cert chain generation script
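#!/bin/bash
# Generate a three-tier test PKI and a couple of chain files for testing:
#
#   root CA (*.${DNS})
#     -> intermediate 1 (*.service.${DNS})
#       -> intermediate 2 (*.fin.service.${DNS})
#         -> leaf (${APP}.fin.service.${DNS})
#
# The script started as a copy of getcert.sh from docs.tetrate.com; some
# variables are repurposed.
#
# Outputs (current directory): auto-root.{key,crt}, auto-intermediate1.{key,crt},
# auto-intermediate2.{key,crt}, ${APP}.{key,crt}, test-not-root-chain.crt
# (leaf + both intermediates) and test-full-correct-chain.crt (same + root).
#
# All private keys are written unencrypted (-nodes) and with the caller's
# umask, so run this in a private directory with a restrictive umask.
set -euo pipefail

APP="orders"
DNS="local"
DAYS="365"   # validity, in days, of every certificate in the chain

# Bash already expands ${APP}/${DNS} inside the unquoted here-docs below, so
# no envsubst pass is needed (the variables were never exported for it anyway).

# openssl config for the leaf cert. Only [ san_reqext ] is applied when the
# leaf is signed (see the last openssl call).
cat > "${APP}.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = san_reqext
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
organizationName = Tetrateio
commonName = ${APP}.fin.service.${DNS} Intermidiate CA
[ san_reqext ]
subjectAltName = @alt_names
[alt_names]
DNS.0 = ${APP}.fin.service.${DNS}
EOF

# openssl config for intermediate 1 (*.service.${DNS}).
# The [ ca ], [ CA_default ], [ server_cert ] and [ policy_loose ] sections are
# only read by `openssl ca`; this script signs with `openssl x509 -req`, which
# uses just [ v3_intermediate_ca ] via -extfile/-extensions. They are kept for
# parity with the original script.
cat > auto-intermediate1.cnf <<EOF
[req]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = san_reqext
x509_extensions = v3_intermediate_ca
[ ca ]
default_ca = CA_default
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
organizationName = Tetrateio
commonName = *.service.${DNS} Intermidiate CA
[ san_reqext ]
subjectAltName = @alt_names
[alt_names]
DNS.0 = service.${DNS}
[ v3_intermediate_ca ]
# Extensions for the intermediate CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:2
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ CA_default ]
# Directory and file locations.
dir = ""
private_key = auto-intermediate1.key
certificate = auto-intermediate1.crt
new_certs_dir = "."
database = index.txt
email_in_dn = test@cx.tetrate.info
policy = policy_loose
serial = serial
rand_serial = .rand
[ server_cert ]
# Extensions for server certificates
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Grilled Cheese Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the \`ca\` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF

# openssl config for intermediate 2 (*.fin.service.${DNS}); same layout as
# intermediate 1 with its own names.
cat > auto-intermediate2.cnf <<EOF
[req]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = san_reqext
x509_extensions = v3_intermediate_ca
[ ca ]
default_ca = CA_default
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
organizationName = Tetrateio
commonName = *.fin.service.${DNS} Intermidiate CA
[ san_reqext ]
subjectAltName = @alt_names
[alt_names]
DNS.0 = fin.service.${DNS}
[ v3_intermediate_ca ]
# Extensions for the intermediate CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:2
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ CA_default ]
# Directory and file locations.
dir = ""
private_key = auto-intermediate2.key
certificate = auto-intermediate2.crt
new_certs_dir = "."
database = index.txt
email_in_dn = test@cx.tetrate.info
policy = policy_loose
serial = serial
rand_serial = .rand
[ server_cert ]
# Extensions for server certificates
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Grilled Cheese Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the \`ca\` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF

# Root CA key and self-signed certificate.
# -subj is a single argument and must be quoted: left unquoted, "*.local" is
# exposed to pathname globbing and "Root CA" becomes two stray arguments.
openssl req \
  -x509 \
  -sha256 \
  -nodes \
  -days "$DAYS" \
  -newkey rsa:4096 \
  -subj "/C=US/ST=CA/O=Tetrateio/CN=*.${DNS} Root CA" \
  -keyout auto-root.key \
  -out auto-root.crt

# Key pair and CSR for intermediate 1 (*.service.${DNS}).
openssl req \
  -out auto-intermediate1.csr \
  -newkey rsa:2048 -nodes \
  -keyout auto-intermediate1.key \
  -config auto-intermediate1.cnf

# Key pair and CSR for intermediate 2 (*.fin.service.${DNS}).
openssl req \
  -out auto-intermediate2.csr \
  -newkey rsa:2048 -nodes \
  -keyout auto-intermediate2.key \
  -config auto-intermediate2.cnf

# NOTE: fixed serials (0, 1, 2 below) are acceptable for a throwaway test
# chain, but RFC 5280 requires a positive serial number and re-running the
# script reissues the same serial under the same issuer. Use -CAcreateserial
# or a random serial for anything beyond local testing.

# Sign intermediate 1 with the root CA.
openssl x509 -req \
  -sha256 \
  -days "$DAYS" \
  -set_serial 0 \
  -CA auto-root.crt \
  -CAkey auto-root.key \
  -in auto-intermediate1.csr \
  -out auto-intermediate1.crt \
  -extfile auto-intermediate1.cnf \
  -extensions v3_intermediate_ca

# Sign intermediate 2 with intermediate 1.
openssl x509 -req \
  -sha256 \
  -days "$DAYS" \
  -set_serial 1 \
  -CA auto-intermediate1.crt \
  -CAkey auto-intermediate1.key \
  -in auto-intermediate2.csr \
  -out auto-intermediate2.crt \
  -extfile auto-intermediate2.cnf \
  -extensions v3_intermediate_ca

# Key pair and CSR for the leaf.
openssl req \
  -out "${APP}.csr" \
  -newkey rsa:2048 -nodes \
  -keyout "${APP}.key" \
  -config "${APP}.cnf"

# Sign the leaf with intermediate 2.
# Only [ san_reqext ] is applied, so the leaf carries a SAN but no
# basicConstraints/keyUsage/extendedKeyUsage; the [ server_cert ] section
# exists only in the intermediate configs, not in ${APP}.cnf.
openssl x509 \
  -req \
  -sha256 \
  -days "$DAYS" \
  -CA auto-intermediate2.crt \
  -CAkey auto-intermediate2.key \
  -set_serial 2 \
  -in "${APP}.csr" \
  -out "${APP}.crt" \
  -extfile "${APP}.cnf" \
  -extensions san_reqext

# Remove only the working files this script created; a bare "rm *.cnf" /
# "rm *.csr" would also delete unrelated files in the working directory.
rm -f -- "${APP}.cnf" auto-intermediate1.cnf auto-intermediate2.cnf
rm -f -- "${APP}.csr" auto-intermediate1.csr auto-intermediate2.csr

# Chain files, leaf first then issuers in order (leaf -> int2 -> int1 [-> root]).
cat "${APP}.crt" auto-intermediate2.crt auto-intermediate1.crt > test-not-root-chain.crt
cat test-not-root-chain.crt auto-root.crt > test-full-correct-chain.crt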