[Script] Self-signed HTTPS certificate generation/installation

Hi :wave:

This script lets you generate and install self-signed certificates so that the browser shows no HTTPS errors.

Project’s GitHub page

Important information:

  • You must run this script on a client device, not directly on the router
  • Do not use Windows for this script; in my testing it failed there
  • It can be run in Termux, but running it on native Linux is strongly recommended
Manual generation
#!/bin/bash

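#######################################
# Bundle the generated files for their two destinations.
# Globals:   PASSPHRASE (read) - when non-empty, it is written to passphrase.txt
#            and added to the server archive
# Outputs:   to_device.zip (ca.crt only) and to_server.zip (server.crt,
#            server.key and, if set, passphrase.txt) in the working directory
# Returns:   status of the last zip invocation
#######################################
create_archives() {
    zip to_device.zip ca.crt
    zip to_server.zip server.crt server.key
    if [ -n "$PASSPHRASE" ]; then
        # printf instead of echo: a passphrase such as "-n" or "-e" would be
        # consumed by echo as an option and the file would end up empty.
        # umask 077 inside the subshell makes the file owner-readable only
        # without changing the umask for the rest of the script.
        (umask 077; printf '%s\n' "$PASSPHRASE" > passphrase.txt)
        # NOTE(review): the passphrase ships in the same archive as the key it
        # protects, and passphrase.txt remains on disk after zipping.
        zip to_server.zip passphrase.txt
    fi
}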

#######################################
# Print the post-generation guidance: where each produced file belongs.
# Outputs:   four lines of guidance on stdout
# Returns:   0
#######################################
display_info() {
    local line
    for line in \
        "Additional Information:" \
        "1. Import 'ca.crt' from 'to_device.zip' to your device to trust the CA." \
        "2. Use 'server.crt' and 'server.key' from 'to_server.zip' for server configuration." \
        "3. If a passphrase was set, use 'passphrase.txt' from 'to_server.zip' for the server key."; do
        printf '%s\n' "$line"
    done
}

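# Key generation.  Loop until a valid answer is given; EOF on stdin (a
# non-interactive run) aborts instead of spinning forever on an empty answer.
while true; do
    read -r -p "Do you want to set up passphrase protection (y/n)? " passphrase_protect || exit 1
    if [ "$passphrase_protect" = "y" ]; then
        # -r keeps backslashes in the passphrase literal; -s hides the typing.
        read -r -s -p "Enter passphrase: " PASSPHRASE || exit 1
        echo
        read -r -s -p "Confirm passphrase: " PASSPHRASE_CONFIRM || exit 1
        echo
        if [ "$PASSPHRASE" = "$PASSPHRASE_CONFIRM" ]; then
            # Hand the passphrase to openssl via the environment of that one
            # process (env:NAME) rather than pass:..., which would put it on the
            # command line where any local user can read it from the process list.
            PASSPHRASE="$PASSPHRASE" openssl genrsa -aes256 -passout env:PASSPHRASE -out ca.key 2048 || exit 1
            PASSPHRASE="$PASSPHRASE" openssl genrsa -aes256 -passout env:PASSPHRASE -out server.key 2048 || exit 1
            break
        else
            echo "Passphrases do not match. Try again."
        fi
    elif [ "$passphrase_protect" = "n" ]; then
        openssl genrsa -out ca.key 2048 || exit 1
        openssl genrsa -out server.key 2048 || exit 1
        break
    else
        echo "Invalid option. Try again."
    fi
done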

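# Certificate validity period in days.  A custom value is checked to be a
# positive whole number because it goes straight into openssl's -days option;
# EOF on stdin aborts instead of looping forever.
while true; do
    read -r -p "Set certificate expiry days (default (d) or custom (c))? " expiry_option || exit 1
    if [ "$expiry_option" = "d" ]; then
        CERT_VALIDITY=3650
        break
    elif [ "$expiry_option" = "c" ]; then
        read -r -p "Enter custom expiry days: " CERT_VALIDITY || exit 1
        case "$CERT_VALIDITY" in
            ''|*[!0-9]*)
                echo "Expiry must be a whole number of days. Try again." ;;
            *)
                # Digits only at this point, so the numeric test is safe.
                if [ "$CERT_VALIDITY" -gt 0 ]; then
                    break
                fi
                echo "Expiry must be at least 1 day. Try again." ;;
        esac
    else
        echo "Invalid option. Try again."
    fi
done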

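# Issue the CA certificate, then a server certificate signed by it.  Every step
# is checked so that a failure is not followed by the success message below.
# If ca.key was encrypted above, openssl prompts for its passphrase here.
openssl req -x509 -new -nodes -key ca.key -sha256 -days "$CERT_VALIDITY" -out ca.crt || exit 1

# Interactive prompts fill in the server certificate's subject.
# NOTE(review): no subjectAltName is requested anywhere in this script;
# browsers that ignore the CN may still reject the certificate — confirm.
openssl req -new -key server.key -out server.csr || exit 1

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days "$CERT_VALIDITY" -sha256 || exit 1

# Show the resulting certificate so the operator can review subject and dates.
openssl x509 -in server.crt -text -noout

echo "Self-signed certificate created successfully!"

create_archives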

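# Optionally print the post-install guidance.  The certificates already exist
# at this point, so EOF on stdin simply ends the prompt instead of looping.
while true; do
    read -r -p "Do you want to know additional information (y/n)? " info_option || break
    case "$info_option" in
        y) display_info; break ;;
        n) break ;;
        *) echo "Invalid option. Try again." ;;
    esac
done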

Automated installation
#!/bin/bash

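# NOTE(review): the remote command below expects nginx.crt/nginx.key in root's
# login directory on the router, yet nothing in this script produces files with
# that name or copies anything to the router; the transfer step appears to be
# missing — confirm against the source thread.

# The server gets its own key.  The original signed a CSR made from ca.key,
# which would have bound the server certificate to the CA's private key and
# required that key to be deployed on the router.
openssl genrsa -out ca.key 2048 || exit 1
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt || exit 1
openssl genrsa -out server.key 2048 || exit 1
openssl req -new -key server.key -out server.csr || exit 1
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 || exit 1

# -r keeps backslashes in the password literal; EOF on stdin aborts.
read -r -sp "Enter the router's SSH password: " ROUTER_PASSWORD || exit 1
echo

read -r -p "Default IP is 192.168.8.1. Press 'd' if you want to use the default IP, or 'c' if you have a custom one." USER_CHOICE || exit 1

case "$USER_CHOICE" in
    d) ROUTER_IP=192.168.8.1;;
    c) read -r -p "Enter custom IP for the router: " ROUTER_IP || exit 1;;
    *) echo "Invalid option. Exiting..."; exit 1;;
esac

# The password reaches sshpass through the environment of that single process
# (-e reads SSHPASS) instead of -p, which would expose it to every local user
# via the process list.  A failed remote step aborts so the closing success
# message is not printed over an error.
SSHPASS="$ROUTER_PASSWORD" sshpass -e ssh "root@$ROUTER_IP" "if [ -d /etc/nginx ]; then rm /etc/nginx/nginx.*; fi && mkdir -p /etc/nginx && mv nginx.* /etc/nginx/" || exit 1

echo "Generated CA certificate located at ./ca.crt. Remember to install it on devices."
echo "You should remove CA file from device after installation for your safety (not mandatory, but recommended)"

read -r -p "If installation with this option did not work, try 'y'. For most cases, not recommended. (y/n)" UTIL_OPTION || exit 1

if [ "$UTIL_OPTION" == "y" ]; then
    SSHPASS="$ROUTER_PASSWORD" sshpass -e ssh "root@$ROUTER_IP" "nginx-util add_ssl _lan --cert=/etc/nginx/nginx.crt --key=/etc/nginx/nginx.key" || exit 1
else
    echo "Skipping 'nginx-util' step."
fi

echo "Certificates have been installed and configured on the OpenWRT router."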

Hope this will help!

Copyright
I allow copying and modifying this script, and including it in any guides, manuals or tutorials. But please don’t forget to post a link to this thread.
