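#!/bin/bash
# Generate certificates signed by an existing CA.
#
# Usage: certs_signed.sh [BASENAME]
#   BASENAME - default base name for the key/CSR/cert files (default: tls)
#
# Requires read_var.sh (defines read_var) next to this script. When CA_KEY and
# CA_PEM are not already set, certs_ca.sh is sourced to create or select the CA.
# Files produced: <key>, <csr>, <crt>, plus the CA serial file created by
# -CAcreateserial next to the CA certificate.

# Print a message to stderr and abort the script.
die() { printf '%s\n' "$*" >&2; exit 1; }

script_dir=$(dirname "$0")
. "${script_dir}/read_var.sh"
if [[ -z $CA_KEY || -z $CA_PEM ]]; then
  . "${script_dir}/certs_ca.sh"
fi

# Extension file for the signed leaf certificate. A private temp file is used
# instead of a fixed ./cert.ext so that a stale or foreign file in the working
# directory cannot influence the issued certificate, and nothing is left behind.
# NOTE(review): this installs the EXIT trap; confirm certs_ca.sh does not rely
# on its own EXIT trap, which this would replace.
ext_file=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$ext_file"' EXIT

# Reading private key to use
DEFCRT=${1:-tls}
echo "- Generating or using existing private key to produce CSR and signed Certificates"
read_var CERT_KEY "Enter the Certificate private key file name" true "${DEFCRT}.key"
read_var CERT_KEY_PASS "Enter the Certificate private key password"

# The passphrase is handed to openssl through the environment (env:NAME) rather
# than "pass:..." on the command line, where it would be readable via ps/argv.
# The same passphrase is also supplied when the key is later used for the CSR,
# so an encrypted key no longer triggers an interactive prompt.
key_pass_out=()
key_pass_in=()
if [[ -n $CERT_KEY_PASS ]]; then
  export CERT_KEY_PASS
  key_pass_out=(-passout env:CERT_KEY_PASS)
  key_pass_in=(-passin env:CERT_KEY_PASS)
fi

if [[ -f $CERT_KEY ]]; then
  echo Certificate private key already exists, using it.
else
  echo Generating new private key certificate
  if [[ -n $CERT_KEY_PASS ]]; then
    openssl genrsa -aes128 -traditional "${key_pass_out[@]}" -out "$CERT_KEY" 3072 \
      || die "Failed to generate private key $CERT_KEY"
  else
    openssl genrsa -traditional -out "$CERT_KEY" 2048 \
      || die "Failed to generate private key $CERT_KEY"
  fi
fi
echo

# Reading the CSR info
# ${CERT_KEY%.*} strips only the final extension, so a key in a dotted path
# (e.g. ./certs/tls.key) maps to ./certs/tls.csr; the former ${CERT_KEY/.*/.csr}
# replaced everything from the FIRST dot onward.
read_var CERT_CSR "Enter the CSR (certificate signing request) file name for the previous key" true "${CERT_KEY%.*}.csr"
read_var CERT_CN "Enter the subject common name (CN) that will be used to identify this CSR" true ""
EXTRA_DNS=""
if [[ -f $CERT_CSR ]]; then
  echo Certificate signing request already exists, using it.
  # NOTE(review): the subjectAltName written into the signed certificate below
  # is rebuilt from CERT_CN alone; extra names stored in an existing CSR are
  # not read back and will be absent from the issued certificate.
else
  # Collect additional DNS names and IP addresses for the SAN extension.
  while true; do
    read_var DNS "Enter additional subject alternative name (or empty to ignore)" false ''
    [[ -z $DNS ]] && break
    EXTRA_DNS+=", DNS:${DNS}"
  done
  while true; do
    read_var IP "Enter additional IP addresses (or empty to ignore)" false ''
    [[ -z $IP ]] && break
    EXTRA_DNS+=", IP:${IP}"
  done
  echo Generating certificate signing request...
  openssl req -new -batch -subj "/CN=$CERT_CN" \
    -addext "subjectAltName = DNS:${CERT_CN}${EXTRA_DNS}" \
    "${key_pass_in[@]}" -key "$CERT_KEY" -out "$CERT_CSR" \
    || die "Failed to generate CSR $CERT_CSR"
fi
echo

# Creating a signed certificate based on CSR for the related Cert Key
valid_cert=false
while [[ $valid_cert == false ]]; do
  read_var CERT_PEM "Enter the signed certificate pem file name" true "${CERT_KEY%.*}.crt"
  if [[ -f $CERT_PEM ]]; then
    echo "Public certificate already exists (press ENTER to try again)."
  else
    valid_cert=true
  fi
done
echo "- Generating new public certificate using $CERT_CSR and signed by $CA_PEM with $CA_KEY"
# End-entity (leaf) profile: basicConstraints CA:FALSE and no keyCertSign, so
# the issued certificate cannot itself act as a CA and sign further
# certificates. The previous extension file used CA:TRUE plus keyCertSign,
# which turned every certificate issued here into a subordinate CA.
cat << EOF > "$ext_file"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
subjectAltName = DNS:${CERT_CN}${EXTRA_DNS}
issuerAltName = issuer:copy
EOF
# -days 1825 is a five-year lifetime; long for a TLS leaf, kept as configured.
# If the CA key is encrypted, openssl prompts for its passphrase here.
openssl x509 -req -in "$CERT_CSR" -CA "$CA_PEM" -CAkey "$CA_KEY" -CAcreateserial \
  -out "$CERT_PEM" -days 1825 -sha256 -extfile "$ext_file" \
  || die "Failed to sign certificate $CERT_PEM"
echo
echo "- Validating generated PEM ceriticate ($CERT_PEM) using CA PEM ($CA_PEM)"
# Last command: its exit status becomes the script's exit status.
openssl verify -CAfile "$CA_PEM" "$CERT_PEM"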