Master HTTPS Certificate Creation: From CA Basics to Automated Shell Scripts

Chapter 1: HTTPS Certificate Core Processes

The HTTPS certificate lifecycle consists of four stages: (1) CA certificate distribution, (2) domain certificate request, (3) certificate validation, and (4) communication data encryption.

Stage 1 – CA Certificate Distribution

Typical steps performed by a CA vendor:

Generate a private key (e.g., ca.key) using RSA.

Create a certificate signing request ( ca.csr) that contains organization information and the public key.

Issue a self‑signed CA certificate ( ca.crt) with the private key and CSR.

Pass compliance audits (WebTrust, ETSI, CPS, etc.).

Submit the root and intermediate certificates to software vendors.

Vendors embed the CA certificate into operating systems or browsers.

Trusted store locations:

# Linux system trust store paths
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
# Windows root certificate store
certlm.msc
# macOS keychain
/System/Library/Keychains/SystemRootCertificates.keychain

Stage 2 – Domain Certificate Request

Operations staff create a private key for the domain ( company.key), generate a CSR ( domain.csr), submit it to the CA, receive the signed domain certificate ( domain.crt), and configure both files on the web server (e.g., Nginx):

server {
    listen 443 ssl;
    server_name www.test.com;
    ssl_certificate /data/pki/domain.crt;
    ssl_certificate_key /data/pki/company.key;
}

Stage 3 – Certificate Validation

When a client connects, the browser validates the received domain.crt against the trusted CA root:

Verify the certificate chain up to a trusted root.

Check the digital signature using the issuer’s public key.

Confirm certificate fields (domain name, validity period, usage).

Query revocation status via CRL or OCSP.

Stage 4 – Communication Data Encryption

The TLS handshake creates a shared symmetric key:

The browser generates a random pre‑master secret, encrypts it with the server’s public key, and sends it to the server.

The server decrypts the pre‑master secret with its private key.

Both sides derive the same symmetric key (e.g., AES) from the pre‑master secret and exchanged random values.

All subsequent traffic is encrypted with this symmetric key.

Chapter 2: Building a Self‑Signed CA with OpenSSL

Generate the CA private key:

openssl genrsa -out ca/ca.key 2048

Create the CA CSR:

openssl req -new -key ca/ca.key \
    -subj "/C=CN/ST=ZJ/L=HZ/O=testca.com/OU=testca/CN=testca.com/[email protected]" \
    -out ca/ca.csr

Self‑sign the CA certificate (valid for 100 years):

openssl x509 -req -in ca/ca.csr -signkey ca/ca.key -out ca/ca.crt -days 36500

Note: Protect the CA private key; a leak would compromise the entire trust chain.

Chapter 3: Issuing a Wildcard Domain Certificate

Create a domain private key and optional public key:

openssl genrsa -out ${DOMAIN}/${DOMAIN}.key 2048
openssl rsa -in ${DOMAIN}/${DOMAIN}.key -pubout -out ${DOMAIN}/${DOMAIN}.pem

Generate a CSR that includes a wildcard Subject Alternative Name:

openssl req -new -key ${DOMAIN}/${DOMAIN}.key \
    -subj "/C=CN/ST=ZJ/L=HZ/O=test.com/OU=test/CN=*.${DOMAIN}/[email protected]" \
    -addext "subjectAltName = DNS:*.${DOMAIN}, DNS:${DOMAIN}" \
    -out ${DOMAIN}/${DOMAIN}.csr

Sign the CSR with the previously created CA:

openssl x509 -req -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
    -in ${DOMAIN}/${DOMAIN}.csr -out ${DOMAIN}/${DOMAIN}.crt -days 36500

Inspect the resulting certificate:

openssl x509 -in ${DOMAIN}/${DOMAIN}.crt -noout -text

Chapter 4: Automated Certificate Generation Shell Script

The following make_https_crt.sh script automates the entire process. Save it as make_https_crt.sh, make it executable, and run ./make_https_crt.sh example.com:

#!/bin/bash
set -e

echo "Usage: $0 [domain]"

echo "1. Create CA certificate, then domain certificate"

echo "2. Files are created under the script directory"

echo "3. Certificates are valid for 100 years"

cd "$(dirname $0)"

DOMAIN=$1
if [ -z "$DOMAIN" ]; then
    read -p "Enter domain name: " DOMAIN
fi

echo "Domain: $DOMAIN (wildcard *.$DOMAIN will be issued)"

if ! command -v openssl >/dev/null 2>&1; then
    echo "OpenSSL not found, please install it"
    exit 1
fi

make_ca() {
    if [ -f ca/ca.crt ]; then
        echo "CA certificate already exists, skipping"
        return
    fi
    mkdir -p ca
    echo "(1/3) Generating CA private key"
    openssl genrsa -out ca/ca.key 2048
    echo "(2/3) Generating CA CSR"
    openssl req -new -key ca/ca.key \
        -subj "/C=CN/ST=ZJ/L=HZ/O=testca.com/OU=testca/CN=testca.com/[email protected]" \
        -out ca/ca.csr
    echo "(3/3) Self‑signing CA certificate"
    openssl x509 -req -in ca/ca.csr -signkey ca/ca.key -out ca/ca.crt -days 36500
    echo "CA created: $(pwd)/ca/ca.crt"
}

make_crt() {
    if [ -d "$DOMAIN" ]; then
        echo "Certificate directory already exists, aborting"
        return
    fi
    mkdir -p "$DOMAIN"
    echo "(1/3) Generating domain private key"
    openssl genrsa -out ${DOMAIN}/${DOMAIN}.key 2048
    openssl rsa -in ${DOMAIN}/${DOMAIN}.key -pubout -out ${DOMAIN}/${DOMAIN}.pem
    echo "(2/3) Generating domain CSR with wildcard SAN"
    openssl req -new -key ${DOMAIN}/${DOMAIN}.key \
        -subj "/C=CN/ST=ZJ/L=HZ/O=test.com/OU=test/CN=*.${DOMAIN}/[email protected]" \
        -addext "subjectAltName = DNS:*.${DOMAIN}, DNS:${DOMAIN}" \
        -out ${DOMAIN}/${DOMAIN}.csr
    echo "(3/3) Signing domain certificate with CA"
    openssl x509 -req -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
        -in ${DOMAIN}/${DOMAIN}.csr -out ${DOMAIN}/${DOMAIN}.crt -days 36500
    echo "Domain certificate created: $(pwd)/${DOMAIN}/${DOMAIN}.crt"
}

show_crt() {
    echo "--- Certificate Details ---"
    openssl x509 -in ${DOMAIN}/${DOMAIN}.crt -noout -text
}

make_ca
make_crt
show_crt

This script mirrors the manual steps described in the previous chapters, automatically handling CA creation, domain key/CSR generation, signing, and displaying the final certificate.