Create a CA ROOT X.509 self-signed certificate, then create and sign an X.509 subject certificate.
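#!/bin/bash
# Create a self-signed root CA certificate, then create and sign a subject
# certificate with it. Every default below can be overridden on the command
# line (see usage()). Private keys are written passphrase-encrypted.

# Defaults
CA_EXPIRY=7300                # root CA certificate lifetime, in days
SUBJ_EXPIRY=730               # subject certificate lifetime, in days
KEYDIR="$HOME/.ssl/private"   # private keys (CA and subject) go here
CERTDIR="$HOME/.ssl/certs"    # certificates and the CSR go here
CA="localCA"                  # base name of the CA key/certificate files
SUBJ="subj"                   # base name of the subject key/CSR/certificate files
CA_KEYLEN=4096                # RSA modulus size of the CA key, in bits
SUBJ_KEYLEN=2048              # RSA modulus size of the subject key, in bits
DRYRUN=0                      # 1: only print the commands that would run
# Script name for the usage text. Quoted and with '--' so a script path that
# contains spaces or starts with '-' cannot split or be taken as an option.
NAME="$(basename -- "${BASH_SOURCE[0]}")"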
#######################################
# Print the option summary and abort the script.
# Globals:   NAME, KEYDIR, CERTDIR, CA, SUBJ, CA_KEYLEN, SUBJ_KEYLEN,
#            CA_EXPIRY, SUBJ_EXPIRY (read, for the "Default is" text)
# Outputs:   help text on stdout
# Returns:   never; exits with status 1
#######################################
usage () {
  printf '%s\n' \
    "Usage: $NAME <options>" \
    "Options:" \
    "-kD <keydir> Key directory. Default is '$KEYDIR'." \
    "-cD <certdir> Certificate directory. Default is '$CERTDIR'." \
    "-ca <CA> CA name. Default is '$CA'." \
    "-s <SUBJ> Subject name. Default is '$SUBJ'." \
    "-caKL <n> CA key length in bits. Default is $CA_KEYLEN." \
    "-sKL <n> Subject key length in bits. Default is $SUBJ_KEYLEN." \
    "-caX <n> CA ROOT certificate expiry in days. Default is $CA_EXPIRY." \
    "-sX <n> Subject certificate expiry in days. Default is $SUBJ_EXPIRY." \
    "-dry Only print actions." \
    "CA ROOT key filename will be <keydir>/<CA>.key, certificate will be <certdir>/<CA>.pem" \
    "Subject key filename will be <keydir>/<SUBJ>.key, request will be <certdir>/<SUBJ>.csr, certificate will be <certdir>/<SUBJ>.pem" \
    "All missing keys and certificates will be generated."
  exit 1
}
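#######################################
# Print a command, then run it unless DRYRUN is set. A failing command aborts
# the whole script with status 1.
# Arguments: one argument  - a shell string, evaluated with eval (original
#                            calling convention; the caller must quote values)
#            several args  - an argv, executed directly without eval, so
#                            values containing quotes or shell metacharacters
#                            cannot alter the command
# Globals:   DRYRUN (read)
# Outputs:   the command on stdout, indented by one space
# Returns:   0 on success or dry run; exits 1 if the command fails
#######################################
echo_and_eval () {
  if (( $# > 1 )); then
    printf ' %s\n' "$*"
    (( DRYRUN )) && return 0
    "$@" || exit 1
    return 0
  fi
  local cmd="$1"
  echo " $cmd"
  # eval runs in the current shell on purpose: assignments in $cmd persist.
  (( DRYRUN )) || eval "$cmd" || exit 1
}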
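#######################################
# Parse the command line into the global option variables.
# Arguments: the script's "$@"
# Globals:   KEYDIR, CERTDIR, CA, SUBJ, CA_KEYLEN, SUBJ_KEYLEN,
#            CA_EXPIRY, SUBJ_EXPIRY, DRYRUN (written)
# Returns:   0; an unknown option, or an option missing its value, calls
#            usage(), which exits
#######################################
parse_args () {
  while (( $# )) ; do
    case "$1" in
      -dry)
        DRYRUN=1
        shift
        ;;
      -kD|-cD|-ca|-s|-caKL|-sKL|-caX|-sX)
        # All of these take a value. Without this guard a trailing option
        # ("-ca" as the last word) makes 'shift 2' fail, which leaves "$@"
        # untouched and the loop never terminates.
        (( $# >= 2 )) || usage
        case "$1" in
          -kD)   KEYDIR="${2%/}" ;;     # drop one trailing slash
          -cD)   CERTDIR="${2%/}" ;;
          -ca)   CA="$2" ;;
          -s)    SUBJ="$2" ;;
          -caKL) CA_KEYLEN="$2" ;;
          -sKL)  SUBJ_KEYLEN="$2" ;;
          -caX)  CA_EXPIRY="$2" ;;
          -sX)   SUBJ_EXPIRY="$2" ;;
        esac
        shift 2
        ;;
      *)
        usage
        ;;
    esac
  done
}
# Process command line
parse_args "$@"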
# Checks: key sizes and lifetimes must be unsigned integers, names and
# directories must be non-empty; anything else prints usage and exits.
for var in "$CA_EXPIRY" "$SUBJ_EXPIRY" "$CA_KEYLEN" "$SUBJ_KEYLEN" ; do
  # non-empty and made only of digits (same test as ^[0-9]+$)
  if [[ -z $var || $var == *[!0-9]* ]] ; then
    usage
  fi
done
for var in "$KEYDIR" "$CERTDIR" "$CA" "$SUBJ" ; do
  if [[ -z $var ]] ; then
    usage
  fi
done
# Derived file names: private keys under KEYDIR, everything else under CERTDIR.
CA_KEY="${KEYDIR}/${CA}.key"
CA_CERT="${CERTDIR}/${CA}.pem"
SUBJ_KEY="${KEYDIR}/${SUBJ}.key"
SUBJ_CSR="${CERTDIR}/${SUBJ}.csr"
SUBJ_CERT="${CERTDIR}/${SUBJ}.pem"
# Nothing to do once the subject certificate exists; existing keys and the
# CA certificate are reused, never regenerated.
if test -f "$SUBJ_CERT" ; then
  echo "Subject certificate exists, done"
  exit 0
fi
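# Create directories.
# Test the directory itself, not its parent: an existing ~/.ssl must not
# skip creating a missing ~/.ssl/private. Values are %q-quoted because
# echo_and_eval evaluates the string, so a path with quotes or spaces
# cannot break the command.
# -m 700 gives the key directory owner-only access at creation time instead
# of creating it with the umask default and chmod-ing afterwards.
[[ -d $KEYDIR ]] || echo_and_eval "mkdir -p -m 700 $(printf '%q' "$KEYDIR")"
[[ -d $CERTDIR ]] || echo_and_eval "mkdir -p $(printf '%q' "$CERTDIR")"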
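# Root CA: create the passphrase-encrypted private key if it is missing, then
# the self-signed certificate. An existing key is reused.
if [[ ! -f $CA_CERT ]] ; then
  # %q-quoted for the string echo_and_eval evaluates (safe with quotes/spaces)
  ca_key_q=$(printf '%q' "$CA_KEY")
  ca_cert_q=$(printf '%q' "$CA_CERT")
  if [[ ! -f $CA_KEY ]] ; then
    echo "Generating CA private key, saving to '$CA_KEY'"
    # PKCS#8 RSA key encrypted with AES-256-CBC; openssl prompts for the
    # passphrase. The subshell umask makes the key file owner-only from the
    # moment it is written, without changing the umask for the rest of the run.
    echo_and_eval "(umask 077 && openssl genpkey -algorithm RSA -aes-256-cbc -pkeyopt rsa_keygen_bits:$CA_KEYLEN -out $ca_key_q)"
  fi
  echo "Generating CA ROOT certificate, saving to '$CA_CERT'"
  # The v3_ca extension section comes from the openssl.cnf in use (the script
  # supplies no config of its own); the subject DN is prompted for interactively.
  echo_and_eval "openssl req -x509 -new -key $ca_key_q -days $CA_EXPIRY -sha256 -extensions v3_ca -out $ca_cert_q"
fi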
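# Subject: create the passphrase-encrypted private key if it is missing, then
# a certificate signing request. An existing key is reused.
if [[ ! -f $SUBJ_CSR ]] ; then
  # %q-quoted for the string echo_and_eval evaluates (safe with quotes/spaces)
  subj_key_q=$(printf '%q' "$SUBJ_KEY")
  subj_csr_q=$(printf '%q' "$SUBJ_CSR")
  if [[ ! -f $SUBJ_KEY ]] ; then
    echo "Generating subject private key, saving to '$SUBJ_KEY'"
    # Subshell umask: the key file is owner-only from creation; see the CA key.
    echo_and_eval "(umask 077 && openssl genpkey -algorithm RSA -aes-256-cbc -pkeyopt rsa_keygen_bits:$SUBJ_KEYLEN -out $subj_key_q)"
  fi
  echo "Generating subject certificate request, saving to '$SUBJ_CSR'"
  # NOTE(review): without -x509, 'openssl req' takes request extensions from
  # -reqexts (or req_extensions in openssl.cnf), so '-extensions v3_req' is
  # not expected to add anything to the CSR. Left unchanged because the
  # signing step ('openssl x509 -req') does not copy CSR extensions into the
  # certificate by default anyway; the DN is prompted for interactively.
  echo_and_eval "openssl req -new -key $subj_key_q -out $subj_csr_q -extensions v3_req"
fi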
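# Sign the subject's request with the CA key, then remove the request.
# -CAcreateserial creates/updates the serial file next to the CA certificate.
# NOTE(review): by default 'openssl x509 -req' does not carry CSR extensions
# into the issued certificate, so the result will typically have no SAN,
# keyUsage or EKU; a certificate meant for TLS needs those supplied at this
# step (for example via -extfile). Paths are %q-quoted for the evaluated string.
echo "Signing subject certificate request, saving certificate to '$SUBJ_CERT'"
echo_and_eval "openssl x509 -req -in $(printf '%q' "$SUBJ_CSR") -CA $(printf '%q' "$CA_CERT") -CAkey $(printf '%q' "$CA_KEY") -CAcreateserial -days $SUBJ_EXPIRY -sha256 -out $(printf '%q' "$SUBJ_CERT")"
# '--' so a request name starting with '-' is never parsed as an rm option.
echo_and_eval "rm -- $(printf '%q' "$SUBJ_CSR")"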