
   1  #!/bin/bash
   2  set -euo pipefail
   3  
   4  # Generate a private CA + signed server cert for LAN HTTPS.
   5  # Gives crypto.subtle on mobile (requires secure context).
   6  #
   7  # Usage:
   8  #   ./gen-lan-certs.sh
   9  #   SMESH_SANS="DNS:smesh.local, IP:192.168.1.42" ./gen-lan-certs.sh
  10  #
  11  # Install CA on clients:
  12  #   Linux:       sudo cp certs/ca.crt /etc/ca-certificates/trust-source/anchors/smesh-dev-ca.crt && sudo update-ca-trust
  13  #   LibreWolf:   about:config → security.enterprise_roots.enabled = true (picks up system store)
  14  #   GrapheneOS:  adb push certs/ca.crt /sdcard/Download/smesh-ca.crt
  15  #                then: Settings → Security & privacy → More security & privacy → Encryption & credentials
  16  #                      → Install a certificate → CA certificate → select from Downloads
  17  #   Fennec:      about:config → security.enterprise_roots.enabled = true → force-stop & relaunch
  18  #                (reads the CA from the GrapheneOS user trust store installed above)
  19  
  20  OUTDIR="${SMESH_CERT_DIR:-certs}"
  21  CA_SUBJ="/CN=Smesh Dev CA"
  22  SRV_SUBJ="/CN=smesh-relay"
  23  DAYS_CA=3650
  24  DAYS_SRV=825
  25  
  26  # SANs — edit or override via SMESH_SANS env var
  27  SANS="${SMESH_SANS:-DNS:localhost, IP:127.0.0.1, IP:10.0.0.1, IP:192.168.1.1}"
  28  
  29  mkdir -p "$OUTDIR"
  30  
  31  # ── CA key + self-signed cert ──────────────────────────────────────
  32  if [ ! -f "$OUTDIR/ca.key" ]; then
  33    openssl ecparam -genkey -name prime256v1 -noout -out "$OUTDIR/ca.key"
  34    openssl req -new -x509 -key "$OUTDIR/ca.key" -sha256 \
  35      -days "$DAYS_CA" -subj "$CA_SUBJ" \
  36      -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
  37      -addext "keyUsage=critical,keyCertSign,cRLSign" \
  38      -out "$OUTDIR/ca.crt"
  39    # DER copy for Android
  40    openssl x509 -in "$OUTDIR/ca.crt" -outform DER -out "$OUTDIR/ca.der.crt"
  41    echo "CA created: $OUTDIR/ca.crt"
  42  else
  43    echo "CA exists, reusing: $OUTDIR/ca.key"
  44  fi
  45  
  46  # ── Server key + CSR + signed cert ─────────────────────────────────
  47  openssl ecparam -genkey -name prime256v1 -noout -out "$OUTDIR/server.key"
  48  
  49  openssl req -new -key "$OUTDIR/server.key" -sha256 \
  50    -subj "$SRV_SUBJ" -out "$OUTDIR/server.csr"
  51  
  52  openssl x509 -req -in "$OUTDIR/server.csr" \
  53    -CA "$OUTDIR/ca.crt" -CAkey "$OUTDIR/ca.key" -CAcreateserial \
  54    -sha256 -days "$DAYS_SRV" \
  55    -extfile <(printf "subjectAltName=%s\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth" "$SANS") \
  56    -out "$OUTDIR/server.crt"
  57  
  58  rm -f "$OUTDIR/server.csr" "$OUTDIR/ca.srl"
  59  
  60  echo "Server cert created: $OUTDIR/server.crt"
  61  echo "SANs: $SANS"
  62  openssl x509 -in "$OUTDIR/server.crt" -noout -text | grep -A1 "Subject Alternative Name"
  63