Create a TLS (SSL) server certificate signed by your own root CA certificate: a wrapper around `openssl req` (CSR) and `openssl x509 -req` (signing) that also writes the SAN extension file for you.
#!/usr/bin/env bash
##
# Sign a certificate using my root_ca.
#
# Note: the root CA certificate (duzun_root_CA.crt, the same file as root_ca below) must be installed in the
# trust store of every client that should accept these certificates (Arch: https://www.archlinux.org/news/ca-certificates-update/).
# Only the certificate is distributed; the CA private key stays on this machine, readable by its owner alone.
#
# @author Dumitru Uzun (DUzun.Me)
# @version 1.1.0
##
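# Script name for usage messages. "--" keeps a $0 that starts with "-"
# (a login shell reports "-bash") from being parsed as a basename option.
_me_=$(basename -- "$0")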
##
# Print the command-line help to stdout.
# Reads the global $_me_ (script name); takes no arguments; always returns 0.
##
usage() {
  printf '%s\n' \
    'Usage:' \
    "$_me_ <name>.csr | <name>.key | -h" \
    'If <name>.key is used, you will be prompted to supply certificate information,' \
    'and a new <name>.csr is generated.' \
    "Next time just run \`$_me_ <name>.csr\` to re-use the same information." \
    'If there is a <name>.ext file, it is used with -extfile,' \
    'otherwise it is generated to be used the next time.' \
    'A new <name>.pem file would be generated on success.'
}
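##
# Argument handling: resolve $1 into the file to work on.
#
# Sets the globals used by the rest of the script:
#   key      - path of the input (.csr or .key), known to exist afterwards
#   dir      - absolute directory of $key; every derived file goes there
#   name/ext - basename of $key split at its last dot
#   root_ca / root_ca_key - issuing CA certificate and private key
# Exit codes: 1 help, 2 usage error, 3 a needed file is missing.
##
if [ -z "$1" ] || [ "$1" == "-h" ]; then
  usage
  exit 1
fi

# Issuing CA. ROOT_CA / ROOT_CA_KEY in the environment override the historical
# defaults. The CA private key is the trust anchor for everything this script
# signs: keep it mode 0600, preferably passphrase-protected (openssl prompts
# for it when the key is encrypted), and never copy it onto the servers that
# receive the leaf certificates.
root_ca=${ROOT_CA:-/home/duzun/.ssh/duzun_root_CA.crt}
root_ca_key=${ROOT_CA_KEY:-/home/duzun/.ssh/duzun_root_CA.key}
# Fail before the interactive CSR prompts rather than after them.
for ca_file in "$root_ca" "$root_ca_key"; do
  if [ ! -f "$ca_file" ]; then
    echo >&2 "CA file '$ca_file' not found"
    exit 3
  fi
done

key=$1
basename=$(basename -- "$key")
# Derived files (.csr/.ext/.pem) live next to the input, not in the current
# directory; "." for a bare name.
dir=$(dirname -- "$key")
ext=${basename##*.}
name=${basename%.*}
# No dot in the file name leaves ext equal to the whole basename. Comparing
# against $basename (not $key) makes "sub/foo" behave like "foo".
[ "$ext" == "$basename" ] && ext=
if [ -z "$ext" ]; then
  # Bare <name>: reuse an existing CSR, otherwise start from the private key.
  if [ -f "$dir/$name.csr" ]; then
    ext=csr
  elif [ -f "$dir/$name.key" ]; then
    ext=key
  else
    usage
    exit 2
  fi
  key="$dir/$name.$ext"
elif [ ! -f "$key" ]; then
  echo >&2 "File '$key' not found"
  exit 3
fi
# Anything else (e.g. a .pem) would be handed to "openssl x509 -req" as a CSR.
case "$ext" in
  csr|key) ;;
  *)
    echo >&2 "Expected a .csr or .key file, got '$key'"
    exit 2
    ;;
esac
# Resolve only now that $key is known to exist: realpath on a missing path
# fails and used to leave dir="." with an error on stderr.
keypath=$(realpath -- "$key") || exit 3
dir=$(dirname -- "$keypath")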
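echo "key: $key"
echo "dir: $dir"
#
# Generate the CSR from the private key. Runs only when a .key was given; an
# existing .csr is signed as-is so the subject entered last time is reused.
# On success $key is redirected to the CSR for the signing step below.
# Exits 4 when openssl fails to produce the CSR.
if [[ "$ext" == "key" ]]; then
  csr="$dir/$name.csr"
  # Arguments travel as an array so paths containing spaces survive intact.
  req_args=(-new -sha256 -nodes -out "$csr")
  if [ -f "$key" ]; then
    req_args+=(-key "$key")
    run_umask=$(umask)
  else
    # Reachable only if the key vanished after the existence check above; kept
    # so the script stays correct if that check is ever relaxed. -nodes writes
    # the new key unencrypted, so create it readable by the owner only.
    req_args+=(-newkey rsa:2048 -keyout "$key")
    run_umask=077
  fi
  # Optional answers for the subject prompts, kept next to the key. Passed as
  # a plain path: openssl reads the file itself, no process substitution needed.
  if [ -f "$dir/$name.csr.cnf" ]; then
    req_args+=(-config "$dir/$name.csr.cnf")
  fi
  # The subshell scopes the umask to this one command.
  if ! ( umask "$run_umask"; openssl req "${req_args[@]}" ); then
    echo >&2 "Failed to create '$csr'"
    exit 4
  fi
  key=$csr
fi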
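##
# Sign the CSR with the root CA, producing <name>.pem (leaf followed by the CA).
#
# Inputs set above: key (CSR path), dir/name (output location),
# root_ca/root_ca_key (issuer). Exits 4 when the extension file cannot be
# written or openssl refuses to sign.
##

# Validity in days. Overridable because Apple platforms reject TLS server
# certificates valid for more than 825 days even when issued by a private CA;
# the default keeps this script's historical 3-year value.
days=${CERT_DAYS:-1096}
sign_args=(-days "$days" -sha256)

# Print the CN of a CSR ($1=req) or certificate ($1=x509) stored in file $2.
# sep_multiline emits one "key=value" per line, so a CN containing spaces or
# commas comes back whole instead of being cut at the first space.
subject_cn() {
  openssl "$1" -noout -subject -nameopt sep_multiline -in "$2" \
    | sed -n 's/^ *CN=//p' | head -n 1
}

extfile="$dir/$name.ext"
if [ ! -f "$extfile" ]; then
  # First run for this name: take the host name from the CSR, then from a
  # previously issued certificate, and finally from the file name itself.
  cn=$(subject_cn req "$key")
  [ -z "$cn" ] && [ -f "$dir/$name.pem" ] && cn=$(subject_cn x509 "$dir/$name.pem")
  [ -z "$cn" ] && cn=$name

  # RFC 5280 puts IP addresses in an IP SAN, not a DNS SAN, and a wildcard of
  # an address is meaningless, so choose the SAN type by the CN's shape.
  ipv4_re='^[0-9]+(\.[0-9]+){3}$'
  if [[ "$cn" =~ $ipv4_re || "$cn" == *:* ]]; then
    printf -v alt_names 'IP.1 = %s' "$cn"
  else
    printf -v alt_names 'DNS.1 = %s\nDNS.2 = *.%s' "$cn" "$cn"
  fi

  # Kept after signing so the next run reuses it; edit by hand to add names
  # or change the usage restrictions. extendedKeyUsage=serverAuth stops the
  # leaf from doubling as a client, code-signing or e-mail certificate.
  # A write failure is fatal: signing without -extfile would issue a
  # certificate with neither SAN nor basicConstraints.
  cat << EOF > "$extfile" || { echo >&2 "Cannot write '$extfile'"; exit 4; }
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
$alt_names
EOF
fi
sign_args+=(-extfile "$extfile")

pem="$dir/$name.pem"
# -CAcreateserial keeps the serial counter in a .srl file named after the CA
# certificate (created on first use) so serials stay unique across runs.
if ! openssl x509 -req -in "$key" \
    -CA "$root_ca" \
    -CAkey "$root_ca_key" \
    -CAcreateserial \
    -out "$pem" \
    "${sign_args[@]}"; then
  # Leave the .pem alone on failure: appending the CA to a stale file from an
  # earlier run would silently corrupt a working certificate.
  echo >&2 "Signing '$key' failed"
  exit 4
fi
# Append the issuer so the .pem is a ready-to-serve chain. Every client must
# already trust the root (see the header note), so serving it is redundant
# but harmless.
cat "$root_ca" >> "$pem"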