Generate a Docker Daemon-Client CA setup
#!/usr/bin/env bash
# Strict mode: abort on the first failing command, on unset variables and on
# any failing stage of a pipeline. Export TRACE=1 to echo every command.
set -euo pipefail
if [[ -n "${TRACE:-}" ]]; then
  set -x
fi
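#######################################
# Symmetrically encrypt a file to "<file>.enc" with AES-256.
# Arguments: $1 - path of the file to encrypt
#            $2 - passphrase; handed to gpg on stdin (fd 0) so it never
#                 appears in argv and therefore not in `ps` output
# Outputs:   writes "$1".enc next to the input; gpg diagnostics on stderr
# Returns:   gpg's exit status (under set -e a failure aborts the script)
#######################################
gpg_encrypt() {
  local -r file="$1"
  local -r passphrase="$2"
  # Feed the passphrase through a pipe rather than a here-string: bash before
  # 5.1 materialises here-strings as a temporary file on disk.
  # NOTE(review): GnuPG 2.1+ may additionally need --pinentry-mode loopback for
  # --passphrase-fd to be honoured under --batch; confirm against the installed version.
  printf '%s\n' "$passphrase" \
    | gpg --batch --passphrase-fd 0 --symmetric --cipher-algo AES256 \
        --output "${file}.enc" "$file"
}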
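#######################################
# Create a private key and CSR for one endpoint and sign it with the CA
# (ca.key / ca.crt) in the current directory.
# Arguments: $1 - base name, e.g. daemon or client; writes $1.key, $1.csr, $1.crt
#            $2 - extendedKeyUsage value (serverAuth or clientAuth)
#            $3 - optional subjectAltName value (e.g. "DNS:host,IP:1.2.3.4");
#                 no SAN extension is written when empty
# Outputs:   overwrites extfile.cnf; creates/updates ca.srl via -CAcreateserial
# Returns:   non-zero from the first failing openssl step (set -e aborts)
#######################################
issue_cert() {
  local -r name="$1"
  local -r eku="$2"
  local -r san="${3:-}"
  openssl genrsa -out "${name}.key" 4096
  openssl req -subj '/CN=*' -sha256 -new -key "${name}.key" -out "${name}.csr"
  printf 'extendedKeyUsage = %s\n' "$eku" > extfile.cnf
  if [[ -n "$san" ]]; then
    # Modern TLS clients match the host against the SAN, not the CN.
    printf 'subjectAltName = %s\n' "$san" >> extfile.cnf
  fi
  openssl x509 -req -days 3650 -sha256 -in "${name}.csr" \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "${name}.crt" -extfile extfile.cnf
}

#######################################
# Generate a throw-away CA, a daemon (server) certificate and a client
# certificate, gpg-encrypt the deliverables and move them into the directory
# the script was started from. All plaintext material is created in a
# mktemp directory that is removed on exit.
# Globals:   PASSPHRASE  (read, required) - symmetric passphrase for gpg
#            DAEMON_SAN  (read, optional) - subjectAltName for the daemon cert,
#                        e.g. "DNS:docker.example.com,IP:10.0.0.5"; when unset
#                        the cert carries only CN=* as before
#            tmpdir      (written) - scratch directory; intentionally not local
#                        because the EXIT trap runs after main has returned
# Arguments: none (positional arguments are ignored)
# Outputs:   ca.crt.enc client.crt.enc client.key.enc daemon.crt.enc
#            daemon.key.enc in the start directory (existing files are
#            overwritten); diagnostics on stderr
# Returns:   exits 1 when PASSPHRASE is empty; otherwise set -e propagates
#            the first failing openssl/gpg command
#######################################
main() {
  local -r passphrase="${PASSPHRASE:-}"
  if [[ -z "$passphrase" ]]; then
    # Diagnostics belong on stderr (the original wrote this to stdout).
    printf '%s\n' "PASSPHRASE must be given" >&2
    exit 1
  fi
  local -r curdir="$PWD"
  tmpdir="$(mktemp -d)"
  trap 'rm -rf -- "${tmpdir:?}"' EXIT
  cd "$tmpdir"
  # Private keys and the encrypted outputs must not be group/world readable,
  # whatever umask the caller inherited.
  umask 077

  # CA key and self-signed CA cert (validity 10 years).
  openssl genrsa -out ca.key 4096
  openssl req -new -x509 -days 3650 -subj '/CN=*' -key ca.key -sha256 -out ca.crt

  # Daemon (server) and client leaf certificates, each with its own EKU.
  issue_cert daemon serverAuth "${DAEMON_SAN:-}"
  issue_cert client clientAuth

  local f
  for f in ca.crt client.crt client.key daemon.crt daemon.key; do
    gpg_encrypt "$f" "$passphrase"
  done

  # NOTE(review): ca.key is neither exported nor encrypted, so no further
  # certificates can be issued from this CA after the script ends — confirm
  # that a one-shot CA is intended.
  rm -- daemon.crt daemon.key daemon.csr extfile.cnf ca.srl \
    client.crt client.key client.csr ca.crt ca.key
  mv -- ca.crt.enc client.crt.enc client.key.enc daemon.crt.enc daemon.key.enc "$curdir/"
}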
# Entry point. Arguments are passed through, but main does not read them.
main "$@"