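#!/bin/bash
# gen-lan-certs.sh — generate a private CA and a CA-signed server cert for LAN HTTPS.
#
# Why: browsers only expose crypto.subtle (and other "secure context" APIs) over
# HTTPS, so a LAN-only relay reached from a phone needs a cert the phone trusts.
#
# Usage:
#   ./gen-lan-certs.sh
#   SMESH_SANS="DNS:smesh.local, IP:192.168.1.42" ./gen-lan-certs.sh
#
# Environment:
#   SMESH_CERT_DIR  output directory (default: certs)
#   SMESH_SANS      subjectAltName list for the server cert, OpenSSL syntax
#                   (default: localhost plus a few private IPs)
#
# Outputs (in $SMESH_CERT_DIR):
#   ca.key, ca.crt, ca.der.crt   CA private key (0600), PEM cert, DER cert (Android)
#   server.key, server.crt       server private key (0600) and CA-signed leaf cert
#
# SECURITY NOTE: every device that installs ca.crt as a trust anchor will accept
# ANY certificate signed with ca.key, for any hostname. Treat ca.key like a
# password: keep it on this machine only, never commit it, and remove the CA from
# client trust stores when it is no longer needed. pathlen:0 stops the CA from
# issuing sub-CAs but does not limit which names it can sign.
#
# Install CA on clients:
#   Linux:      sudo cp certs/ca.crt /etc/ca-certificates/trust-source/anchors/smesh-dev-ca.crt && sudo update-ca-trust
#   LibreWolf:  about:config → security.enterprise_roots.enabled = true (picks up system store)
#   GrapheneOS: adb push certs/ca.crt /sdcard/Download/smesh-ca.crt
#               then: Settings → Security & privacy → More security & privacy → Encryption & credentials
#               → Install a certificate → CA certificate → select from Downloads
#   Fennec:     about:config → security.enterprise_roots.enabled = true → force-stop & relaunch
#               (reads the CA from the GrapheneOS user trust store installed above)

set -euo pipefail

die() { printf 'gen-lan-certs: %s\n' "$*" >&2; exit 1; }

command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

readonly OUTDIR="${SMESH_CERT_DIR:-certs}"
readonly CA_SUBJ="/CN=Smesh Dev CA"
readonly SRV_SUBJ="/CN=smesh-relay"
readonly DAYS_CA=3650
# 825 days is the longest leaf lifetime Apple platforms accept; keep at or below it.
readonly DAYS_SRV=825

# SANs — edit or override via SMESH_SANS env var (OpenSSL subjectAltName syntax).
readonly SANS="${SMESH_SANS:-DNS:localhost, IP:127.0.0.1, IP:10.0.0.1, IP:192.168.1.1}"

mkdir -p "$OUTDIR"

# ── CA key + self-signed cert ──────────────────────────────────────
if [[ ! -f "$OUTDIR/ca.key" ]]; then
  # Private keys must not be world-readable. openssl honours the umask when it
  # creates the -out file, so a subshell umask yields 0600 with no chmod race
  # window while leaving the public cert files below at the normal umask.
  (umask 077; openssl ecparam -genkey -name prime256v1 -noout -out "$OUTDIR/ca.key")
  openssl req -new -x509 -key "$OUTDIR/ca.key" -sha256 \
    -days "$DAYS_CA" -subj "$CA_SUBJ" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" \
    -out "$OUTDIR/ca.crt"
  # DER copy for Android
  openssl x509 -in "$OUTDIR/ca.crt" -outform DER -out "$OUTDIR/ca.der.crt"
  echo "CA created: $OUTDIR/ca.crt"
else
  # A key without its cert cannot sign; fail with a clear message instead of
  # letting `openssl x509 -req -CA` fail further down.
  [[ -f "$OUTDIR/ca.crt" ]] || die "$OUTDIR/ca.key exists but $OUTDIR/ca.crt is missing; remove the key to regenerate the CA"
  echo "CA exists, reusing: $OUTDIR/ca.key"
fi

# ── Server key + CSR + signed cert ─────────────────────────────────
(umask 077; openssl ecparam -genkey -name prime256v1 -noout -out "$OUTDIR/server.key")
openssl req -new -key "$OUTDIR/server.key" -sha256 \
  -subj "$SRV_SUBJ" -out "$OUTDIR/server.csr"

# Leaf extensions. keyUsage is digitalSignature only: an EC key authenticates
# the TLS handshake with ECDSA and is never used for key encipherment, which
# RFC 5480 §3 forbids for id-ecPublicKey. SKID/AKID let clients chain the leaf
# to the CA unambiguously. $SANS is passed as data, never as a printf format.
openssl x509 -req -in "$OUTDIR/server.csr" \
  -CA "$OUTDIR/ca.crt" -CAkey "$OUTDIR/ca.key" -CAcreateserial \
  -sha256 -days "$DAYS_SRV" \
  -extfile <(printf '%s\n' \
      "subjectAltName=$SANS" \
      "basicConstraints=CA:FALSE" \
      "keyUsage=critical,digitalSignature" \
      "extendedKeyUsage=serverAuth" \
      "subjectKeyIdentifier=hash" \
      "authorityKeyIdentifier=keyid,issuer") \
  -out "$OUTDIR/server.crt"
# The CSR is single-use. Dropping the .srl makes openssl create a fresh serial
# on the next run rather than continuing a counter kept on disk.
rm -f -- "$OUTDIR/server.csr" "$OUTDIR/ca.srl"

echo "Server cert created: $OUTDIR/server.crt"
echo "SANs: $SANS"
# Doubles as a sanity check: under pipefail a cert without a SAN extension
# makes grep fail and the script exit non-zero.
openssl x509 -in "$OUTDIR/server.crt" -noout -text | grep -A1 "Subject Alternative Name"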