-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathgenerate-certs
executable file
·101 lines (83 loc) · 2.52 KB
/
generate-certs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/bin/bash
echo "----------------------------"
echo "| SSL Cert Generator |"
echo "----------------------------"
echo
export CA_KEY=${CA_KEY-"ca-key.pem"}
export CA_CERT=${CA_CERT-"ca.pem"}
export CA_SUBJECT=${CA_SUBJECT:-"test-ca"}
export CA_EXPIRE=${CA_EXPIRE:-"60"}
export SSL_CONFIG=${SSL_CONFIG:-"openssl.cnf"}
export SSL_KEY=${SSL_KEY:-"key.pem"}
export SSL_CSR=${SSL_CSR:-"key.csr"}
export SSL_CERT=${SSL_CERT:-"cert.pem"}
export SSL_SIZE=${SSL_SIZE:-"2048"}
export SSL_EXPIRE=${SSL_EXPIRE:-"60"}
export SSL_SUBJECT=${SSL_SUBJECT:-"example.com"}
export SSL_DNS=${SSL_DNS}
export SSL_IP=${SSL_IP}
export DEBUG=${DEBUG:=1}
echo "--> Certificate Authority"
if [[ -e ./${CA_KEY} ]]; then
echo "====> Using existing CA Key ${CA_KEY}"
else
echo "====> Generating new CA key ${CA_KEY}"
openssl genrsa -out ${CA_KEY} 2048
fi
if [[ -e ./${CA_CERT} ]]; then
echo "====> Using existing CA Certificate ${CA_CERT}"
else
echo "====> Generating new CA Certificate ${CA_CERT}"
openssl req -x509 -new -nodes -key ${CA_KEY} -days ${CA_EXPIRE} -out ${CA_CERT} -subj "/CN=${CA_SUBJECT}" || exit 1
fi
[[ -n $DEBUG ]] && cat $CA_CERT
echo "====> Generating new config file ${SSL_CONFIG}"
cat > ${SSL_CONFIG} <<EOM
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOM
if [[ -n ${SSL_DNS} || -n ${SSL_IP} ]]; then
cat >> ${SSL_CONFIG} <<EOM
subjectAltName = @alt_names
[alt_names]
EOM
IFS=","
dns=(${SSL_DNS})
dns+=(${SSL_SUBJECT})
for i in "${!dns[@]}"; do
echo DNS.$((i+1)) = ${dns[$i]} >> ${SSL_CONFIG}
done
if [[ -n ${SSL_IP} ]]; then
ip=(${SSL_IP})
for i in "${!ip[@]}"; do
echo IP.$((i+1)) = ${ip[$i]} >> ${SSL_CONFIG}
done
fi
fi
echo "====> Generating new SSL KEY ${SSL_KEY}"
openssl genrsa -out ${SSL_KEY} ${SSL_SIZE} || exit 1
echo "====> Generating new SSL CSR ${SSL_CSR}"
openssl req -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/CN=${SSL_SUBJECT}" -config ${SSL_CONFIG} || exit 1
echo "====> Generating new SSL CERT ${SSL_CERT}"
openssl x509 -req -in ${SSL_CSR} -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
-days ${SSL_EXPIRE} -extensions v3_req -extfile ${SSL_CONFIG} || exit 1
echo -n
echo -n
echo "***** CA CERT"
cat $CA_CERT
echo -n
echo -n
echo "***** SSL_KEY"
cat $SSL_KEY
echo -n
echo -n
echo "***** SSL CERT"
cat $SSL_CERT
echo -n
echo -n