Diffstat (limited to 'gen.sh')
-rwxr-xr-x | gen.sh | 277 |
1 files changed, 277 insertions, 0 deletions
@@ -0,0 +1,277 @@
+#!/bin/bash
+
+# http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority
+
+
+function create_ca() {
+
+ cat > openssl-ca.cnf <<EOF
+HOME = .
+RANDFILE = .rnd
+
+####################################################################
+
+[ ca ]
+
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 3650 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+certificate = cacert.pem # The CA certifcate
+private_key = cakey.pem # The CA private key
+new_certs_dir = . # Location for new certs after signing
+database = index.txt # Database index file
+serial = serial.txt # The current serial number
+
+unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+
+####################################################################
+
+[ req ]
+
+default_bits = 4096
+default_keyfile = cakey.pem
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+
+[ ca_distinguished_name ]
+
+countryName = Country Name (2 letter code)
+countryName_default = FR
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = IDF
+
+localityName = Locality Name (eg, city)
+localityName_default = Paris
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Fsociety
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = CA Research Department
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = Test CA
+
+emailAddress = Email Address
+emailAddress_default = ca@example.com
+
+####################################################################
+
+[ ca_extensions ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = keyCertSign, cRLSign
+
+[ signing_policy ]
+
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+
+[ signing_req ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+
+EOF
+
+ openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -keyout cakey.pem -out cacert.pem -outform PEM
+
+ if [ -f cacert.pem ]; then
+
+ ln -s cacert.pem `openssl x509 -hash -noout -in cacert.pem`.0
+
+ #openssl x509 -purpose -in cacert.pem -inform PEM | less
+
+ touch index.txt
+ echo '01' > serial.txt
+
+ fi
+
+}
+
+
+function create_server() {
+
+ cat > openssl-server.cnf <<EOF
+HOME = .
+RANDFILE = .rnd
+
+####################################################################
+
+[ req ]
+
+default_bits = 2048
+default_keyfile = serverkey.pem
+distinguished_name = server_distinguished_name
+req_extensions = server_req_extensions
+string_mask = utf8only
+
+####################################################################
+
+[ server_distinguished_name ]
+
+countryName = Country Name (2 letter code)
+countryName_default = FR
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = IDF
+
+localityName = Locality Name (eg, city)
+localityName_default = Paris
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Server Organization
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Server Research Department
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = ServerSide Test
+
+emailAddress = Email Address
+emailAddress_default = server@example.com
+
+####################################################################
+
+[ server_req_extensions ]
+
+subjectKeyIdentifier = hash
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Certificate"
+
+EOF
+
+ openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out serverkey.pem -outform PEM
+
+ # openssl req -text -noout -verify -in serverkey.pem | less
+
+ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles serverkey.pem
+
+}
+
+
+function create_client() {
+
+ cat > openssl-client.cnf <<EOF
+HOME = .
+RANDFILE = .rnd
+
+####################################################################
+
+[ req ]
+
+default_bits = 2048
+default_keyfile = clientkey.pem
+distinguished_name = client_distinguished_name
+req_extensions = client_req_extensions
+string_mask = utf8only
+
+####################################################################
+
+[ client_distinguished_name ]
+
+countryName = Country Name (2 letter code)
+countryName_default = FR
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = IDF
+
+localityName = Locality Name (eg, city)
+localityName_default = Paris
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Client Organization
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Client Research Department
+
+commonName = Common Name (e.g. client FQDN or YOUR name)
+commonName_default = ClientSide Test
+
+emailAddress = Email Address
+emailAddress_default = client@example.com
+
+####################################################################
+
+[ client_req_extensions ]
+
+subjectKeyIdentifier = hash
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Certificate"
+
+EOF
+
+ openssl req -config openssl-client.cnf -newkey rsa:2048 -sha256 -nodes -out clientkey.pem -outform PEM
+
+ # openssl req -text -noout -verify -in clientkey.pem | less
+
+ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out clientcert.pem -infiles clientkey.pem
+
+}
+
+
+function clean() {
+
+ rm -f .rnd
+
+ rm -f index.txt* serial.txt*
+
+ rm -f *.pem *.cnf *.0
+
+}
+
+
+case $1 in
+
+ ca)
+ create_ca
+ ;;
+
+ server)
+ create_server
+ ;;
+
+ client)
+ create_client
+ ;;
+
+ clean)
+ clean
+ ;;
+
+ *)
+ echo "Usage: $0 <ca|server|client|clean>"
+ exit 1
+ ;;
+
+esac
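Review bot: In create_server the private key and the CSR are written to the same path — `-out serverkey.pem` names the request output while `default_keyfile = serverkey.pem` in the generated config names the key output — so unless OpenSSL special-cases that collision (I don't believe it does) the request overwrites the freshly generated key and `openssl ca` then issues servercert.pem for a key that no longer exists on disk; create_client has the identical collision with clientkey.pem. Give the CSR its own name in both places, e.g. `openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out server.csr -outform PEM` and `openssl ca ... -out servercert.pem -infiles server.csr`, and the same for the client. Separately, all three keys are generated with `-nodes` and the script sets no umask, so cakey.pem in particular lands unencrypted with whatever mode the caller's umask permits; a `umask 077` near the top of the script (or a `chmod 600` after each keygen) keeps the CA key from being world-readable on a permissive umask. Minor style: the backtick substitution in the `ln -s` line and `case $1 in` are unquoted — `"$(openssl x509 -hash -noout -in cacert.pem)".0` and `case "$1" in` are the conventional forms.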