I found myself having to generate certificates for a Localstack instance, several times (because I forgot the syntax and they got overwritten); eventually I gave up and wrote this shell script to do it.

The script uses the excellent mkcert, by Filippo Valsorda.

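#!/bin/sh
# Generate a mkcert-issued TLS certificate for a Localstack instance and
# write the combined PEM files Localstack reads into LOCALSTACK_ROOT.
#
# Depends on mkcert, https://mkcert.dev
#
# Usage: <script> <host> [more hosts...]   (no arguments or -h prints help)
#
# Environment:
#   LOCALSTACK_ROOT  directory the server.test.pem* files are written to
#   HOST_IP          main IP address to put in the certificate
#
# Files written:
#   ./local-cert-only.pem, ./local-cert-only.key  mkcert output (current dir)
#   $LOCALSTACK_ROOT/server.test.pem       private key + cert + root CA cert
#   $LOCALSTACK_ROOT/server.test.pem.crt   cert + root CA cert
#   $LOCALSTACK_ROOT/server.test.pem.key   private key only
#
# Only the public rootCA.pem is read from the mkcert CA directory. The CA's
# private key in that directory is not needed here and must not be copied
# next to these files: anyone holding it can mint certificates this machine
# trusts.

# Stop at the first failure so a failed mkcert run or an unwritable target
# never ends with "Done." and a stale or truncated key/cert bundle.
set -eu

LOCAL_CERT=local-cert-only.pem
LOCAL_KEY=local-cert-only.key

# POSIX test: "=" rather than "==", and "||" rather than the obsolescent
# "-o", so the script really runs under /bin/sh (dash rejects "==").
if [ $# -eq 0 ] || [ "$1" = "-h" ]; then
  echo "Usage: $0 [extra hosts]"
  echo
  echo "LOCALSTACK_ROOT (if set) says where the server.test.pem files are written"
  echo "HOST_IP (if set) says the main IP to generate for."
  exit 0
fi

if ! command -v mkcert >/dev/null 2>&1; then
  echo "mkcert not found on PATH (see https://mkcert.dev)" >&2
  exit 1
fi

# Resolved after the usage check so "-h" works without mkcert installed.
ca_dir=$(mkcert -CAROOT)
ROOTCA_CERT="$ca_dir/rootCA.pem"

if [ -z "${LOCALSTACK_ROOT:-}" ]; then
  # NOTE(review): this default looks like a per-user macOS temp directory from
  # the author's machine; set LOCALSTACK_ROOT explicitly anywhere else.
  export LOCALSTACK_ROOT=/private/var/folders/0w/y07kv5w15wb02d7jfwrz8zrm0000gn/T/localstack/
fi
echo "Localstack root: $LOCALSTACK_ROOT"
if [ ! -d "$LOCALSTACK_ROOT" ]; then
  echo "LOCALSTACK_ROOT is not a directory: $LOCALSTACK_ROOT" >&2
  exit 1
fi
# Drop one trailing slash so the paths below do not contain "//".
out_dir=${LOCALSTACK_ROOT%/}

if [ -z "${HOST_IP:-}" ]; then
  HOST_IP=192.168.0.200
  echo "Defaulting to host IP $HOST_IP"
fi
echo "Making cert for $HOST_IP localhost $*"

# Every name is passed as its own quoted argument: an unquoted host list would
# let the shell glob-expand a wildcard name such as *.example.test against
# files in the current directory. "--" ends mkcert's option parsing, so a
# value beginning with "-" is treated as a name, not a flag.
mkcert -cert-file "$LOCAL_CERT" -key-file "$LOCAL_KEY" -- "$HOST_IP" localhost "$@"

if [ ! -r "$ROOTCA_CERT" ]; then
  echo "Root CA certificate not readable: $ROOTCA_CERT" >&2
  exit 1
fi

# Files that contain the private key are created under umask 077 and then
# forced to mode 600, because ">" keeps the old mode of a file that already
# exists. If Localstack runs under a different account, change the files'
# ownership rather than loosening the mode.
echo "Making $out_dir/server.test.pem"
(
  umask 077
  cat "$LOCAL_KEY" "$LOCAL_CERT" "$ROOTCA_CERT" > "$out_dir/server.test.pem"
  chmod 600 "$out_dir/server.test.pem"
)

# Certificate chain only: nothing secret, so the default umask applies.
echo "Making $out_dir/server.test.pem.crt"
cat "$LOCAL_CERT" "$ROOTCA_CERT" > "$out_dir/server.test.pem.crt"

echo "Making $out_dir/server.test.pem.key"
(
  umask 077
  cat "$LOCAL_KEY" > "$out_dir/server.test.pem.key"
  chmod 600 "$out_dir/server.test.pem.key"
)
echo "Done."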