Generate CA config so firefox doesn't complain

basic_configs/ssl/CA.cnf.base

@@ -0,0 +1,16 @@
+[ req ]
+prompt = no
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+C = ${CA_COUNTRYCODE}
+ST = ${CA_STATEORTERRITORY}
+L = ${CA_LOCATION}
+O = ${CA_ORGNAME}
+
+[v3_ca]
+subjectKeyIdentifier = hash
+basicConstraints = critical,CA:TRUE
+keyUsage = cRLSign, keyCertSign
+nameConstraints = permitted;DNS:272254864.xyz

basic_configs/ssl/gen.fish

@@ -1,9 +1,17 @@
 #!/usr/bin/fish
 
-openssl genrsa -out key.pem 2048
+# setup vars
+envsubst <CA.cnf.base >CA.cnf
 
-openssl req -new -out server.csr -key key.pem -config local_cert.cnf
+# gen CA Root
+openssl genpkey -algorithm RSA -out self_ca.key -pkeyopt rsa_keygen_bits:4096
+openssl req -new -key self_ca.key -out ca.csr -extensions v3_ca -config CA.cnf
+openssl x509 -req -sha256 -days 365 -in ca.csr -signkey self_ca.key -extfile CA.cnf -out self_ca.crt -extensions v3_ca
 
-openssl x509 -req -days 9999 -in server.csr -signkey key.pem -out cert.pem -extensions v3_req -extfile local_cert.cnf
+# gen cert
+openssl genpkey -algorithm RSA -out local.key -pkeyopt rsa_keygen_bits:2048
+openssl req -new -key local.key -extensions v3_ca -out local.csr -config local_cert.cnf
+openssl x509 -req -sha256 -days 365 -in local.csr -CAkey self_ca.key -CA self_ca.crt -out local.crt -extfile local_cert.cnf -extensions v3_ca
 
-rm server.csr
+# cleanup
+rm self_ca.key ca.csr local.csr CA.cnf