# TLS/SSL cert recipes.

I guess I'll put this into Makefile format.
partially stolen from my letsencrypt repo.

=> //git.thebackupbox.net/letsencrypt

you'll want to replace my domain with your own domain. and if you use the acme-tiny part, you'll want to change the acme-dir to your own.

## to make a new key

```
# 4096-bit RSA private key, written without a passphrase
keys/%.key.pem:
	openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out $@
```

## to make self-signed certs with pre-existing keys

```
# $< is the key, $@ is the cert; openssl prompts for the subject fields
self-signed/%.crt: keys/%.key.pem
	openssl req -x509 -key $< -out $@ -sha256 -days 365
```

these first two things should be all that you need for gemini. if you are interested in also getting your cert signed...

## to make a new cert signing request

this line has a bit of extra stuff that goes with it...
the config file contains sections where I put subjectAltName like:

```
[_https]
subjectAltName=DNS:git.thebackupbox.net,DNS:www.thebackupbox.net
```

```
# $* is the pattern stem, so csr/https.csr reads the [_https] section
csr/%.csr: keys/%.key.pem
	openssl req -new -sha256 -key $< -subj "/CN=thebackupbox.net" -reqexts _$* -config openssl.cnf > $@
```

## to get acme-tiny to get our csr signed.

```
# write to a temp file first so a failed run never leaves a broken cert, and exit non-zero so make sees the failure
LE-signed/%.crt: csr/%.csr
	./acme-tiny/acme_tiny.py --account-key keys/.account.key.pem --csr $< --acme-dir /var/www/sites/hacking/.well-known/acme-challenge > $@.tmp \
		&& mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }
```
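
the csr recipe picks its extension section from the pattern stem (`-reqexts _$*`), so a wrong or incomplete SAN list only shows up once the signed cert fails to match a hostname. this is an added example, not from the original page or the letsencrypt repo: it checks a CSR's SAN list and key before the CSR goes to the CA. the `example.org` names, the 2048-bit throwaway key and the helper function names are all made up for the demo.

```sh
#!/bin/sh
# added example: all names, paths and helper functions here are constructed.

# print the DNS names in a CSR's subjectAltName, sorted and comma-joined
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p' | sort | paste -sd, -
}

# succeed only if the CSR was made from this private key
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_csr CSR KEY EXPECTED: key matches and the SAN list is exactly EXPECTED
check_csr() {
    csr_matches_key "$1" "$2" && [ "$(csr_sans "$1")" = "$3" ]
}

# make_sample_csr DIR STEM SANS: throwaway key, openssl.cnf and CSR, built
# the same way as the csr/%.csr recipe (2048 bits only to keep the demo fast)
make_sample_csr() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n[_%s]\nsubjectAltName=%s\n' \
        "$2" "$3" > "$1/openssl.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key.pem" 2>/dev/null
    openssl req -new -sha256 -key "$1/$2.key.pem" -subj "/CN=example.org" \
        -reqexts "_$2" -config "$1/openssl.cnf" > "$1/$2.csr"
}

# demo: the SAN order in the config does not matter, a missing name does
tmp=$(mktemp -d)
make_sample_csr "$tmp" https "DNS:www.example.org,DNS:git.example.org"
check_csr "$tmp/https.csr" "$tmp/https.key.pem" "git.example.org,www.example.org" \
    && echo "csr ok: $(csr_sans "$tmp/https.csr")"
check_csr "$tmp/https.csr" "$tmp/https.key.pem" "git.example.org" \
    || echo "csr rejected: SAN list differs from what was expected"
rm -rf "$tmp"
```
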