#!/bin/bash
#see https://docs.docker.com/engine/security/https/
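# Defaults; both can be overridden with -e / --ca-subj.
EXPIRATIONDAYS=700
# NOTE(review): "[email protected]" is not a "/field=value" component as
# openssl -subj expects; it may be an artefact of how this page was rendered.
# Confirm the value against the repository before relying on the default.
CASUBJSTRING="/C=GB/ST=London/L=London/O=ExampleCompany/OU=IT/CN=example.com/[email protected]"

#######################################
# Parse the command line into the global configuration variables.
# Every recognised option takes exactly one value: an option given without
# its value aborts, an unrecognised option is reported on stderr and skipped.
# A variable whose option is not given keeps whatever value it inherited
# from the environment, so e.g. the CA pass phrase can be supplied as
# PASSWORD in the environment instead of on the command line.
# Arguments: the script's "$@"
# Globals:   MODE, NAME, SERVERIP, PASSWORD, TARGETDIR, EXPIRATIONDAYS,
#            CASUBJSTRING (written)
# Returns:   0; exits 1 when an option is missing its value
#######################################
function parse_args {
  local key value
  while (( $# > 0 )); do
    key="$1"
    case "$key" in
      -m|--mode|-h|--hostname|-n|--name|-hip|--hostip|-pw|--password|-t|--targetdir|-e|--expirationdays|--ca-subj)
        if (( $# < 2 )); then
          printf 'option %s requires a value\n' "$key" >&2
          exit 1
        fi
        value="$2"
        shift 2
        ;;
      *)
        printf 'unknown option %s ignored\n' "$key" >&2
        shift
        continue
        ;;
    esac
    case "$key" in
      -m|--mode) MODE="$value" ;;
      # usage() advertises -n/--name as well, so accept them as aliases of -h
      -h|--hostname|-n|--name) NAME="$value" ;;
      -hip|--hostip) SERVERIP="$value" ;;
      -pw|--password) PASSWORD="$value" ;;
      -t|--targetdir) TARGETDIR="$value" ;;
      -e|--expirationdays) EXPIRATIONDAYS="$value" ;;
      --ca-subj) CASUBJSTRING="$value" ;;
    esac
  done
}

parse_args "$@"

# Report the effective settings (the password is not echoed).
printf 'Mode %s\n' "$MODE"
printf 'Host/Clientname %s\n' "$NAME"
printf 'Host IP %s\n' "$SERVERIP"
printf 'Targetdir %s\n' "$TARGETDIR"
printf 'Expiration %s\n' "$EXPIRATIONDAYS"

# Name used by usage() in the synopsis line.
programname=$0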
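#######################################
# Print the usage text to stderr and exit with status 1.
# Globals:   programname (read)
# Outputs:   usage text on stderr (stdout stays clean for callers that
#            capture the script's output)
# Returns:   never; exits 1
#######################################
function usage {
  cat >&2 <<EOF
usage: $programname -m ca -h example.de [-hip 1.2.3.4] -pw my-secret -t /target/dir [-e 365]
 -m|--mode 'ca' to create CA, 'server' to create server cert, 'client' to create client cert
 -h|--hostname|-n|--name DNS hostname for the server or name of client
 -hip|--hostip host's IP - default: none
 -pw|--password Password for CA Key generation
 -t|--targetdir Targetdir for certfiles and keys
 -e|--expirationdays certificate expiration in days - default: 700 days
 --ca-subj subj string for ca cert - default: Example String...
EOF
  exit 1
}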
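#######################################
# Create the CA private key (AES-256 encrypted with $PASSWORD) and the
# self-signed CA certificate in $TARGETDIR.
# Globals:   PASSWORD, TARGETDIR, EXPIRATIONDAYS, CASUBJSTRING (read)
# Outputs:   $TARGETDIR/ca-key.pem (mode 0400), $TARGETDIR/ca.pem (mode 0444)
# Returns:   1 if an openssl step fails, otherwise the status of the last chmod
#######################################
function createCA {
  local cakey="$TARGETDIR/ca-key.pem"
  local cacert="$TARGETDIR/ca.pem"
  # umask 077 so the key file is never readable by others, not even between
  # openssl writing it and the chmod below.  The pass phrase is passed through
  # the environment (env:PASSWORD) rather than as "pass:..." on the command
  # line, where it would be visible to every local user in the process list.
  (
    umask 077
    PASSWORD="$PASSWORD" openssl genrsa -aes256 -passout env:PASSWORD \
      -out "$cakey" 4096
  ) || return 1
  PASSWORD="$PASSWORD" openssl req -passin env:PASSWORD -new -x509 \
    -days "$EXPIRATIONDAYS" -key "$cakey" -sha256 -out "$cacert" \
    -subj "$CASUBJSTRING" || return 1
  chmod 0400 "$cakey"
  chmod 0444 "$cacert"
}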
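#######################################
# Abort unless both CA files created by createCA exist in $TARGETDIR.
# Globals:   TARGETDIR (read)
# Outputs:   error message on stderr when a file is missing
# Returns:   0 when both files exist; exits 1 otherwise
#######################################
function checkCAFilesExist {
  local cacert="$TARGETDIR/ca.pem"
  local cakey="$TARGETDIR/ca-key.pem"
  if [[ ! -f "$cacert" || ! -f "$cakey" ]]; then
    printf "%s or %s not found. Create CA first with '-m ca'\n" "$cacert" "$cakey" >&2
    exit 1
  fi
}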
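#######################################
# Create a server key and a CA-signed server certificate for $NAME
# (and optionally $SERVERIP) in $TARGETDIR.
# Globals:   NAME, SERVERIP, PASSWORD, TARGETDIR, EXPIRATIONDAYS (read)
# Outputs:   $TARGETDIR/server-key.pem (0400), $TARGETDIR/server-cert.pem (0444)
# Returns:   1 if an openssl step fails, otherwise the status of the last chmod
#######################################
function createServerCert {
  checkCAFilesExist
  local key="$TARGETDIR/server-key.pem"
  local cert="$TARGETDIR/server-cert.pem"
  local csr="$TARGETDIR/server.csr"
  local extfile="$TARGETDIR/extfile.cnf"
  # SAN: the DNS name always, the IP only when one was given.
  local san="DNS:$NAME"
  if [[ -n "$SERVERIP" ]]; then
    san+=",IP:$SERVERIP"
  fi
  # umask 077: the private key must not be world-readable even for the
  # instant before the chmod below.
  (
    umask 077
    openssl genrsa -out "$key" 4096
  ) || return 1
  openssl req -subj "/CN=$NAME" -new -key "$key" -out "$csr" || return 1
  printf 'subjectAltName = %s\n' "$san" > "$extfile"
  # The CA pass phrase goes through the environment (env:PASSWORD) instead of
  # the command line so it does not show up in the process list.
  if ! PASSWORD="$PASSWORD" openssl x509 -passin env:PASSWORD -req \
      -days "$EXPIRATIONDAYS" -in "$csr" -CA "$TARGETDIR/ca.pem" \
      -CAkey "$TARGETDIR/ca-key.pem" -CAcreateserial -out "$cert" \
      -extfile "$extfile"; then
    rm -f -- "$csr" "$extfile"
    return 1
  fi
  # NOTE(review): deleting ca.srl makes every signing start a fresh serial
  # file; on OpenSSL versions that initialise it to a fixed value rather than
  # a random one this yields duplicate serial numbers for certs issued by
  # this CA - confirm against the openssl in use before keeping this.
  rm -f -- "$csr" "$extfile" "$TARGETDIR/ca.srl"
  chmod 0400 "$key"
  chmod 0444 "$cert"
}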
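#######################################
# Create a client key and a CA-signed client-auth certificate for $NAME in
# $TARGETDIR.  The files are written under their final, name-qualified
# paths directly instead of being created as client-*.pem and renamed.
# Globals:   NAME, PASSWORD, TARGETDIR, EXPIRATIONDAYS (read)
# Outputs:   $TARGETDIR/client-$NAME-key.pem (0400),
#            $TARGETDIR/client-$NAME-cert.pem (0444)
# Returns:   1 if an openssl step fails, otherwise the status of the last chmod
#######################################
function createClientCert {
  checkCAFilesExist
  local key="$TARGETDIR/client-$NAME-key.pem"
  local cert="$TARGETDIR/client-$NAME-cert.pem"
  local csr="$TARGETDIR/client.csr"
  local extfile="$TARGETDIR/extfile.cnf"
  # umask 077: the private key must not be world-readable even for the
  # instant before the chmod below.
  (
    umask 077
    openssl genrsa -out "$key" 4096
  ) || return 1
  openssl req -subj "/CN=$NAME" -new -key "$key" -out "$csr" || return 1
  printf 'extendedKeyUsage = clientAuth\n' > "$extfile"
  # The CA pass phrase goes through the environment (env:PASSWORD) instead of
  # the command line so it does not show up in the process list.
  if ! PASSWORD="$PASSWORD" openssl x509 -passin env:PASSWORD -req \
      -days "$EXPIRATIONDAYS" -in "$csr" -CA "$TARGETDIR/ca.pem" \
      -CAkey "$TARGETDIR/ca-key.pem" -CAcreateserial -out "$cert" \
      -extfile "$extfile"; then
    rm -f -- "$csr" "$extfile"
    return 1
  fi
  # NOTE(review): deleting ca.srl makes every signing start a fresh serial
  # file; on OpenSSL versions that initialise it to a fixed value rather than
  # a random one this yields duplicate serial numbers for certs issued by
  # this CA - confirm against the openssl in use before keeping this.
  rm -f -- "$csr" "$extfile" "$TARGETDIR/ca.srl"
  chmod 0400 "$key"
  chmod 0444 "$cert"
}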
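# Validate the required settings: a mode, a password and a target dir are
# always needed; a name is needed for everything except creating the CA.
if [[ -z "$MODE" || ( "$MODE" != "ca" && -z "$NAME" ) || -z "$PASSWORD" || -z "$TARGETDIR" ]]; then
  usage
fi
mkdir -p -- "$TARGETDIR" || exit 1
# Dispatch on the mode; anything unrecognised prints usage and exits 1.
case "$MODE" in
  ca) createCA || exit 1 ;;
  server) createServerCert || exit 1 ;;
  client) createClientCert || exit 1 ;;
  *) usage ;;
esac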