Script to generate a Root CA, Intermediate CA and then to sign the Intermediate with the Root.
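#!/bin/bash
# Generate a self-signed Root CA, an Intermediate CA key pair, and sign the
# Intermediate with the Root (optionally emitting DER copies and a DH file).
#
# Adjust the variables in this section before running.  Security notes:
#  - The Root key is written unencrypted (`req -nodes`) and lives on the same
#    host as the Intermediate key; whoever can read $CA_PRIVATE_KEY can mint
#    certificates trusted by every client that imports the Root.
#  - $CA_PUBLIC_DER is the file to hand to clients; the *.pem private keys
#    must never leave $SSL_KEY_DIR.
#  - $IM_CA_SERIAL is fixed, so re-signing the Intermediate reuses the same
#    issuer+serial pair; clients that cached the old certificate may reject
#    the new one — change the serial before re-signing.

# Login name and group of the invoking user (this overrides the inherited
# $USER for the rest of the script).  GROUP is currently unused.
USER=$(id -u -n)
GROUP=$(id -g -n)

# Which artefacts to produce ("YES" enables a step).
GENERATE_ROOT_CA_FILE="YES"
GENERATE_CA_DER_FILE="YES"
GENERATE_IM_CA_FILE="YES"
GENERATE_IM_DER_FILE="NO"
GENERATE_DH_FILE="NO"
# "YES": re-exec the script under sudo when not already running as root.
USE_SUDO="NO"

# Root CA files.
CA_PRIVATE_KEY="/etc/ssl/private/rootCA.pem"
CA_PUBLIC_CERT="/etc/ssl/certs/rootCA.crt"
CA_PUBLIC_DER="/etc/ssl/certs/rootCA.der"
# Intermediate CA files.  IM_CA_CSR is scratch space for the signing request
# and is removed after signing.
IM_CA_PRIVATE_KEY="/etc/ssl/private/squidCA.pem"
IM_CA_CSR="/tmp/squidCA.csr"
IM_CA_PUBLIC_CERT="/etc/ssl/certs/squidCA.crt"
# Must differ from CA_PUBLIC_DER: the previous value (rootCA.der) made the
# Intermediate DER overwrite the Root DER.
IM_CA_PUBLIC_DER="/etc/ssl/certs/squidCA.der"
DH_FILE="/etc/ssl/private/squidDHParam.pem"

# Root CA subject and key parameters.  Empty attributes (e.g. CA_STATE) are
# skipped by openssl when it builds the subject.
CA_COUNTRY="HK"
CA_STATE=""
CA_LOCALITY="Hong Kong"
CA_ORGANISATION="Parent Router Ltd"
CA_COMMON_NAME="PARENTROUTER Root CA"
CA_VALID_DAYS=365
CA_ENCRYPTION_TYPE="rsa:4096"     # `openssl req -newkey` algorithm:bits

# Intermediate CA subject and key parameters.
IM_CA_COUNTRY="HK"
IM_CA_STATE=""
IM_CA_LOCALITY="Hong Kong"
IM_CA_ORGANISATION="Parent Router Ltd"
IM_CA_COMMON_NAME="myrouter.parentrouter"
IM_CA_VALID_DAYS="365"
IM_CA_ENCRYPTION_STRENGTH="4096"  # RSA modulus bits for `openssl genrsa`
IM_CA_SERIAL="01"
DH_STRENGTH="2048"                # DH prime size in bits

# Derived directories and tool names.
SSL_KEY_DIR=$(dirname "$CA_PRIVATE_KEY")
SSL_PUB_DIR=$(dirname "$CA_PUBLIC_CERT")
# Prefix for privileged commands.  It is cleared when USE_SUDO != YES, so it
# is deliberately expanded unquoted wherever it is used.
SUDO="sudo"
OPENSSL="openssl"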
confirm () {
  # Ask a yes/no question ($1, default "Are you sure? [y/N]") and return 0
  # only for "y" or "yes" in any letter case; anything else (including an
  # empty line or EOF) returns 1.
  read -r -p "${1:-Are you sure? [y/N]} " response
  [[ "$response" =~ ^[yY]([eE][sS])?$ ]]
}
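# Drop the sudo prefix unless it was explicitly requested.
if [ "$USE_SUDO" != "YES" ]; then
  SUDO=""
fi
# Privilege is uid 0, not the login name "root", so test the effective uid.
if [ "$EUID" -ne 0 ]; then
  echo "We need root access to write to $SSL_KEY_DIR directory" >&2
  if [ "$USE_SUDO" == "YES" ]; then
    # Re-run this script under sudo; exec does not return on success.
    # Note: this re-executes "$0", so the script must be executable and
    # invoked by path (not as `bash script.sh`).
    exec $SUDO -p "Password:" -- "$0" "$@"
  fi
  # With USE_SUDO=NO we carry on so that a non-root user who can write to
  # the configured directories can still use the script; otherwise the
  # following steps fail with their own error.
fi
# Create the output directories.  Failing here is fatal: nothing below can
# succeed, and continuing only produces a less informative error later.
if [ ! -d "$SSL_KEY_DIR" ]; then
  $SUDO mkdir -p -- "$SSL_KEY_DIR" || { echo "ERROR: Could not create $SSL_KEY_DIR" >&2; exit 1; }
  # A freshly created key directory should not be world-traversable.
  $SUDO chmod 700 "$SSL_KEY_DIR"
fi
if [ ! -d "$SSL_PUB_DIR" ]; then
  $SUDO mkdir -p -- "$SSL_PUB_DIR" || { echo "ERROR: Could not create $SSL_PUB_DIR" >&2; exit 1; }
fi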
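##### ROOT CA GENERATION ########
if [ "$GENERATE_ROOT_CA_FILE" == "YES" ]; then
  # Generate when no key exists yet; if one does, only after confirmation.
  # (`[ -f ] && confirm` would skip a fresh install altogether.)
  if [ ! -f "$CA_PRIVATE_KEY" ] || confirm "Root Key Pair Already Exists! Regenerate? y/n:"; then
    echo "Generating Root SSL Key Pair..."
    # -nodes: the Root key is written without a passphrase.  -x509: emit a
    # self-signed certificate.  The CA extensions (basicConstraints=CA:TRUE
    # etc.) come from the system openssl.cnf defaults for `req -x509`; check
    # with `openssl x509 -in "$CA_PUBLIC_CERT" -noout -text` afterwards.
    # openssl's stderr is captured and only shown when the command fails.
    err=$($SUDO "$OPENSSL" req -new -nodes \
      -newkey "$CA_ENCRYPTION_TYPE" -sha256 -days "$CA_VALID_DAYS" -x509 \
      -keyout "$CA_PRIVATE_KEY" -out "$CA_PUBLIC_CERT" \
      -subj "/C=${CA_COUNTRY}/ST=${CA_STATE}/L=${CA_LOCALITY}/O=${CA_ORGANISATION}/CN=${CA_COMMON_NAME}" \
      2>&1 >/dev/null)
    rc=$?
    # The exit status is captured before echo, so the script's own status
    # reflects the openssl failure (a bare `exit $?` after echo exits 0).
    if [ "$rc" -ne 0 ]; then
      printf 'ERROR: Failed to Generate Root SSL Key Pair!\n%s\n' "$err" >&2
      exit "$rc"
    fi
    # Do not rely on openssl's default file mode for the private key.
    $SUDO chmod 600 "$CA_PRIVATE_KEY"
    printf '\tSuccessfully Generated Root SSL Key Pair\n'
    if [ "$GENERATE_CA_DER_FILE" == "YES" ] && [ -f "$CA_PUBLIC_CERT" ]; then
      echo "Generating CA SSL DER File..."
      # DER copy of the public certificate, for import into client trust stores.
      err=$($SUDO "$OPENSSL" x509 -outform der -in "$CA_PUBLIC_CERT" -out "$CA_PUBLIC_DER" 2>&1 >/dev/null)
      rc=$?
      if [ "$rc" -ne 0 ]; then
        printf 'ERROR: Failed to Generate SSL DER file!\n%s\n' "$err" >&2
        exit "$rc"
      fi
      printf '\tSuccessfully Generated SSL DER File!\n'
    fi
  fi
fi
##### END ROOT CA GENERATION ########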
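##### INTERMEDIATE CA GENERATION ########
if [ ! -f "$CA_PRIVATE_KEY" ]; then
  echo "WARNING: Could not find root CA file. Will not generate generate intermediate ca keypair as we cannot sign it" >&2
fi
if [ "$GENERATE_IM_CA_FILE" == "YES" ] && [ -f "$CA_PRIVATE_KEY" ]; then
  # Generate a key when none exists; if one does, only after confirmation.
  # (`[ -f ] && confirm` would skip a fresh install altogether.)
  if [ ! -f "$IM_CA_PRIVATE_KEY" ] || confirm "Intermediate Key Pair Already Exists! Regenerate? y/n:"; then
    # A new key invalidates any certificate issued for the old one.
    $SUDO rm -f -- "$IM_CA_PUBLIC_CERT"
    echo "Generating Intermediate CA SSL Key Pair..."
    # openssl's stderr is captured and only shown when the command fails.
    err=$($SUDO "$OPENSSL" genrsa -out "$IM_CA_PRIVATE_KEY" "$IM_CA_ENCRYPTION_STRENGTH" 2>&1 >/dev/null)
    rc=$?
    if [ "$rc" -ne 0 ]; then
      printf 'ERROR: Failed to Generate Intermediate CA SSL Key Pair!\n%s\n' "$err" >&2
      exit "$rc"
    fi
    # Do not rely on openssl's default file mode for the private key.
    $SUDO chmod 600 "$IM_CA_PRIVATE_KEY"
    printf '\tSuccessfully Generated Intermediate CA SSL Key Pair\n'
  fi
  # Sign when no certificate exists; if one does, only after confirmation.
  if [ ! -f "$IM_CA_PUBLIC_CERT" ] || confirm "Intermediate Key Already Signed! Re-sign? y/n:"; then
    $SUDO rm -f -- "$IM_CA_PUBLIC_CERT"
    echo "Signing Intermediate CA SSL File..."
    # The CSR is written with root privileges, so never use the fixed,
    # predictable $IM_CA_CSR name directly (pre-created file / symlink
    # hazard in a shared /tmp); derive a fresh unique name from it instead.
    csr_file=$($SUDO mktemp "${IM_CA_CSR}.XXXXXX") || { echo "ERROR: Could not create a temporary CSR file" >&2; exit 1; }
    err=$($SUDO "$OPENSSL" req -new -sha256 -key "$IM_CA_PRIVATE_KEY" -out "$csr_file" \
      -subj "/C=${IM_CA_COUNTRY}/ST=${IM_CA_STATE}/L=${IM_CA_LOCALITY}/O=${IM_CA_ORGANISATION}/CN=${IM_CA_COMMON_NAME}" \
      2>&1 >/dev/null)
    rc=$?
    if [ "$rc" -ne 0 ]; then
      $SUDO rm -f -- "$csr_file"
      printf 'ERROR: Failed to Generate Intermediate CA CSR!\n%s\n' "$err" >&2
      exit "$rc"
    fi
    printf '\tSuccessfully Generated Intermediate CA CSR\n'
    # Sign the CSR with the Root.  Without -extfile, `x509 -req` emits a
    # certificate with no extensions at all (X.509 v1), which most TLS
    # clients refuse to accept as an issuer — the "Intermediate CA" would
    # not be a CA.  basicConstraints/keyUsage below make it one; pathlen:0
    # limits it to issuing end-entity certificates.  The extensions are fed
    # on stdin because sudo closes inherited fds >= 3, which rules out
    # process substitution, and a pipe works with or without sudo.
    err=$($SUDO "$OPENSSL" x509 -req -sha256 -days "$IM_CA_VALID_DAYS" \
      -in "$csr_file" -CA "$CA_PUBLIC_CERT" -CAkey "$CA_PRIVATE_KEY" \
      -set_serial "$IM_CA_SERIAL" -extfile /dev/stdin \
      -out "$IM_CA_PUBLIC_CERT" 2>&1 >/dev/null <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    )
    rc=$?
    # The CSR is scratch data either way; remove it before reporting.
    $SUDO rm -f -- "$csr_file"
    if [ "$rc" -ne 0 ]; then
      printf 'ERROR: Failed to Sign Intermediate CA CSR!\n%s\n' "$err" >&2
      exit "$rc"
    fi
    printf '\tSuccessfully Signed Intermediate CA CSR\n'
  fi
  if [ "$GENERATE_IM_DER_FILE" == "YES" ] && [ -f "$IM_CA_PUBLIC_CERT" ]; then
    # The two DER paths are configured separately and are easy to confuse;
    # refuse to clobber the Root DER that clients import.
    if [ "$IM_CA_PUBLIC_DER" = "$CA_PUBLIC_DER" ]; then
      echo "ERROR: IM_CA_PUBLIC_DER and CA_PUBLIC_DER point at the same file; refusing to overwrite the Root DER" >&2
      exit 1
    fi
    echo "Generating Intermediate CA SSL DER File..."
    # DER copy of the Intermediate certificate, for import where needed.
    err=$($SUDO "$OPENSSL" x509 -outform der -in "$IM_CA_PUBLIC_CERT" -out "$IM_CA_PUBLIC_DER" 2>&1 >/dev/null)
    rc=$?
    if [ "$rc" -ne 0 ]; then
      printf 'ERROR: Failed to Generate Intermediate CA SSL DER file!\n%s\n' "$err" >&2
      exit "$rc"
    fi
    printf '\tSuccessfully Generated Intermediate CA SSL DER File!\n'
  fi
fi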
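##### DH PARAMETER GENERATION ########
if [ "$GENERATE_DH_FILE" == "YES" ]; then
  echo "Generating DH File... (this may take some time)"
  # Generate DH parameters of $DH_STRENGTH bits; openssl's stderr (progress
  # dots and any error) is captured and only shown when the command fails.
  err=$($SUDO "$OPENSSL" dhparam -outform PEM -out "$DH_FILE" "$DH_STRENGTH" 2>&1 >/dev/null)
  rc=$?
  # Status is captured before echo so the script exits non-zero on failure
  # (a bare `exit $?` after echo would exit 0).
  if [ "$rc" -ne 0 ]; then
    printf 'ERROR: Failed to Generate DHParam file!\n%s\n' "$err" >&2
    exit "$rc"
  fi
  printf '\tSuccessfully Generated DHParam file!\n'
fi
##### END DH PARAMETER GENERATION ########
exit 0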