage = critical, digitalSignature, keyEncipherment
# macOS (and other modern TLS clients) require an explicit serverAuth EKU on server certificates
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
--------------------------------------------------------------------------------
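The root certificate is the part of this setup most worth checking before it goes into the System keychain, because a root that verifiers reject produces confusing browser errors rather than a clear failure. The following script is an added example and is not part of SSLoca: in a temporary directory it builds a throwaway root CA with proper CA extensions and a `localhost` leaf with `v3.ext`-style extensions plus a serverAuth EKU, verifies the chain with `openssl verify` (purpose `sslserver` and a hostname check), and then shows that a root built with only leaf-style extensions (a SAN, `digitalSignature` and `serverAuth`, no `CA:TRUE` and no `keyCertSign`) is rejected as an issuer. The CA name, file prefixes and 30-day validity are arbitrary choices for the demonstration; only `openssl` is required.

```shell
#!/usr/bin/env bash
# Added example, not part of SSLoca. Builds a throwaway root CA and localhost
# leaf, then runs the checks worth doing before trusting anything.
# The CA name, file prefixes and validity periods below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A root CA must assert CA:TRUE and keyCertSign; pathlen:0 forbids sub-CAs.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = SSLoca Example Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf-style extensions on a "root": what a TLS server cert needs, not a CA.
cat > "$WORK/badca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = EXT
[dn]
CN = localhost
[EXT]
subjectAltName = DNS:localhost
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
EOF

# Subject for the server CSR; clients match the SAN below, not this CN.
cat > "$WORK/leaf.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = localhost
EOF

# Leaf extensions as in v3.ext, plus the serverAuth EKU modern clients expect.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF

# make_root CONFIG PREFIX: self-signed root -> PREFIX.key, PREFIX.pem
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# make_leaf ROOTPREFIX PREFIX: CSR for localhost signed by the root -> PREFIX.key, PREFIX.crt
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/leaf.cnf" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$2.crt" >/dev/null 2>&1
}

# verify_chain ROOTPREFIX PREFIX [HOST]: 0 only if the leaf chains to the root,
# is usable as a TLS server certificate and carries a SAN for HOST (default localhost).
verify_chain() {
  openssl verify -CAfile "$1.pem" -purpose sslserver \
    -verify_hostname "${3:-localhost}" "$2.crt" >/dev/null 2>&1
}

# root_is_rejected ROOTPREFIX PREFIX: 0 when verification fails, i.e. the root is unusable as an issuer.
root_is_rejected() {
  if verify_chain "$1" "$2"; then return 1; else return 0; fi
}

# Stand-alone run: the proper root verifies, the leaf-style root does not.
make_root "$WORK/ca.cnf" "$WORK/root" && make_leaf "$WORK/root" "$WORK/server"
make_root "$WORK/badca.cnf" "$WORK/badroot" && make_leaf "$WORK/badroot" "$WORK/badserver"
verify_chain "$WORK/root" "$WORK/server" && echo "proper root: chain verifies for localhost"
root_is_rejected "$WORK/badroot" "$WORK/badserver" && echo "leaf-style root: rejected as issuer"
```

The functions take file prefixes, so the same check runs against what `create-local-certificates.sh` produced: `verify_chain certs/rootCA certs/server` reads `certs/rootCA.pem` and `certs/server.crt`. The hostname argument matters as much as the chain: a certificate that verifies for `localhost` is still rejected for any name absent from its SAN, which is the check browsers perform.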