Diffstat (limited to 'gen.sh')
-rwxr-xr-xgen.sh277
1 files changed, 277 insertions, 0 deletions
diff --git a/gen.sh b/gen.sh
new file mode 100755
index 0000000..877eca3
--- /dev/null
+++ b/gen.sh
@@ -0,0 +1,277 @@
+#!/bin/bash
+
+# http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority
+
+
+function create_ca() {
+
+ cat > openssl-ca.cnf <<EOF
+HOME = .
+RANDFILE = .rnd
+
+####################################################################
+
+[ ca ]
+
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 3650 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+certificate = cacert.pem # The CA certifcate
+private_key = cakey.pem # The CA private key
+new_certs_dir = . # Location for new certs after signing
+database = index.txt # Database index file
+serial = serial.txt # The current serial number
+
+unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+
+####################################################################
+
+[ req ]
+
+default_bits = 4096
+default_keyfile = cakey.pem
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+
+[ ca_distinguished_name ]
+
+countryName = Country Name (2 letter code)
+countryName_default = FR
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = IDF
+
+localityName = Locality Name (eg, city)
+localityName_default = Paris
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Fsociety
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = CA Research Department
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = Test CA
+
+emailAddress = Email Address
+emailAddress_default = ca@example.com
+
+####################################################################
+
+[ ca_extensions ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = keyCertSign, cRLSign
+
+[ signing_policy ]
+
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+
+[ signing_req ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+
+EOF
+
+ openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -keyout cakey.pem -out cacert.pem -outform PEM
+
+ if [ -f cacert.pem ]; then
+
+ ln -s cacert.pem `openssl x509 -hash -noout -in cacert.pem`.0
+
+ #openssl x509 -purpose -in cacert.pem -inform PEM | less
+
+ touch index.txt
+ echo '01' > serial.txt
+
+ fi
+
+}
+
+
+function create_server() {
+
+ cat > openssl-server.cnf <<EOF
+HOME = .
+RANDFILE = .rnd
+
+####################################################################
+
+[ req ]
+
+default_bits = 2048
+default_keyfile = serverkey.pem
+distinguished_name = server_distinguished_name
+req_extensions = server_req_extensions
+string_mask = utf8only
+
+####################################################################
+
+[ server_distinguished_name ]
+
+countryName = Country Name (2 letter code)
+countryName_default = FR
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = IDF
+
+localityName = Locality Name (eg, city)
+localityName_default = Paris
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Server Organization
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Server Research Department
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = ServerSide Test
+
+emailAddress = Email Address
+emailAddress_default = server@example.com
+
+####################################################################
+
+[ server_req_extensions ]
+
+subjectKeyIdentifier = hash
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Certificate"
+
+EOF
+
+ openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out serverkey.pem -outform PEM
+
+ # openssl req -text -noout -verify -in serverkey.pem | less
+
+ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles serverkey.pem
+
+}
+
+
+function create_client() {
+
+ cat > openssl-client.cnf <<EOF
+HOME = .
+RANDFILE = .rnd
+
+####################################################################
+
+[ req ]
+
+default_bits = 2048
+default_keyfile = clientkey.pem
+distinguished_name = client_distinguished_name
+req_extensions = client_req_extensions
+string_mask = utf8only
+
+####################################################################
+
+[ client_distinguished_name ]
+
+countryName = Country Name (2 letter code)
+countryName_default = FR
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = IDF
+
+localityName = Locality Name (eg, city)
+localityName_default = Paris
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Client Organization
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Client Research Department
+
+commonName = Common Name (e.g. client FQDN or YOUR name)
+commonName_default = ClientSide Test
+
+emailAddress = Email Address
+emailAddress_default = client@example.com
+
+####################################################################
+
+[ client_req_extensions ]
+
+subjectKeyIdentifier = hash
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Certificate"
+
+EOF
+
+ openssl req -config openssl-client.cnf -newkey rsa:2048 -sha256 -nodes -out clientkey.pem -outform PEM
+
+ # openssl req -text -noout -verify -in clientkey.pem | less
+
+ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out clientcert.pem -infiles clientkey.pem
+
+}
+
+
+function clean() {
+
+ rm -f .rnd
+
+ rm -f index.txt* serial.txt*
+
+ rm -f *.pem *.cnf *.0
+
+}
+
+
+case $1 in
+
+ ca)
+ create_ca
+ ;;
+
+ server)
+ create_server
+ ;;
+
+ client)
+ create_client
+ ;;
+
+ clean)
+ clean
+ ;;
+
+ *)
+ echo "Usage: $0 <ca|server|client|clean>"
+ exit 1
+ ;;
+
+esac
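Review bot: In create_server the `openssl req` call with `-out serverkey.pem` writes the CSR to the same path that the generated config's `default_keyfile = serverkey.pem` uses for the new private key, and as far as I can tell `req` opens the `-out` file for writing after the key has already been written, so the server's private key is overwritten by the CSR and only the CSR survives to be signed by `openssl ca -infiles serverkey.pem`; create_client has the same collision on clientkey.pem. Give the two outputs distinct names, e.g. `openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -keyout serverkey.pem -out server.csr -outform PEM` followed by `openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles server.csr`, and the same pattern for the client. The CA and leaf keys are generated with `-nodes` under the caller's umask, so cakey.pem is normally created readable by everyone; a `umask 077` near the top of the script, before the case dispatch, keeps the unencrypted keys private to the owner. The symlink line in create_ca uses backticks and an unquoted substitution where `ln -s cacert.pem "$(openssl x509 -hash -noout -in cacert.pem).0"` is the equivalent quoted form, and since none of the `openssl` calls are checked the stale-file test `if [ -f cacert.pem ]` will also pass on a leftover cert from a previous run, so a `set -e` at the top or an explicit `|| exit 1` after each `openssl` call is worth adding.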