Document generating & trusting a root cert on OS/X

Mahoney · Mahoney · commit 396e4c870775 · 2020-06-15T17:51:20.000+01:00
diff --git a/docs-v2/_docs/proxying.md b/docs-v2/_docs/proxying.md
@@ -169,9 +169,14 @@ A few caveats:
   add it to your trusted certs then anyone getting hold of it could potentially
   get access to any service you use on the web.
 
-TODO: Document how to generate such a keystore, and how to trust its
-certificate, on Linux, OS/X & Windows.
-
+> See [this script](https://github.com/tomakehurst/wiremock/blob/master/scripts/create-ca-cert.sh)
+> for an example of how to build a valid self-signed root certificate called
+> ca-cert.crt already imported into a keystore called ca-cert.jks.
+> 
+> On OS/X it can be trusted by dragging ca-cert.crt onto Keychain Access,
+> double clicking on the certificate and setting SSL to "always trust".
+>
+> Please raise PRs to add documentation for other platforms.
 
 Proxying of HTTPS traffic when the proxy endpoint is also HTTPS is problematic;
 Postman seems not to cope with an HTTPS proxy even to proxy HTTP traffic. Older
diff --git a/scripts/ca-cert.conf b/scripts/ca-cert.conf
@@ -0,0 +1,19 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+default_days = 36525
+
+[req_distinguished_name]
+C = GB
+ST = London
+O = WireMock
+CN = WireMock Local Self Signed Root Certificate
+
+[v3_ca]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+basicConstraints            = critical, CA:TRUE
+keyUsage = critical, keyCertSign, cRLSign
diff --git a/scripts/create-ca-keystore.sh b/scripts/create-ca-keystore.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+read -r -s -p "Please enter a password for the key & keystore (default: password):" PASSWORD
+PASSWORD=${PASSWORD:=password}
+openssl req -x509 -newkey rsa:2048 -utf8 -days 3650 -nodes -config ca-cert.conf -keyout ca-cert.key -out ca-cert.crt
+openssl pkcs12 -export -inkey ca-cert.key -in ca-cert.crt -out ca-cert.p12 -password "pass:$PASSWORD"
+keytool -importkeystore -deststorepass "$PASSWORD" -destkeypass "$PASSWORD" -srckeystore ca-cert.p12 -srcstorepass "$PASSWORD" -deststoretype jks -destkeystore ca-cert.jks
+rm ca-cert.key ca-cert.p12
