Working with certificates and openssl
#!/bin/bash | |
# Print the command-line help on stdout and exit with status 1.
usage() {
  printf '%s\n' "Usage: $0"
  printf '%s\n' " <file>.cer - Windows certificate file .cer format."
  printf '%s\n' " <file> - File name generated .crt. Default to <file>.crt."
  exit 1
}
# $1 is the DER (.cer) input and is mandatory; $2 is the optional output
# base name, defaulting to the input name with its extension removed.
[ -n "$1" ] || usage
FILENAME=${2:-${1%.*}}
# Re-encode the certificate from DER to PEM as <FILENAME>.crt.
openssl x509 -in "$1" -inform DER -outform PEM -out "$FILENAME.crt"
#!/usr/bin/env bash | |
# Print the sub-commands this script understands and exit with status 1.
usage() {
  printf '%s\n' "Usage: ./certs.sh "
  printf '%s\n' " root <name>"
  printf '%s\n' " server <ca> <name>"
  exit 1
}
# Application name; it prefixes the PKCS#12 friendly name and the CN of every
# certificate issued below. The placeholder is meant to be replaced before use.
APP='<myapp>'
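#######################################
# Optionally bundle a key, its certificate and the issuing CA into a PKCS#12 file.
# Globals:   APP (read) - prefix of the PKCS#12 friendly name
# Arguments: $1 - base name of the CA certificate (<ca>.crt)
#            $2 - base name of the key/certificate pair (<name>.key, <name>.crt)
# Inputs:    reads a y/n answer from stdin; openssl then prompts for the
#            export password itself
# Outputs:   <name>.pfx when the answer starts with y or Y, nothing otherwise
#######################################
function pfx() {
  local ca=$1
  local name=$2
  local answer
  printf '%s' "Export as .pfx? [yn]"
  # -r keeps a typed backslash literal instead of treating it as an escape.
  read -r answer
  # Any answer beginning with y/Y triggers the export; everything else skips it.
  case "$answer" in
    [Yy]*)
      # Quoted so a name containing spaces is passed as a single file argument.
      openssl pkcs12 -export -out "$name.pfx" -inkey "$name.key" \
        -in "$name.crt" -certfile "$ca.crt" -name "$APP $name"
      ;;
  esac
}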
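#######################################
# Create a self-signed root CA: an AES-256 passphrase-protected 4096-bit RSA
# key and a certificate valid for 3650 days. openssl prompts for the passphrase.
# Globals:   APP (read), CA (written)
# Arguments: $1 - base name for <ca>.key and <ca>.crt
# Outputs:   <ca>.key, <ca>.crt and, if confirmed in pfx(), <ca>.pfx
# Returns:   1 if a key or certificate generation step fails
#######################################
function root() {
  if [ -z "$1" ]; then
    echo "Supply name for root certificate authority"
    usage
  fi
  CA=$1
  echo "Create CA $CA"
  # Stop at the first failing step so later commands do not run against a
  # missing or partially written key. Paths are quoted for names with spaces.
  openssl genrsa -aes256 -out "$CA.key" 4096 || return 1
  openssl req -x509 -new -nodes -key "$CA.key" -sha256 -days 3650 \
    -out "$CA.crt" -subj "/CN=$APP root" || return 1
  pfx "$CA" "$CA"
}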
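#######################################
# Issue a server certificate signed by a CA previously created with root().
# Globals:   APP (read), CA and NAME (written)
# Arguments: $1 - base name of the CA (<ca>.key, <ca>.crt)
#            $2 - base name for the server key, CSR and certificate
# Requires:  server.conf in the working directory (not part of this gist)
#            with a [req_ext] section; it is expected to hold the request
#            extensions such as subjectAltName
# Outputs:   <name>.key, <name>.csr, <name>.crt, <ca>.srl and optionally
#            <name>.pfx
# Returns:   1 if a key, CSR or signing step fails
#######################################
function server() {
  if [ -z "$1" ]; then
    echo "Supply root CA for server certificate"
    usage
  fi
  if [ -z "$2" ]; then
    echo "Supply name for server certificate"
    usage
  fi
  NAME=$2
  CA=$1
  echo "Create server cert $NAME and sign with $CA"
  openssl genrsa -out "$NAME.key" 2048 || return 1
  openssl req -new -key "$NAME.key" -subj "/CN=$APP server" \
    -reqexts req_ext -config server.conf \
    -out "$NAME.csr" || return 1
  # `openssl x509 -req` does not copy extensions from the CSR into the signed
  # certificate, so the req_ext section is applied again here via -extfile;
  # without it the issued certificate would lack whatever server.conf declares
  # (typically the subjectAltName that TLS clients validate against).
  openssl x509 -req -in "$NAME.csr" -CA "$CA.crt" -CAkey "$CA.key" -CAcreateserial \
    -extfile server.conf -extensions req_ext \
    -out "$NAME.crt" -days 3650 -sha512 || return 1
  pfx "$CA" "$NAME"
}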
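#######################################
# Issue a client-authentication certificate signed by a CA created with root().
# Globals:   APP (read), CA and NAME (written)
# Arguments: $1 - base name of the CA (<ca>.key, <ca>.crt)
#            $2 - base name for the client key, CSR and certificate
# Outputs:   <name>.key, <name>.csr, <name>.crt, <ca>.srl and optionally
#            <name>.pfx
# Returns:   1 if a key, CSR or signing step fails
#######################################
function client() {
  if [ -z "$1" ]; then
    echo "Supply root CA for client certificate"
    usage
  fi
  if [ -z "$2" ]; then
    echo "Supply name for client certificate"
    usage
  fi
  NAME=$2
  CA=$1
  echo "Create client cert $NAME and sign with $CA"
  openssl genrsa -out "$NAME.key" 2048 || return 1
  openssl req -new -key "$NAME.key" -subj "/CN=$APP client" \
    -addext "extendedKeyUsage=clientAuth" \
    -out "$NAME.csr" || return 1
  # `openssl x509 -req` drops the CSR's extensions, so the clientAuth EKU
  # requested above would not end up in the certificate. Supplying it again
  # through -extfile (a process substitution, hence the bash shebang) makes
  # the signed certificate actually carry extendedKeyUsage=clientAuth.
  openssl x509 -req -in "$NAME.csr" -CA "$CA.crt" -CAkey "$CA.key" -CAcreateserial \
    -extfile <(printf 'extendedKeyUsage=clientAuth\n') \
    -out "$NAME.crt" -days 3650 -sha512 || return 1
  pfx "$CA" "$NAME"
}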
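# Sub-command dispatch. An empty or unknown command prints usage (which exits 1).
# "$1" is quoted: the unquoted `[ -z $1 ]` only worked by accident for an empty
# argument and would break on one containing spaces.
if [ -z "$1" ]; then
  usage
fi
case "$1" in
  root)   root "$2" ;;
  server) server "$2" "$3" ;;
  # client() is defined above but was never reachable from the command line.
  client) client "$2" "$3" ;;
  *)      usage ;;
esac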
#!/bin/bash | |
# Print the command-line help on stdout and exit with status 1.
usage() {
  printf '%s\n' "Usage: $0"
  printf '%s\n' " <file>.pem - PEM file format."
  printf '%s\n' " <file> - File name generated .cer. Default to <file>.cer."
  exit 1
}
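# $1 is the PEM input and is mandatory; $2 is the optional output base name,
# defaulting to the input name with its extension removed.
if [ -z "$1" ]; then
  usage
fi
FILENAME=${2:-${1%.*}}
# Re-encode the certificate from PEM to DER as <FILENAME>.cer. Both paths are
# quoted: the original passed them bare, so a name with spaces (or a glob
# character) was split or expanded before reaching openssl.
openssl x509 -inform PEM -in "$1" -outform DER -out "$FILENAME.cer"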
#!/usr/bin/env bash | |
# Create a certificate used to sign tokens issued by IdentityServer
# Print the supported commands on stdout. Does not exit; the caller decides
# the exit status.
usage() {
  printf '%s\n' "Usage: $0 <command>"
  printf '%s\n' " clear Remove files; crt, key, pfx and pem"
  printf '%s\n' " thumbprint Print thumbprint"
  printf '%s\n' " create Create certificate files for use in Windows (pfx) and Unix (pem)"
}
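# Sub-command dispatch. All files are read from and written to the current
# directory. The original exited 1 after a successful `clear`/`thumbprint`
# and 0 after an unknown command; statuses now reflect the outcome.
if [ -z "$1" ]; then
  usage
  exit 0
fi
case "$1" in
  clear)
    # -f: a clean directory (no matching files) is not an error.
    rm -f -- *.crt *.key *.pfx *.pem
    exit 0
    ;;
  thumbprint)
    # .NET-compatible fingerprint: openssl prints "SHA1 Fingerprint=AA:BB:...";
    # keep the part after '=' and drop the colons.
    openssl x509 -in token.pem -noout -fingerprint | cut -d'=' -f2 | tr -d ':'
    # Report openssl's status, not tr's, so a missing token.pem is visible.
    exit "${PIPESTATUS[0]}"
    ;;
  create)
    # Self-signed 4096-bit RSA certificate, valid 365 days, with an
    # unencrypted private key (-nodes). Replace the <cn>/<c>/<o>/<ou>
    # placeholders in the subject before use.
    openssl req -x509 -newkey rsa:4096 -sha512 -nodes -keyout token.key -out token.crt \
      -subj "/CN=<cn>/C=<c>/O=<o>/OU=<ou>" -days 365
    # PKCS#12 bundle for Windows; openssl prompts for the export password.
    openssl pkcs12 -export -out token.pfx -inkey token.key -in token.crt -certfile token.crt
    # Combined PEM (certificate followed by the private key) for Unix consumers.
    # It contains the private key, so it needs the same handling as token.key:
    # restrictive file mode and never committed to source control.
    cat token.crt token.key > token.pem
    echo "Inspect created certificate: certutil.exe -dump token.pfx"
    echo "To get thumbprint call $0 thumbprint"
    ;;
  *)
    usage
    exit 1
    ;;
esac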