# Banner line. It runs before the colour-printing `echo` override defined
# further down exists, so this is plain stdout output.
printf '%s\n' "***************** Certs creation *************************"
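#######################################
# Print a message highlighted in bright yellow (ANSI 93), then reset.
# Shadows the builtin `echo` for every later call in this script. Like the
# builtin it joins all arguments with a single space (the original only
# printed $1); %b expands backslash escapes in the message, while the
# colour codes live in the format string. Locals no longer leak COLOR /
# ENDCOLOR into the script's global namespace.
# Arguments: $@ - message words
# Outputs:   one coloured line on stdout
#######################################
function echo {
  local -r color="\e[93m"
  local -r endcolor="\e[0m"
  printf "$color%b$endcolor\n" "$*"
}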
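# Build a throw-away test PKI in ./certs: a self-signed root CA, a server
# certificate for $DOMAIN signed by it, and a client certificate whose
# private key is generated inside the TPM (tpm2tss engine). Every file is
# written into $CERT_FOLDER, so the script changes into that directory first.
set -e   # a failed openssl/tpm2tss step invalidates every step after it

export CERT_FOLDER="$(pwd)/certs"
export DOMAIN="test.com"

mkdir -p -- "$CERT_FOLDER"
# Clear leftovers from a previous run. sudo because client_tpm.key is created
# by `sudo tpm2tss-genkey` below; ${VAR:?} refuses to expand to "/*" if the
# variable is ever empty; -f keeps an empty directory from being an error.
sudo rm -f -- "${CERT_FOLDER:?}"/*
# Never fall through into the caller's cwd: every later step writes keys here.
cd -- "$CERT_FOLDER" || exit 1
echo "Certs creation on folder: $CERT_FOLDER"

echo ">> SSL create CA cert"
# Root CA key and self-signed certificate. -batch suppresses the interactive
# prompts, so the subject comes from the openssl.cnf defaults. Key files are
# created with the current umask.
openssl genrsa -out rootCA.key 2048
openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

echo ">> SSL listen certificates"
# Server key and CSR. The CN is a bare "*"; the hostnames are supplied as
# subjectAltName when the CSR is signed below. (-days only affects -x509
# output and is kept for fidelity with the original invocation.)
openssl req \
  -subj "/CN=*" \
  -newkey rsa:4096 -nodes \
  -sha256 \
  -days 3650 \
  -keyout "$DOMAIN.key" \
  -out "$DOMAIN.csr"
# Sign the server CSR with the root CA. $DOMAIN is passed as a printf
# argument, not interpolated into the format string.
openssl x509 -req \
  -extfile <(printf 'subjectAltName=DNS:%s,DNS:test.lolca.com' "$DOMAIN") \
  -in "$DOMAIN.csr" -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out "$DOMAIN.crt" -days 500 -sha256

echo ">> SSL create TPM client cert"
# The client key is generated in the TPM; client_tpm.key is presumably the
# engine's wrapped key reference (loaded with -keyform engine), not a
# plaintext private key. Self-signed cert first, turned into a CSR next.
sudo tpm2tss-genkey -a rsa -s 2048 client_tpm.key
sudo openssl req -new -x509 \
  -engine tpm2tss \
  -subj "/CN=*" \
  -key client_tpm.key \
  -keyform engine \
  -out client.crt

echo ">> SSL create Certificate Signing Request"
# Convert the self-signed client cert back into a CSR signed by the TPM key.
sudo openssl x509 -x509toreq \
  -engine tpm2tss \
  -keyform engine \
  -in client.crt \
  -out CSR.csr \
  -signkey client_tpm.key

echo ">> SSL create client certificate"
# Issue the client certificate from the root CA; this is the cert a server
# trusting rootCA.pem will accept for mutual TLS.
openssl x509 -req -in CSR.csr \
  -CA rootCA.pem -CAkey rootCA.key \
  -CAcreateserial -out client_signed.crt \
  -days 500 -sha256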
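# Minimal nginx used to exercise the TPM-backed client certificate: a single
# TLS listener on 8043 that requires a client certificate chaining to
# rootCA.pem and answers every request with "OK!". Runs in the foreground
# with one worker and debug-level logging on stdout -- test use only.
# The cert paths assume the generated certs directory is available at
# /opt/certs (e.g. mounted into the container) -- confirm in the deployment.
worker_processes 1;
master_process off;
daemon off;
error_log /dev/stdout debug;
events {
    worker_connections 1024;
}
http {
    server {
        listen 8043 ssl;
        # Server identity: the test.com cert/key produced by the script.
        ssl_certificate /opt/certs/test.com.crt;
        ssl_certificate_key /opt/certs/test.com.key;
        # Mutual TLS: the client must present a cert issued under rootCA.pem.
        ssl_client_certificate /opt/certs/rootCA.pem;
        ssl_verify_client on;
        # client_signed.crt is issued directly by rootCA.pem, so a chain depth
        # of 1 is all that is needed; the earlier value of 1000 accepted
        # arbitrarily long chains for no reason.
        ssl_verify_depth 1;
        location / {
            return 200 'OK!';
        }
    }
}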
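# Smoke test: open a mutually-authenticated TLS session to the nginx above
# (172.17.0.3 is presumably the container's address), authenticating with
# the TPM-held client key, and send one plain HTTP/1.1 request.
# printf replaces `echo -e`: echo's -e and escape handling are not portable.
# certs/client_tpm.key was created by `sudo tpm2tss-genkey`, so it may be
# root-owned and unreadable here without sudo or a chown.
# NOTE(review): s_client only reports a failed verification of the server
# certificate against -CAfile unless -verify_return_error is given, so an
# "OK!" response by itself does not prove the server chain validated.
printf 'GET / HTTP/1.1\r\nHost: test.com\r\nConnection: Close\r\n\r\n' \
  | openssl s_client -connect 172.17.0.3:8043 \
      -cert certs/client_signed.crt \
      -key certs/client_tpm.key \
      -CAfile certs/rootCA.pem \
      -engine tpm2tss \
      -keyform engine \
      -quiet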