
@Sharpie
Created May 18, 2019 17:21
Create a Certificate Signing Request for a PE Intermediate Certificate Authority
#!/bin/bash
# Initialize a Puppet Intermediate Certificate Authority (CA) by generating
# a RSA key and Certificate Signing Request using the OpenSSL CLI.
# Fail if any subcommand fails.
set -e
# Ensure files created by this script are only accessible to the user
# that ran the script.
umask 0077
# Check that OpenSSL is installed.
printf 'Checking for openssl...\n' >&2
openssl version >&2 || {
  printf 'This script requires the openssl command to be installed and functional.\n' >&2
  exit 1
}
key_output="${PWD}/puppet_ca_key.pem"
csr_output="${PWD}/puppet_ca_csr.pem"
for f in "${key_output}" "${csr_output}"; do
  if [[ -e "${f}" ]]; then
    printf 'An output file already exists: %s\n' "${f}" >&2
    printf 'Move it aside before running this script.\n' >&2
    exit 1
  fi
done
printf '\nGenerating RSA key and signing request...\n' >&2
workdir=$(mktemp -d -t initialize-puppetca.XXX)
# NOTE: For compatibility with RFC 5280, ca_name should be 64 characters or less.
ca_name="Puppet Enterprise CA generated at $(date +'%Y-%m-%d %H:%M:%S %z')"
cat <<EOF > "${workdir}/intermediate_ca.ini"
# See "CONFIGURATION FILE FORMAT" section of the req manpage:
#
# man 1 req
#
# https://www.openssl.org/docs/man1.0.2/apps/openssl-req.html#CONFIGURATION-FILE-FORMAT
[req]
# NOTE: Setting prompt to no prevents 'openssl req' from asking
# the user if they wish to modify the distinguished_name
# or extensions.
prompt=no
# These settings specify other INI sections that provide configuration.
distinguished_name = dn_data
req_extensions = extension_data
# See "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" section of
# the req manpage:
#
# man 1 req
#
# https://www.openssl.org/docs/man1.0.2/apps/openssl-req.html#DISTINGUISHED-NAME-AND-ATTRIBUTE-SECTION-FORMAT
[dn_data]
CN="${ca_name}"
# See the x509v3_config man page:
#
# man 5 x509v3_config
#
# https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html
[extension_data]
# pathlen:0 prevents this CA from issuing subordinate CA certificates.
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
nsComment="Puppet Server Internal Certificate"
EOF
openssl req \
  -config "${workdir}/intermediate_ca.ini" \
  -outform PEM -out "${csr_output}" \
  -newkey rsa:4096 -sha256 \
  -keyform PEM -nodes -keyout "${key_output}" >&2
printf '\nRSA private key created: %s\n' "${key_output}" >&2
printf 'Keep this file somewhere safe. It will be needed during PE installation.\n' >&2
printf '\nPEM formatted Certificate Signing Request created: %s\n' "${csr_output}" >&2
printf 'Submit this file to your external Certificate Authority.\n' >&2
printf '%s\n' "${csr_output}"
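
Before the CSR goes to the external CA, it is worth confirming that it carries what `intermediate_ca.ini` requested (critical `CA:TRUE, pathlen:0`, critical `keyCertSign`/`cRLSign`, a 4096-bit key, a SHA-256 signature). The following is an added example, not part of the original gist: the function names and the sample text are constructed here, and the matched strings assume the usual layout of `openssl req -noout -text` output.

```bash
# Added example, not part of the original gist.

# Print the trimmed line that follows the first line matching header $1.
ext_value() {
  awk -v hdr="$1" '
    found    { gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }
    $0 ~ hdr { found = 1 }'
}

# Read `openssl req -noout -text` output on stdin; return 1 if a value
# differs from what intermediate_ca.ini and the req command line request.
check_csr_text() {
  csr_text=$(cat); rc=0
  bc=$(printf '%s\n' "${csr_text}" | ext_value 'X509v3 Basic Constraints: critical')
  ku=$(printf '%s\n' "${csr_text}" | ext_value 'X509v3 Key Usage: critical')
  [ "${bc}" = 'CA:TRUE, pathlen:0' ] ||
    { printf 'basicConstraints mismatch: "%s"\n' "${bc}" >&2; rc=1; }
  [ "${ku}" = 'Certificate Sign, CRL Sign' ] ||
    { printf 'keyUsage mismatch: "%s"\n' "${ku}" >&2; rc=1; }
  printf '%s\n' "${csr_text}" | grep -q 'Public-Key: (4096 bit)' ||
    { printf 'public key is not 4096-bit\n' >&2; rc=1; }
  printf '%s\n' "${csr_text}" |
    grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
    { printf 'CSR is not signed with sha256WithRSAEncryption\n' >&2; rc=1; }
  return "${rc}"
}

# Check a CSR file; -verify validates the request's self-signature first.
check_csr() {
  openssl req -in "$1" -noout -verify >&2 || return 1
  openssl req -in "$1" -noout -text | check_csr_text
}

# Constructed, abbreviated sample of `openssl req -noout -text` output.
sample_csr_text() {
  cat <<'EOF'
Certificate Request:
    Data:
        Subject: CN = Puppet Enterprise CA generated at 2019-05-18 17:21:00 +0000
                RSA Public-Key: (4096 bit)
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
EOF
}
```

Run `check_csr puppet_ca_csr.pem` in the directory where the script wrote its output; a non-zero exit status means the request does not match the configuration above.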