Script to generate a Root CA, Intermediate CA and then to sign the Intermediate with the Root.
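#!/bin/bash
#
# Generate a Root CA and an Intermediate CA, and sign the Intermediate with
# the Root.  All behaviour is driven by the configuration variables below;
# edit them before running.  The script re-executes itself through sudo when
# USE_SUDO is "YES" and it was not started as root.

USER=$(id -u -n)    # invoking user; compared against "root" further down
GROUP=$(id -g -n)   # not referenced by the script at present

# Which artefacts to produce ("YES" / anything else means no).
GENERATE_ROOT_CA_FILE="YES"
GENERATE_CA_DER_FILE="YES"
GENERATE_IM_CA_FILE="YES"
GENERATE_IM_DER_FILE="NO"
GENERATE_DH_FILE="NO"
USE_SUDO="NO"

# Output locations.  Private keys (and the DH parameters) live under the
# directory of CA_PRIVATE_KEY, certificates under the directory of
# CA_PUBLIC_CERT; SSL_KEY_DIR / SSL_PUB_DIR are derived from those below.
CA_PRIVATE_KEY="/etc/ssl/private/rootCA.pem"
CA_PUBLIC_CERT="/etc/ssl/certs/rootCA.crt"
CA_PUBLIC_DER="/etc/ssl/certs/rootCA.der"
IM_CA_PRIVATE_KEY="/etc/ssl/private/squidCA.pem"
IM_CA_CSR="/tmp/squidCA.csr"   # transient: written while signing the intermediate, removed afterwards
IM_CA_PUBLIC_CERT="/etc/ssl/certs/squidCA.crt"
# Previously pointed at rootCA.der, so exporting the intermediate as DER
# silently overwrote the root CA's DER file.
IM_CA_PUBLIC_DER="/etc/ssl/certs/squidCA.der"
DH_FILE="/etc/ssl/private/squidDHParam.pem"

# Root CA subject and key parameters.  Note that a 365-day root means every
# client that trusts it has to be updated yearly.
CA_COUNTRY="HK"
CA_STATE=""
CA_LOCALITY="Hong Kong"
CA_ORGANISATION="Parent Router Ltd"
CA_COMMON_NAME="PARENTROUTER Root CA"
CA_VALID_DAYS=365
CA_ENCRYPTION_TYPE="rsa:4096"   # passed to 'openssl req -newkey'

# Intermediate CA subject and key parameters.
IM_CA_COUNTRY="HK"
IM_CA_STATE=""
IM_CA_LOCALITY="Hong Kong"
IM_CA_ORGANISATION="Parent Router Ltd"
IM_CA_COMMON_NAME="myrouter.parentrouter"
IM_CA_VALID_DAYS="365"
IM_CA_ENCRYPTION_STRENGTH="4096"   # RSA modulus size for 'openssl genrsa'
# Fixed serial: every (re)signing of the intermediate yields a certificate
# with the same issuer+serial pair.  Bump it when re-signing if clients have
# already seen the previous certificate.
IM_CA_SERIAL="01"

DH_STRENGTH="2048"

# Derived paths and tool names.
SSL_KEY_DIR=$(dirname "$CA_PRIVATE_KEY")
SSL_PUB_DIR=$(dirname "$CA_PUBLIC_CERT")
SUDO="sudo"       # cleared later when USE_SUDO != YES
OPENSSL="openssl"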
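#######################################
# Ask a yes/no question on the terminal.
# Arguments: $1 - prompt string (optional; defaults to "Are you sure? [y/N]")
# Inputs:    one line from stdin
# Returns:   0 for "y"/"yes" in any letter case, 1 for anything else
#            (including an empty line or end of input)
#######################################
confirm() {
  local response
  read -r -p "${1:-Are you sure? [y/N]} " response
  case "$response" in
    [yY][eE][sS]|[yY])
      return 0
      ;;
    *)
      return 1
      ;;
  esac
}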
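#######################################
# Print an error to stderr and exit non-zero.
# The original code ran 'exit $?' right after an echo, which always exited
# with status 0 and so reported failures as success to the caller.
# Arguments: $* - message
#######################################
fail() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Run one openssl invocation (through sudo when enabled) and report on it.
# openssl's own stderr is no longer discarded: for a CA script the reason a
# step failed is exactly what the operator needs to see.
# Arguments: $1 - message on failure, $2 - message on success,
#            $@ - openssl subcommand and options
# Globals:   SUDO, OPENSSL
# Returns:   0 on success; exits the script via fail() otherwise
#######################################
run_openssl() {
  local fail_msg=$1
  local ok_msg=$2
  shift 2
  # $SUDO is deliberately unquoted: it expands to nothing when sudo is off.
  # shellcheck disable=SC2086
  if $SUDO "$OPENSSL" "$@"; then
    printf '\t%s\n' "$ok_msg"
  else
    fail "$fail_msg"
  fi
}

if [ "$USE_SUDO" != "YES" ]; then
  SUDO=""
fi

if [ "$USER" != "root" ]; then
  echo "We need root access to write to $SSL_KEY_DIR directory" >&2
  if [ "$USE_SUDO" == "YES" ]; then
    # Replace this process with a root copy of the script; nothing below runs
    # as the unprivileged user in that case.
    # shellcheck disable=SC2086
    exec $SUDO -p "Password:" -- "$0" "$@"
  fi
  # Without sudo we carry on; the configured directories may be writable.
fi

# shellcheck disable=SC2086
[ -d "$SSL_KEY_DIR" ] || $SUDO mkdir -p "$SSL_KEY_DIR" || fail "Could not create $SSL_KEY_DIR"
# shellcheck disable=SC2086
[ -d "$SSL_PUB_DIR" ] || $SUDO mkdir -p "$SSL_PUB_DIR" || fail "Could not create $SSL_PUB_DIR"

##### ROOT CA GENERATION ########
if [ "$GENERATE_ROOT_CA_FILE" == "YES" ]; then
  # Generate when no key exists; when one exists, only after confirmation.
  # (The previous test fired only when the key already existed, so a fresh
  # system never produced a root CA at all.)
  if [ ! -f "$CA_PRIVATE_KEY" ] || confirm "Root Key Pair Already Exists! Regenerate? y/n:"; then
    echo "Generating Root SSL Key Pair..."
    # -nodes stores the root private key unencrypted; whoever can read that
    # file can issue certificates trusted by every client that imports the
    # root.  CA extensions for the self-signed certificate come from the
    # default openssl.cnf (its v3_ca section), not from this script.
    run_openssl "Failed to Generate Root SSL Key Pair!" "Successfully Generated Root SSL Key Pair" \
      req -new -nodes -x509 -sha256 \
      -newkey "$CA_ENCRYPTION_TYPE" \
      -days "$CA_VALID_DAYS" \
      -keyout "$CA_PRIVATE_KEY" \
      -out "$CA_PUBLIC_CERT" \
      -subj "/C=${CA_COUNTRY}/ST=${CA_STATE}/L=${CA_LOCALITY}/O=${CA_ORGANISATION}/CN=${CA_COMMON_NAME}"
    # Owner-only permissions on the key regardless of the caller's umask.
    # shellcheck disable=SC2086
    $SUDO chmod 600 "$CA_PRIVATE_KEY" || fail "Could not restrict permissions on $CA_PRIVATE_KEY"

    if [ "$GENERATE_CA_DER_FILE" == "YES" ] && [ -f "$CA_PUBLIC_CERT" ]; then
      echo "Generating CA SSL DER File..."
      # DER copy of the public certificate, for importing into client trust stores.
      run_openssl "Failed to Generate SSL DER file!" "Successfully Generated SSL DER File!" \
        x509 -outform der -in "$CA_PUBLIC_CERT" -out "$CA_PUBLIC_DER"
    fi
  fi
fi
##### END ROOT CA GENERATION ########

##### INTERMEDIATE CA GENERATION ########
if [ ! -f "$CA_PRIVATE_KEY" ]; then
  echo "WARNING: Could not find root CA file. Will not generate intermediate ca keypair as we cannot sign it" >&2
fi

if [ "$GENERATE_IM_CA_FILE" == "YES" ] && [ -f "$CA_PRIVATE_KEY" ]; then
  if [ ! -f "$IM_CA_PRIVATE_KEY" ] || confirm "Intermediate Key Pair Already Exists! Regenerate? y/n:"; then
    # A certificate issued for the previous key no longer matches; drop it so
    # the signing step below runs again.  -f: it may not exist yet.
    # shellcheck disable=SC2086
    $SUDO rm -f -- "$IM_CA_PUBLIC_CERT"
    echo "Generating Intermediate CA SSL Key Pair..."
    run_openssl "Failed to Generate Intermediate CA SSL Key Pair!" "Successfully Generated Intermediate CA SSL Key Pair" \
      genrsa -out "$IM_CA_PRIVATE_KEY" "$IM_CA_ENCRYPTION_STRENGTH"
    # shellcheck disable=SC2086
    $SUDO chmod 600 "$IM_CA_PRIVATE_KEY" || fail "Could not restrict permissions on $IM_CA_PRIVATE_KEY"
  fi

  if [ ! -f "$IM_CA_PUBLIC_CERT" ] || confirm "Intermediate Key Already Signed! Re-sign? y/n:"; then
    # shellcheck disable=SC2086
    $SUDO rm -f -- "$IM_CA_PUBLIC_CERT"
    echo "Signing Intermediate CA SSL File..."

    # The CSR and the extension file go into a private scratch directory.
    # With a fixed, predictable path in the shared /tmp another local user
    # could pre-create it or swap the CSR between the 'req' and the
    # 'x509 -req' step, i.e. get the root CA to sign a request of their own.
    # The directory is removed on every exit path by the trap.
    TMP_WORK_DIR=$(mktemp -d) || fail "Could not create temporary directory"
    trap 'rm -rf -- "${TMP_WORK_DIR:?}"' EXIT
    csr_file="$TMP_WORK_DIR/${IM_CA_CSR##*/}"
    ext_file="$TMP_WORK_DIR/intermediate.ext"

    # 'x509 -req' does not copy extensions from the CSR; without this file
    # the result is an end-entity certificate that cannot sign anything, so
    # it would not work as an intermediate CA.  pathlen:0 prevents it from
    # issuing further CA certificates.
    cat > "$ext_file" <<'EOF' || fail "Could not write extension file"
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

    # Build a CSR for the intermediate key.
    run_openssl "Failed to Generate Intermediate CA CSR!" "Successfully Generated Intermediate CA CSR" \
      req -new -sha256 \
      -key "$IM_CA_PRIVATE_KEY" \
      -out "$csr_file" \
      -subj "/C=${IM_CA_COUNTRY}/ST=${IM_CA_STATE}/L=${IM_CA_LOCALITY}/O=${IM_CA_ORGANISATION}/CN=${IM_CA_COMMON_NAME}"

    # Sign the CSR with the root.  -sha256 is explicit so the signature digest
    # does not depend on the installed openssl's default.
    run_openssl "Failed to Sign Intermediate CA CSR!" "Successfully Signed Intermediate CA CSR" \
      x509 -req -sha256 \
      -days "$IM_CA_VALID_DAYS" \
      -in "$csr_file" \
      -CA "$CA_PUBLIC_CERT" \
      -CAkey "$CA_PRIVATE_KEY" \
      -set_serial "$IM_CA_SERIAL" \
      -extfile "$ext_file" \
      -out "$IM_CA_PUBLIC_CERT"

    # Remove the CSR and extension file now; the trap covers failure paths.
    rm -rf -- "${TMP_WORK_DIR:?}"
  fi

  if [ "$GENERATE_IM_DER_FILE" == "YES" ] && [ -f "$IM_CA_PUBLIC_CERT" ]; then
    echo "Generating Intermediate CA SSL DER File..."
    # DER copy of the intermediate certificate, for importing elsewhere.
    run_openssl "Failed to Generate Intermediate CA SSL DER file!" "Successfully Generated Intermediate CA SSL DER File!" \
      x509 -outform der -in "$IM_CA_PUBLIC_CERT" -out "$IM_CA_PUBLIC_DER"
  fi
fi

if [ "$GENERATE_DH_FILE" == "YES" ]; then
  echo "Generating DH File... (this may take some time)"
  # Diffie-Hellman parameters for the TLS server side; not secret, but slow to create.
  run_openssl "Failed to Generate DHParam file!" "Successfully Generated DHParam file!" \
    dhparam -outform PEM -out "$DH_FILE" "$DH_STRENGTH"
fi
##### END INTERMEDIATE CA GENERATION ########

exit 0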