Skip to content

Instantly share code, notes, and snippets.

@jameskyle

jameskyle/certs.sh

Last active June 7, 2017 18:46
  • Star 6 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Generating CA, Server, & Client Certificates
Raw
certs.sh
#!/bin/bash
###############################################################################
# NOTICE: This script is intended to be used in conjunction with a openssl.cnf
# template such as this one:
# https://gist.github.com/jameskyle/8106d4d5c6dfa5395cef
# (C) Copyright 2014 James A. Kyle.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################
set -ex
OPENSSL=${OPENSSL:-/usr/local/Cellar/openssl/1.0.1h/bin/openssl}
ROOT=${ROOT:-certs}
DOMAIN=${DOMAIN:-tfoundry.com}
COUNTRY=${COUNTRY:-US}
STATE=${STATE:-California}
CITY=${CITY:-Palo Alto}
ORG=${ORG:-AT&T}
UNIT=${UNIT:-Foundry}
EMAIL=${EMAIL:-jk328n@att.com}
SUBJECT_AlT_TYPE=DNS # Other option is IP
declare -a ALT_NAMES=(
"core1.zion.tfoundry.com"
"core2.zion.tfoundry.com"
"core3.zion.tfoundry.com"
"core4.zion.tfoundry.com"
)
##############################################################################
# Should Not Need To Edit Below This Line
##############################################################################
export ORG
export COUNTRY
export STATE
export EMAIL
export UNIT
export ROOT
export CITY
CONFIG_TEMPLATE=${CONFIG_TEMPLATE:-openssl.cnf.template}
CONFIG=${CONFIG:-/tmp/openssl.cnf}
cp ${CONFIG_TEMPLATE} ${CONFIG}
ALT_TAG="# ALT_NAMES"
for (( i = 0; i < ${#ALT_NAMES[@]}; i++ )); do
count=$(($i + 1))
sed -i.bak "s|^${ALT_TAG}|${SUBJECT_AlT_TYPE}.${count}=${ALT_NAMES[i]}\\
${ALT_TAG}|" ${CONFIG}
done
echo "Please provide a client id..."
read client_id
while [ $client_id = "" ];do
echo "Must provide a client id...."
read client_id
done
CLIENT_SUBJECT="/C=${COUNTRY}/ST=${STATE}/O=${ORG}/OU=${UNIT}/"
CLIENT_SUBJECT="${CLIENT_SUBJECT}CN=${client_id}.${DOMAIN}"
mkdir -p ${ROOT}
if [[ ! -e ${ROOT}/index.txt ]];then
echo "Creating index file..."
touch ${ROOT}/index.txt
fi
if [[ ! -e ${ROOT}/serial ]];then
echo "Creating server keys..."
echo 01 > ${ROOT}/serial
fi
if [[ ! -e ${ROOT}/ca.key ]];then
${OPENSSL} req -batch -nodes -new -x509 -keyout ${ROOT}/ca.key -out \
${ROOT}/ca.crt -config ${CONFIG} 2>&1 > /dev/null
fi
if [[ ! -e ${ROOT}/server.key ]];then
${OPENSSL} req -batch -nodes -new -extensions server -keyout \
${ROOT}/server.key -out ${ROOT}/server.csr -config \
${CONFIG} 2>&1 > /dev/null
fi
if [[ ! -e ${ROOT}/server-key.pem ]];then
echo "Removing server key password..."
${OPENSSL} rsa -in ${ROOT}/server.key -out ${ROOT}/server-key.pem
fi
if [[ ! -e ${ROOT}/server.crt ]];then
${OPENSSL} ca -batch -extensions server -out ${ROOT}/server.crt -in \
${ROOT}/server.csr -config ${CONFIG} 2>&1 > /dev/null
fi
${OPENSSL} req -batch -days 3650 -new -keyout ${ROOT}/${client_id}.key -subj \
${CLIENT_SUBJECT} -out ${ROOT}/${client_id}.csr -config ${CONFIG}
${OPENSSL} ca -batch -days 3650 -out ${ROOT}/${client_id}.crt -in \
${ROOT}/${client_id}.csr -config ${CONFIG}
echo "Removing client key password..."
${OPENSSL} rsa -in ${ROOT}/${client_id}.key -out ${ROOT}/${client_id}-key.pem
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment