hummus/gen-cert

## gen-cert
#!/bin/bash
# original url: http://www.jamescoyle.net/how-to/1073-bash-script-to-create-an-ssl-certificate-key-and-request-csr
set -e
set -x

domain="${1-$(cat /etc/hostname)}"
commonname="$domain"

# if the domain is a freakin IP it must also specify an IP SAN
# hopefully you have a python
IS_IP=$(python -c "import sys; ot=sys.argv[1].split('.'); len(ot)==4 and all([p.isdigit() for p in ot]) and all([0<int(p)<256 for p in ot]) and sys.stdout.write('1\n') or sys.stdout.write('0\n')" $domain)

if [ $IS_IP -eq 0 ]; then
    # hostname
    SAN="DNS:$domain.adept.local"
else
    # ip
    export SAN="IP:$domain"
fi


errcho (){
    >&2 echo "$1"
}

rand_letters (){
    cat /dev/urandom| tr -dc 'A-Z'|head -c $1
}

# Change to your company details
country=$(rand_letters 2)
state=$(rand_letters 2)
locality=None
organization=None
organizationalunit=None
email=None@$domain


# Optional
password=password

if [ -z "$domain" ]
then
    echo "Argument not present."
    echo "Useage $0 [common name]"

    exit 99
fi

errcho "Generating key request for $domain"

# Generate a key
openssl genrsa -des3 -passout pass:$password -out $domain.key 2048 -noout

# Remove passphrase from the key. Comment the line out to keep the passphrase
errcho "Removing passphrase from key"
openssl rsa -in $domain.key -passin pass:$password -out $domain.key

# # Create the request
# errcho "Creating CSR"
# CONFIG="[req]
# prompt = no
# req_extensions = v3_req
# distinguished_name = req_distinguished_name

# [req_distinguished_name]
# C = $country
# ST = $state
# L = $locality
# O = $organization
# OU = $organizationalunit
# CN = $commonname
# emailAddress = $email

# [v3_req]
# basicConstraints = CA:FALSE
# keyUsage = digitalSignature, keyEncipherment
# subjectAltName = @alt_names

# [alt_names]
# DNS.1 = $domain
# IP.1 = $domain
# "
# openssl req -new \
#     -key $domain.key \
#     -passin pass:$password \
#     -extensions v3_req \
#     -config <(echo "$CONFIG") \
#     -out $domain.csr
CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
subjectAltName=$SAN
"

openssl req -config <(echo "$CONFIG") -new -newkey rsa:2048 -nodes \
  -subj "/CN=$commonname" -x509 -extensions ext -keyout $domain.key -out $domain.crt

# errcho "Self signing"
# openssl x509 -req -days 365 -in $domain.csr -signkey $domain.key -out $domain.crt

if [[ $GEN_CERT_PKCS12 -eq 1 ]]; then
    # maybe you need a single keystore file
    openssl pkcs12 -export -in $domain.crt -inkey $domain.key -out $domain.pkcs12 -password pass:password
    rm $domain.crt
    rm $domain.key
else
    # normal output, nice for catting somewhere
    # cat $domain.csr
    cat $domain.key
    cat $domain.crt
fi
# rm $domain.csr
	#!/bin/bash
	# original url: http://www.jamescoyle.net/how-to/1073-bash-script-to-create-an-ssl-certificate-key-and-request-csr
	set -e
	set -x

	domain="${1-$(cat /etc/hostname)}"
	commonname="$domain"

	# if the domain is a freakin IP it must also specify an IP SAN
	# hopefully you have a python
	IS_IP=$(python -c "import sys; ot=sys.argv[1].split('.'); len(ot)==4 and all([p.isdigit() for p in ot]) and all([0<int(p)<256 for p in ot]) and sys.stdout.write('1\n') or sys.stdout.write('0\n')" $domain)

	if [ $IS_IP -eq 0 ]; then
	# hostname
	SAN="DNS:$domain.adept.local"
	else
	# ip
	export SAN="IP:$domain"
	fi


	errcho (){
	>&2 echo "$1"
	}

	rand_letters (){
	cat /dev/urandom\| tr -dc 'A-Z'\|head -c $1
	}

	# Change to your company details
	country=$(rand_letters 2)
	state=$(rand_letters 2)
	locality=None
	organization=None
	organizationalunit=None
	email=None@$domain


	# Optional
	password=password

	if [ -z "$domain" ]
	then
	echo "Argument not present."
	echo "Useage $0 [common name]"

	exit 99
	fi

	errcho "Generating key request for $domain"

	# Generate a key
	openssl genrsa -des3 -passout pass:$password -out $domain.key 2048 -noout

	# Remove passphrase from the key. Comment the line out to keep the passphrase
	errcho "Removing passphrase from key"
	openssl rsa -in $domain.key -passin pass:$password -out $domain.key

	# # Create the request
	# errcho "Creating CSR"
	# CONFIG="[req]
	# prompt = no
	# req_extensions = v3_req
	# distinguished_name = req_distinguished_name

	# [req_distinguished_name]
	# C = $country
	# ST = $state
	# L = $locality
	# O = $organization
	# OU = $organizationalunit
	# CN = $commonname
	# emailAddress = $email

	# [v3_req]
	# basicConstraints = CA:FALSE
	# keyUsage = digitalSignature, keyEncipherment
	# subjectAltName = @alt_names

	# [alt_names]
	# DNS.1 = $domain
	# IP.1 = $domain
	# "
	# openssl req -new \
	# -key $domain.key \
	# -passin pass:$password \
	# -extensions v3_req \
	# -config <(echo "$CONFIG") \
	# -out $domain.csr
	CONFIG="
	[req]
	distinguished_name=dn
	[ dn ]
	[ ext ]
	basicConstraints=CA:TRUE,pathlen:0
	subjectAltName=$SAN
	"

	openssl req -config <(echo "$CONFIG") -new -newkey rsa:2048 -nodes \
	-subj "/CN=$commonname" -x509 -extensions ext -keyout $domain.key -out $domain.crt

	# errcho "Self signing"
	# openssl x509 -req -days 365 -in $domain.csr -signkey $domain.key -out $domain.crt

	if [[ $GEN_CERT_PKCS12 -eq 1 ]]; then
	# maybe you need a single keystore file
	openssl pkcs12 -export -in $domain.crt -inkey $domain.key -out $domain.pkcs12 -password pass:password
	rm $domain.crt
	rm $domain.key
	else
	# normal output, nice for catting somewhere
	# cat $domain.csr
	cat $domain.key
	cat $domain.crt
	fi
	# rm $domain.csr