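#!/usr/bin/env bash
# Kudos to https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
#
# Create a private root CA, then create and sign a server certificate with it.
# Trust rootCA-crt.pem on your devices and browsers to avoid the security
# warning when using the certificates it signs.
#
# Files written to the current directory:
#   rootCA-key.pem  root CA private key  (keep offline; never copy to servers)
#   rootCA-crt.pem  self-signed root CA certificate (this is what you trust)
#   rootCA-crt.srl  serial-number file created by -CAcreateserial
#   device-key.pem  server private key
#   device-csr.pem  certificate signing request for the server
#   device-crt.pem  server certificate signed by the root CA
#
# Environment:
#   CERT_DOMAIN  domain to issue for (default: *.fomfus.com); a wildcard
#                covers one label level only, not the bare domain itself.
#
# Requires bash: the extension section is passed via process substitution.
set -euo pipefail

# Save the domain name to use in a variable (exported so child processes see it).
export CERT_DOMAIN="${CERT_DOMAIN:-*.fomfus.com}"

# --- Root CA -----------------------------------------------------------------
# Create the private root key. 2048 bits, as in the original recipe.
# The key is written unencrypted; for a CA you intend to keep around, prefer a
# passphrase-protected key (e.g. `openssl genrsa -aes256 ...`), which then also
# requires dropping -nodes below and entering the passphrase when signing.
openssl genrsa -out rootCA-key.pem 2048
# Restrict the key to the owner regardless of umask.
chmod 600 rootCA-key.pem

# Self-sign the CA certificate. Without -subj, openssl prompts for the subject
# fields interactively. -nodes: do not encrypt any key material written here.
openssl req -x509 -new -nodes -key rootCA-key.pem -sha256 -days 1024 -out rootCA-crt.pem

# --- Server certificate -------------------------------------------------------
# Just like with the root CA step, create a private key (different from the
# root CA's) and lock its permissions down.
openssl genrsa -out device-key.pem 2048
chmod 600 device-key.pem

# Generate the certificate signing request into its own file so the CSR is not
# overwritten by (and confused with) the signed certificate.
openssl req -new -key device-key.pem -out device-csr.pem -subj "/CN=${CERT_DOMAIN}"

# Sign the CSR with the CA root key. -extfile only needs the section named by
# -extensions, so no base openssl.cnf is required (the macOS path the original
# concatenated is not needed and is not portable).
# Besides the SAN that modern clients require, mark the cert as an end-entity
# server certificate so it cannot be used as a CA and is accepted for TLS
# server authentication.
openssl x509 -req -in device-csr.pem -CA rootCA-crt.pem -CAkey rootCA-key.pem -CAcreateserial \
  -out device-crt.pem -days 500 -sha256 \
  -extensions SAN \
  -extfile <(printf '[SAN]\nsubjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' "$CERT_DOMAIN")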