-
Notifications
You must be signed in to change notification settings - Fork 0
/
openssl-generate-certificates
executable file
·183 lines (152 loc) · 5.2 KB
/
openssl-generate-certificates
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
#!/usr/bin/env bash
set -e
readonly ARGS="$@"
usage() {
local file=`basename "$0"`
cat <<-EOF
./${file} -h hostname [-i ip] [-j subject] [-p prefix] [-s password] [-v|--verbose]
Options:
-h hostname, specify hostname or ip of server
--host hostname
-i ip, specify an ip to bind to hostname
--ip ip
-j subject, specify the certificate subject string
--subject subject
-p prefix, specify a prefix for output files
--prefix prefix
-s password, specify the password to use for the ca certificate
--secret password
-v, print verbose output
--verbose
EOF
}
parseArgs() {
local arg
# translate --long-options into short options
for arg
do
case "$arg" in
--subject) args="${args}-j " ;;
--host) args="${args}-h " ;;
--ip) args="${args}-i " ;;
--prefix) args="${args}-p " ;;
--secret) args="${args}-s " ;;
--verbose) args="${args}-v " ;;
*) args="${args} ${arg} " ;;
esac
done
eval set -- $args
echo $args
local host
local prefix
local ips=()
local verbose=1
local secret
local subject
while getopts "c:h:i:j:p:s:v" OPTION;
do
case $OPTION in
h)
host="$OPTARG"
;;
i)
ips+=("$OPTARG")
;;
j)
subject="$OPTARG"
;;
p)
prefix="$OPTARG-"
;;
s)
secret="$OPTARG"
;;
v)
verbose=0
;;
*)
usage
exit 1
;;
esac
done
if [ -z ${host} ]; then
echo "Missing required parameter --host" >&2
usage
exit 2
fi
if [ ${#ips[@]} = 0 ]; then
ips=('127.0.0.1')
fi
readonly HOST=${host}
readonly IPS=${ips[@]}
readonly PREFIX=${prefix}
readonly VERBOSE=${verbose}
readonly PASSWORD=${secret}
readonly SUBJECT=${subject}
generateCertificates
}
generateCertificates() {
if [ ${VERBOSE} -eq 0 ]; then
echo "host: ${HOST}"
echo "ips: ${IPS[@]}"
echo "prefix: ${PREFIX}"
echo "password: ${PASSWORD}"
echo "subject: ${SUBJECT}"
echo 'Generating CA key'
fi
local ca_genrsa_opts="-aes256 -out ${PREFIX}ca-key.pem"
if [ -n ${PASSWORD} ]; then
ca_genrsa_opts="-passout pass:${PASSWORD} ${ca_genrsa_opts}"
fi
echo "${ca_genrsa_opts}"
openssl genrsa ${ca_genrsa_opts} 4096
[ ${VERBOSE} -eq 0 ] && echo 'Generating CA certificate'
local ca_req_opts="-new -x509 -days 365 -key ${PREFIX}ca-key.pem -sha256 -out ${PREFIX}ca-cert.pem"
if [ -n ${PASSWORD} ]; then
ca_req_opts="-passin pass:${PASSWORD} ${ca_req_opts}"
fi
if [ -n ${SUBJECT} ]; then
ca_req_opts="-subj ${SUBJECT} ${ca_req_opts}"
fi
openssl req ${ca_req_opts}
[ ${VERBOSE} -eq 0 ] && echo 'Generating server key'
openssl genrsa -out ${PREFIX}server-key.pem 4096
[ ${VERBOSE} -eq 0 ] && echo 'Generating server certificate signing request'
openssl req -subj "/CN=${host}" -sha256 -new -key ${PREFIX}server-key.pem -out ${PREFIX}server.csr
[ ${VERBOSE} -eq 0 ] && echo 'Generating server extension file'
local altNames="DNS:${HOST}"
for ip in ${ips[@]}; do
altNames="${altNames},IP:${ip}"
done
echo "subjectAltName = ${altNames}" >> ${PREFIX}server-extfile.cnf
echo 'extendedKeyUsage = serverAuth' >> ${PREFIX}server-extfile.cnf
[ ${VERBOSE} -eq 0 ] && echo 'Signing server certificate'
if [ -z ${PASSWORD} ]; then
openssl x509 -req -days 365 -sha256 -in ${PREFIX}server.csr -CA ${PREFIX}ca-cert.pem -CAkey ${PREFIX}ca-key.pem \
-CAcreateserial -out ${PREFIX}server-cert.pem -extfile ${PREFIX}server-extfile.cnf
else
openssl x509 -req -days 365 -sha256 -in ${PREFIX}server.csr -CA ${PREFIX}ca-cert.pem -CAkey ${PREFIX}ca-key.pem \
-CAcreateserial -out ${PREFIX}server-cert.pem -extfile ${PREFIX}server-extfile.cnf -passin pass:${PASSWORD}
fi
[ ${VERBOSE} -eq 0 ] && echo 'Generating client key'
openssl genrsa -out ${PREFIX}client-key.pem 4096
[ ${VERBOSE} -eq 0 ] && echo 'Generating client certificate signing request'
openssl req -subj '/CN=client' -new -key ${PREFIX}client-key.pem -out ${PREFIX}client.csr
[ ${VERBOSE} -eq 0 ] && echo 'Generating client extensions file'
echo 'extendedKeyUsage = clientAuth' >> ${PREFIX}client-extfile.cnf
[ ${VERBOSE} -eq 0 ] && echo 'Signing client certificate'
if [ -z ${PASSWORD} ]; then
openssl x509 -req -days 365 -sha256 -in ${PREFIX}client.csr -CA ${PREFIX}ca-cert.pem -CAkey ${PREFIX}ca-key.pem \
-CAcreateserial -out ${PREFIX}client-cert.pem -extfile ${PREFIX}client-extfile.cnf
else
openssl x509 -req -days 365 -sha256 -in ${PREFIX}client.csr -CA ${PREFIX}ca-cert.pem -CAkey ${PREFIX}ca-key.pem \
-CAcreateserial -out ${PREFIX}client-cert.pem -extfile ${PREFIX}client-extfile.cnf -passin pass:${PASSWORD}
fi
[ ${VERBOSE} -eq 0 ] && echo 'Removing signing requests'
rm ${PREFIX}server.csr ${PREFIX}client.csr
[ ${VERBOSE} -eq 0 ] && echo 'Fixing filemodes'
chmod -v 0400 ${PREFIX}ca-key.pem ${PREFIX}client-key.pem ${PREFIX}server-key.pem
chmod -v 0444 ${PREFIX}ca-cert.pem ${PREFIX}client-cert.pem ${PREFIX}server-cert.pem
}
parseArgs $ARGS