Certificate Chain Generator
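#!/usr/bin/env bash
# Certificate chain generator: creates a self-signed root CA (root.key.pem /
# root.crt.pem) in the current directory, issues one leaf certificate per
# command-line argument from it, and verifies each resulting chain.
# Usage: script [leaf common name ...]
# Environment:
#   DEFAULT_SUBJECT_PREFIX - DN prefix prepended to every subject
#   DEFAULT_KEY_TYPE       - argument for `openssl req -newkey`
#   EE_HOSTNAME            - leaf common name used when an argument is empty
set -e -o pipefail
# Keys are written unencrypted (-nodes); make every file created from here on
# owner-only so the private key material is not world-readable by default.
umask 077
DEFAULT_SUBJECT_PREFIX=${DEFAULT_SUBJECT_PREFIX:-"/C=CA/ST=Ontario/L=Kitchener/O=jskw"}
DEFAULT_KEY_TYPE="${DEFAULT_KEY_TYPE:-ec:prime256v1.pem}"
# Curve parameter file referenced by the default key type (ec:FILE).
openssl ecparam -name prime256v1 > prime256v1.pem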
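#######################################
# Print a section banner, through cowsay when it is installed.
# Arguments: $1 - message text
# Outputs:   the banner on stdout
#######################################
log() {
  # `command -v` is the portable builtin; `which` is an external tool that is
  # absent or behaves differently on some systems.
  if command -v cowsay > /dev/null; then
    echo ""
    cowsay "$1"
  else
    # printf rather than `echo -e`: echo's escape handling is not portable.
    printf '\n----=| %s |==----\n' "$1"
  fi
}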
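#######################################
# Show the files just produced: a long listing plus an MD5 digest, so a re-run
# can be seen to have reused the same files. MD5 is only a quick fingerprint
# for the eye here, not an integrity check.
# Arguments: one or more file paths
# Outputs:   `ls -l` and `md5sum` lines on stdout
#######################################
describe_files() {
  # `--` stops option parsing in case a common name starts with a dash.
  ls -l -- "$@"
  md5sum -- "$@"
}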
# Usage: create_certificate_authority [common name] [key type]
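#######################################
# Create (or reuse) a self-signed root CA in the current directory:
# <common name>.key.pem and <common name>.crt.pem.
# Globals:   DEFAULT_KEY_TYPE, DEFAULT_SUBJECT_PREFIX (read)
# Arguments: $1 - CA common name (default RootCA)
#            $2 - `openssl req -newkey` argument (default $DEFAULT_KEY_TYPE)
# Outputs:   progress banners and a listing of the resulting files
#######################################
create_certificate_authority() {
  local common_name="${1:-RootCA}"
  local key_type="${2:-$DEFAULT_KEY_TYPE}"
  local key_file="${common_name}.key.pem"
  local certificate_file="${common_name}.crt.pem"
  # Reuse only when both halves exist; otherwise both are regenerated so a
  # certificate is never paired with a key it was not made from.
  if [[ -f "${key_file}" && -f "${certificate_file}" ]]; then
    log "Found existing certificate authority"
  else
    log "Creating a new certificate authority"
    # -x509 self-signs; -nodes leaves the key unencrypted on disk.
    openssl req -x509 -nodes -new -sha256 -days 1024 \
      -subj "${DEFAULT_SUBJECT_PREFIX}/CN=${common_name}" \
      -newkey "${key_type}" \
      -keyout "${key_file}" \
      -out "${certificate_file}"
  fi
  describe_files "${key_file}" "${certificate_file}"
}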
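#######################################
# Create (or reuse) a leaf key and CSR, then issue a certificate for it from an
# existing CA. Files are <common name>.key.pem / .csr.pem / .crt.pem.
# Globals:   DEFAULT_KEY_TYPE, DEFAULT_SUBJECT_PREFIX, EE_HOSTNAME (read);
#            EE_DEFAULT_SUBJECT_PREFIX overrides the subject prefix if set.
# Arguments: $1 - CA common name (default RootCA); <CA>.crt.pem and
#                 <CA>.key.pem must exist
#            $2 - leaf common name (default $EE_HOSTNAME)
#            $3 - `openssl req -newkey` argument (default $DEFAULT_KEY_TYPE)
# Outputs:   progress banners and listings of the resulting files
#######################################
create_certificate_from_certificate_authority() {
  local root_common_name="${1:-RootCA}"
  local common_name="${2:-${EE_HOSTNAME}}"
  local key_type="${3:-$DEFAULT_KEY_TYPE}"
  # Fall back to the shared prefix so the leaf subject is not just "/CN=..."
  # when the EE-specific override is unset.
  local subject_prefix="${EE_DEFAULT_SUBJECT_PREFIX:-$DEFAULT_SUBJECT_PREFIX}"
  local key_file="${common_name}.key.pem"
  local certificate_request_file="${common_name}.csr.pem"
  local certificate_file="${common_name}.crt.pem"
  if [[ -f "${key_file}" && -f "${certificate_request_file}" ]]; then
    log "Found existing key and certificate request"
  else
    log "Creating a new key and certificate request"
    openssl req -new -nodes \
      -subj "${subject_prefix}/CN=${common_name}" \
      -newkey "${key_type}" \
      -keyout "${key_file}" \
      -out "${certificate_request_file}"
  fi
  describe_files "${key_file}" "${certificate_request_file}"
  if [[ -f "${certificate_file}" ]]; then
    log "Found existing certificate"
  else
    log "Creating new certificate"
    # `openssl x509 -ext` only restricts which extensions are *printed*; the
    # extensions that make this a usable end-entity certificate (CA:FALSE,
    # key usage, SAN) have to be supplied through -extfile, so they are fed
    # in via process substitution.
    openssl x509 -req -sha256 \
      -days 1024 \
      -in "${certificate_request_file}" \
      -CA "${root_common_name}.crt.pem" \
      -CAkey "${root_common_name}.key.pem" \
      -CAcreateserial \
      -extfile <(printf '%s\n' \
        "authorityKeyIdentifier=keyid,issuer" \
        "basicConstraints=CA:FALSE" \
        "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
        "subjectAltName = DNS:${common_name}") \
      -out "${certificate_file}"
  fi
  describe_files "${certificate_file}"
}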
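# --- main -------------------------------------------------------------------
create_certificate_authority "root"
certificates_to_verify=("root.crt.pem")
# Each positional argument is a leaf common name to issue from the root CA;
# with no arguments only the root is created and verified.
for next_certificate_to_create in "$@"; do
  create_certificate_from_certificate_authority "root" "${next_certificate_to_create}"
  certificates_to_verify+=("${next_certificate_to_create}.crt.pem")
  # Combined cert+key file that openssl s_server, haproxy etc. can load. It
  # contains the private key, so create it owner-only whatever the caller's
  # umask is.
  (
    umask 077
    cat "${next_certificate_to_create}.crt.pem" "${next_certificate_to_create}.key.pem" \
      > "${next_certificate_to_create}.pem"
  )
done
log "Verifying certificate chains"
openssl verify -verbose -CAfile "root.crt.pem" "${certificates_to_verify[@]}"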