Generate your own CA and client/server certificates in a jiffy, valid for 10 years.
Usage:
## generate a CA and a couple of certs
$ make all EXTENSIONS=
## you can specify arbitrary crt or p12 targets
## file basename serves as CN
$ make laptop.p12 # if not prefixed with "server", enables -extension ssl_client
$ make server42.p12
## note that p12 exports have the password "123"
The repository also contains sample Mikrotik RouterOS-compatible OpenVPN configs:
sudo openvpn openvpn-server1.conf
# use --redirect-gateway if you want default routes to be reset
sudo openvpn --config openvpn-client1.conf --redirect-gateway autolocal
make localhost.p12 ALT_NAMES=DNS:localhost,DNS:www.localhost,DNS:mx.localhost,DNS:xmpp.localhost CLIENT_EXTENSIONS=
~/openssl-make-ca% openssl x509 -in localhost.crt -text | grep -A1 Alternative
X509v3 Subject Alternative Name:
DNS:localhost, DNS:www.localhost, DNS:mx.localhost, DNS:xmpp.localhost
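A scripted version of the SAN check above that also verifies the chain against the CA, as an added example that is not part of this project. The function names `san_list`, `check_cert` and `make_demo_pki` are hypothetical, and `make_demo_pki` builds a constructed throwaway CA and leaf with plain openssl rather than the Makefile.

```shell
# Added example, not part of openssl-make-ca; function names are hypothetical.

# san_list CERT: print one SAN entry per line, e.g. "DNS:localhost".
san_list() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# check_cert CA CERT NAME...: succeed only if CERT chains to CA and every
# NAME appears literally as a DNS SAN (exact match, no wildcard expansion).
check_cert() {
    ca=$1 cert=$2; shift 2
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; return 1
    fi
    sans=$(san_list "$cert")
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "DNS:$name"; then
            echo "FAIL: $cert has no SAN for $name"; return 1
        fi
    done
    echo "OK: $cert"
}

# make_demo_pki DIR: constructed throwaway CA and leaf, built with plain
# openssl (an assumption for offline use, not how the Makefile does it).
make_demo_pki() {
    d=$1; mkdir -p "$d"
    printf 'subjectAltName=DNS:localhost,DNS:www.localhost\n' > "$d/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=localhost' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" \
        -out "$d/leaf.crt" 2>/dev/null
}

# Against the files from the page:
#   check_cert ca/ca.crt localhost.crt localhost www.localhost mx.localhost xmpp.localhost
```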
To test, you can start a local HTTPS server (requires Erlang):
erl -boot start_sasl -eval 'compile:file(httpsd), code:load_file(httpsd), httpsd:start().' -certfile localhost.crt -keyfile localhost.key -cacertfile ca/ca.crt
curl -v --cacert ca/ca.crt https://localhost:8080/README.md
curl -v -4 --resolve www.localhost:8080:127.0.0.1 --cacert ca/ca.crt https://www.localhost:8080/README.md