Created
August 7, 2016 19:35
-
-
Save dunkelstern/204b151f4a6452acad484ab4a93f22d4 to your computer and use it in GitHub Desktop.
Create certificates for a new machine for an IKEv2 vpn
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [ "$1" = "" ] ; then | |
| echo "Usage: $0 <machine_name>" | |
| exit 1 | |
| fi | |
| machinename=$1 | |
| # configure these to the visible public values of the server | |
| ip="10.0.0.0" | |
| ipv6="::1" | |
| host="vpn.example.com" | |
| pushd /etc/ipsec.d | |
| mkdir -p p12 | |
| ipsec pki --gen --type rsa --size 2048 --outform der > private/$machinename.der | |
| chmod 600 private/$machinename.der | |
| ipsec pki --pub --in private/$machinename.der --type rsa | \ | |
| ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der \ | |
| --dn "C=DE, O=Dunkelstern, CN=$machinename@$host" --san "$machinename@$host" --san "$machinename@$ip" \ | |
| --san "$machinename@[$ipv6]" --outform der > certs/$machinename.der | |
| openssl rsa -inform DER -in private/$machinename.der -out private/$machinename.pem -outform PEM | |
| openssl x509 -inform DER -in certs/$machinename.der -out certs/$machinename.pem -outform PEM | |
| openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM | |
| openssl pkcs12 -export -inkey private/$machinename.pem -in certs/$machinename.pem \ | |
| -name "$machinename VPN Certificate" -certfile cacerts/strongswanCert.pem \ | |
| -caname "Dunkelstern VPN Root CA" -out p12/$machinename.p12 | |
| popd |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment