Generating CA, Server, & Client Certificates

certs.sh

#!/bin/bash

###############################################################################
# NOTICE: This script is intended to be used in conjunction with a openssl.cnf
#         template such as this one: 
#         https://gist.github.com/jameskyle/8106d4d5c6dfa5395cef
# (C) Copyright 2014 James A. Kyle.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################

set -ex
OPENSSL=${OPENSSL:-/usr/local/Cellar/openssl/1.0.1h/bin/openssl}
ROOT=${ROOT:-certs}
DOMAIN=${DOMAIN:-tfoundry.com}
COUNTRY=${COUNTRY:-US}
STATE=${STATE:-California}
CITY=${CITY:-Palo Alto}
ORG=${ORG:-AT&T}
UNIT=${UNIT:-Foundry}
EMAIL=${EMAIL:-jk328n@att.com}

SUBJECT_AlT_TYPE=DNS  # Other option is IP
declare -a ALT_NAMES=(
    "core1.zion.tfoundry.com"
    "core2.zion.tfoundry.com"
    "core3.zion.tfoundry.com"
    "core4.zion.tfoundry.com"
)

##############################################################################
# Should Not Need To Edit Below This Line 
##############################################################################

export ORG
export COUNTRY
export STATE
export EMAIL
export UNIT
export ROOT
export CITY

CONFIG_TEMPLATE=${CONFIG_TEMPLATE:-openssl.cnf.template}
CONFIG=${CONFIG:-/tmp/openssl.cnf}

cp ${CONFIG_TEMPLATE} ${CONFIG}

ALT_TAG="# ALT_NAMES"
for (( i = 0; i < ${#ALT_NAMES[@]}; i++ )); do
    count=$(($i + 1))
    sed -i.bak "s|^${ALT_TAG}|${SUBJECT_AlT_TYPE}.${count}=${ALT_NAMES[i]}\\
${ALT_TAG}|" ${CONFIG}
done


echo "Please provide a client id..."
read client_id

while [ $client_id = "" ];do 
    echo "Must provide a client id...."
    read client_id
done

CLIENT_SUBJECT="/C=${COUNTRY}/ST=${STATE}/O=${ORG}/OU=${UNIT}/"
CLIENT_SUBJECT="${CLIENT_SUBJECT}CN=${client_id}.${DOMAIN}"

mkdir -p ${ROOT}

if [[ ! -e ${ROOT}/index.txt ]];then
    echo "Creating index file..."
    touch ${ROOT}/index.txt
fi

if [[ ! -e ${ROOT}/serial ]];then
    echo "Creating server keys..."
    echo 01 > ${ROOT}/serial
fi

if [[ ! -e ${ROOT}/ca.key ]];then
    ${OPENSSL} req -batch -nodes -new -x509 -keyout ${ROOT}/ca.key -out \
        ${ROOT}/ca.crt -config ${CONFIG} 2>&1 > /dev/null
fi

if [[ ! -e ${ROOT}/server.key ]];then
    ${OPENSSL} req -batch -nodes -new -extensions server -keyout \
        ${ROOT}/server.key -out ${ROOT}/server.csr -config \
        ${CONFIG} 2>&1 > /dev/null
fi

if [[ ! -e ${ROOT}/server-key.pem ]];then
    echo "Removing server key password..."
    ${OPENSSL} rsa -in ${ROOT}/server.key -out ${ROOT}/server-key.pem
fi

if [[ ! -e ${ROOT}/server.crt ]];then
    ${OPENSSL} ca -batch -extensions server -out ${ROOT}/server.crt -in \
        ${ROOT}/server.csr -config ${CONFIG} 2>&1 > /dev/null
fi

${OPENSSL} req -batch -days 3650 -new -keyout ${ROOT}/${client_id}.key -subj \
    ${CLIENT_SUBJECT} -out ${ROOT}/${client_id}.csr -config ${CONFIG}
${OPENSSL} ca -batch -days 3650 -out ${ROOT}/${client_id}.crt -in \
    ${ROOT}/${client_id}.csr -config ${CONFIG}

echo "Removing client key password..."
${OPENSSL} rsa -in ${ROOT}/${client_id}.key -out ${ROOT}/${client_id}-key.pem