Last active
April 3, 2021 14:04
-
-
Save BlackthornYugen/0ed06f5f15a5a412b39360d7e195c36a to your computer and use it in GitHub Desktop.
Certificate Chain Generator
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
set -e | |
DEFAULT_SUBJECT_PREFIX=${DEFAULT_SUBJECT_PREFIX:-"/C=CA/ST=Ontario/L=Kitchener/O=jskw"} | |
DEFAULT_KEY_TYPE="${DEFAULT_KEY_TYPE:-ec:prime256v1.pem}" | |
openssl ecparam -name prime256v1 > prime256v1.pem | |
log() { | |
# cowsay if available | |
if which cowsay > /dev/null ; then | |
echo "" | |
cowsay "$1" | |
else | |
echo -e "\n----=| $1 |==----" | |
fi | |
} | |
describe_files() { | |
# Change to stat or something else for more verbosity | |
# stat ${1} | |
ls -l "$@" | |
md5sum "$@" | |
} | |
# Usage: [common name] [key type] | |
create_certificate_authority() { | |
common_name="${1:-RootCA}" | |
key_type="${2:-$DEFAULT_KEY_TYPE}" | |
key_file="${common_name}.key.pem" | |
certificate_file="${common_name}.crt.pem" | |
if [ -f "${key_file}" ] && [ -f "${certificate_file}" ]; then | |
log "Found existing certificate authority" | |
else | |
log "Creating a new certificate authority" | |
openssl req -x509 -nodes -new -sha256 -days 1024 \ | |
-subj "${DEFAULT_SUBJECT_PREFIX}/CN=${common_name}" \ | |
-newkey "${key_type}" \ | |
-keyout "${key_file}" \ | |
-out "${certificate_file}" | |
fi | |
describe_files "${key_file}" "${certificate_file}" | |
} | |
create_certificate_from_certificate_authority() { | |
root_common_name="${1:-RootCA}" | |
common_name="${2:-${EE_HOSTNAME}}" | |
key_type="${3:-$DEFAULT_KEY_TYPE}" | |
key_file="${common_name}.key.pem" | |
certificate_request_file="${common_name}.csr.pem" | |
certificate_file="${common_name}.crt.pem" | |
if [ -f "${key_file}" ] && [ -f "${certificate_request_file}" ]; then | |
log "Found existing key and certificate request" | |
else | |
log "Creating a new key and certificate request" | |
openssl req -new -nodes \ | |
-subj "${EE_DEFAULT_SUBJECT_PREFIX}/CN=${common_name}" \ | |
-newkey "${key_type}" \ | |
-keyout "${key_file}" \ | |
-out "${certificate_request_file}" | |
fi | |
describe_files "${key_file}" "${certificate_request_file}" | |
if [ -f "${certificate_file}" ]; then | |
log "Found existing certificate" | |
else | |
log "Creating new certificate" | |
openssl x509 -req -sha256 \ | |
-days 1024 \ | |
-in "${certificate_request_file}" \ | |
-CA "${root_common_name}.crt.pem" \ | |
-CAkey "${root_common_name}.key.pem" \ | |
-CAcreateserial \ | |
-ext "authorityKeyIdentifier=keyid,issuer" \ | |
-ext "basicConstraints=CA:FALSE" \ | |
-ext "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \ | |
-ext "subjectAltName = DNS:${common_name}" \ | |
-out "${certificate_file}" | |
fi | |
describe_files "${certificate_file}" | |
} | |
create_certificate_authority "root" | |
certificates_to_verify=("root.crt.pem") | |
next_certificate_to_create="${1}" | |
while shift; do | |
create_certificate_from_certificate_authority "root" "${next_certificate_to_create}" | |
certificates_to_verify+=("${next_certificate_to_create}.crt.pem") | |
# Make a pem file that openssl s_server or haproxy or whatever could use | |
cat "${next_certificate_to_create}.crt.pem" "${next_certificate_to_create}.key.pem" > "${next_certificate_to_create}.pem" | |
next_certificate_to_create=${1} | |
done | |
log "Verifying certificate chains" | |
openssl verify -verbose -CAfile "root.crt.pem" "${certificates_to_verify[@]}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment