This repository provides a simple setup for generating a local Certificate Authority (CA) and issuing self-signed certificates using OpenSSL

elyerr/ca-generator

Local Certificate Authority & SSL Certificate Generator

This repository provides a simple setup for generating a local Certificate Authority (CA) and issuing self-signed certificates using OpenSSL. It's useful for local development environments, internal enterprise networks, or self-hosted tools like Nextcloud, APIs, or internal dashboards.


Structure

  • ca-generator.sh: Initializes a local CA in a CA/ directory and generates a helper script to issue certificates.
  • issue-cert.sh: Generated by ca-generator.sh, used to create domain certificates signed by your local CA.
  • CA/: Contains all CA-related files and keys.

⚙️ Usage

1. (Optional) Set Custom Domains for ALT Names

Before generating the CA, you can define the Subject Alternative Names (SANs) that will be included in the certificates. By default, the following DNS names are used:

elyerr.xyz, *.elyerr.xyz

To set custom domains (comma-separated):

export ALT_NAMES="*.elyerr.org,elyerr.org"

2. Generate the Local CA

chmod +x ca-generator.sh
./ca-generator.sh

After generating the CA, you can unset the variable:

unset ALT_NAMES

This will:

  • Create a CA/ folder with all necessary files and structure
  • Generate a ca.key and ca.crt inside CA/
  • Automatically generate an issue-cert.sh helper script in the same directory

3. Issue a Domain Certificate

Once the CA is initialized, use the generated script to issue certificates:

./issue-cert.sh your.domain.local

This will generate:

  • Private key: CA/private/your.domain.local.key
  • CSR: CA/csr/your.domain.local.csr
  • Signed certificate: CA/certs/your.domain.local.crt
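
Before pointing a server at a freshly issued certificate, it is worth confirming that it chains to your CA and that its SAN list covers the hostname you will serve. The script below is an added example, not part of ca-generator; the function names and return codes are assumptions of this example, and every path is passed in by the caller.

```shell
#!/bin/sh
# Added example (not part of ca-generator): sanity checks for a certificate
# issued by a local CA. Example call, using the paths named in this README:
#   check_issued_cert CA/certs/ca.crt CA/certs/your.domain.local.crt your.domain.local

# check_issued_cert CA_CERT LEAF_CERT HOSTNAME
# Returns 0 if all checks pass, otherwise 1-4 for the first failed check.
check_issued_cert() {
    ca=$1 leaf=$2 host=$3

    # 1. The certificate must not already be expired.
    openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $leaf has expired" >&2; return 1; }

    # 2. The leaf must chain to this CA file only. -no-CApath ignores the
    #    system directory store, so a CA imported there cannot mask a mismatch.
    openssl verify -no-CApath -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
        { echo "FAIL: $leaf does not chain to $ca" >&2; return 2; }

    # 3. A SAN extension must be present. OpenSSL falls back to the CN when
    #    there is none, but browsers do not.
    openssl x509 -in "$leaf" -noout -text |
        grep -q 'X509v3 Subject Alternative Name' ||
        { echo "FAIL: $leaf has no subjectAltName extension" >&2; return 3; }

    # 4. The hostname being served must match one of the SAN entries.
    openssl verify -no-CApath -CAfile "$ca" -verify_hostname "$host" \
        "$leaf" >/dev/null 2>&1 ||
        { echo "FAIL: $host is not covered by the certificate" >&2; return 4; }
}

# key_is_private KEY_FILE
# Returns 0 if the key file grants no permissions to group or others.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```
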

🧹 Trust the CA

To avoid browser warnings, import the CA certificate into your system or browser.

Debian / Ubuntu

sudo cp CA/certs/ca.crt /usr/local/share/ca-certificates/local-ca.crt
sudo update-ca-certificates

Arch Linux

sudo cp CA/certs/ca.crt /etc/ca-certificates/trust-source/anchors/
sudo trust extract-compat

🖥️ Example with NGINX

server {
    listen 443 ssl;
    server_name your.domain.local;

    ssl_certificate     /absolute/path/to/CA/certs/your.domain.local.crt;
    ssl_certificate_key /absolute/path/to/CA/private/your.domain.local.key;

    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
        root /var/www/html;
        index index.html;
    }
}

📌 Notes

  • Certificates are valid for 825 days by default.
  • Intended for local or internal use only — not for production use on public servers.
  • You can reuse the same CA for multiple domains by using ./issue-cert.sh <domain> again.

📤 Export CA for Reuse

You can distribute the CA certificate (CA/certs/ca.crt) to other machines or developers to establish trust with certificates issued by your CA.


📢 Contact

Maintained by Elyerr. Feel free to fork, share, or contribute. Telegram: @elyerr
