Use two-tier CA signing for browser-trustable certificates

devin-ai-integration[bot] · ryoluo · devin-ai-integration[bot] · commit 372c030eca25 · 2026-02-21T10:24:18.000Z
Co-Authored-By: Ryo Kobayashi &lt;cuba6vst@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -31,6 +31,28 @@ php artisan sail-ssl:install
 
 After containers started, you can access https://localhost.
 
+## Trust the certificate (optional)
+
+The plugin generates a local Root CA certificate to sign the server certificate.
+You can import the Root CA into your browser to remove the security warning.
+
+### 1. Copy the Root CA certificate to your host machine:
+
+```sh
+./vendor/bin/sail cp nginx:/etc/nginx/certs/root-ca.crt .
+```
+
+### 2. Import the certificate:
+
+-   **Chrome**: Settings > Privacy and Security > Security > Manage certificates > Authorities > Import
+-   **Firefox**: Settings > Privacy & Security > Security > View Certificates > Authorities > Import
+-   **macOS**: Double-click the `root-ca.crt` file to open Keychain Access, then set "Always Trust"
+
+> **Note:** If you change `SSL_DOMAIN` or `SSL_ALT_NAME`, remove the Docker volume `sail-nginx` to regenerate certificates:
+> ```sh
+> docker volume rm sail-nginx
+> ```
+
 ## Environment variables
 
 -   `SERVER_NAME`
diff --git a/nginx/generate-ssl-cert.sh b/nginx/generate-ssl-cert.sh
@@ -1,20 +1,38 @@
 #!/bin/sh
 
 ME=$(basename $0)
-KEY=/etc/nginx/certs/server.key
-CERT=/etc/nginx/certs/server.pem
+CERTS_DIR=/etc/nginx/certs
+ROOT_KEY=$CERTS_DIR/root-ca.key
+ROOT_CERT=$CERTS_DIR/root-ca.crt
+KEY=$CERTS_DIR/server.key
+CERT=$CERTS_DIR/server.pem
+CSR=$CERTS_DIR/server.csr
+EXT_FILE=$CERTS_DIR/server-ext.cnf
 CN=$SSL_DOMAIN
 SAN=$SSL_ALT_NAME
 
 if [ -f $KEY ] && [ -f $CERT ]; then
     echo "$ME: Server certificate already exists, do nothing."
 else
-    if [ -n "$SAN" ]; then
-        openssl req -x509 -newkey rsa:2048 -keyout $KEY \
-            -out $CERT -sha256 -days 3650 -nodes -subj "/CN=$CN" -addext "subjectAltName = $SAN"
-    else
-        openssl req -x509 -newkey rsa:2048 -keyout $KEY \
-            -out $CERT -sha256 -days 3650 -nodes -subj "/CN=$CN"
-    fi
-    echo "$ME: Server certificate has been generated."
+    openssl req -x509 -newkey rsa:2048 -keyout $ROOT_KEY -out $ROOT_CERT \
+        -sha256 -days 3650 -nodes -subj "/CN=$CN Root CA"
+
+    openssl req -newkey rsa:2048 -keyout $KEY -out $CSR \
+        -nodes -subj "/CN=$CN"
+
+    {
+        echo "basicConstraints = CA:FALSE"
+        echo "keyUsage = digitalSignature, keyEncipherment"
+        echo "extendedKeyUsage = serverAuth"
+        if [ -n "$SAN" ]; then
+            echo "subjectAltName = $SAN"
+        fi
+    } > $EXT_FILE
+
+    openssl x509 -req -in $CSR -CA $ROOT_CERT -CAkey $ROOT_KEY \
+        -CAcreateserial -out $CERT -sha256 -days 3650 -extfile $EXT_FILE
+
+    rm -f $CSR $EXT_FILE $CERTS_DIR/root-ca.srl
+    echo "$ME: Root CA and server certificate have been generated."
+    echo "$ME: Import $ROOT_CERT into your browser to trust the certificate."
 fi
