Working with certificates and openssl
#!/bin/bash
# Print the command-line help on stdout and stop with status 1.
# Arguments: none (reads $0 for the script name)
usage() {
  printf '%s\n' \
    "Usage: $0" \
    " <file>.cer - Windows certificate file .cer format." \
    " <file> - File name generated .crt. Default to <file>.crt."
  exit 1
}
# Convert a DER-encoded certificate ($1, typically a Windows .cer) to PEM.
# The output is <base>.crt where <base> is $2 or, when omitted, $1 without its extension.
[ -n "$1" ] || usage
# Optional second argument overrides the output base name.
FILENAME=${2:-${1%.*}}
openssl x509 -in "$1" -inform DER -outform PEM -out "$FILENAME.crt"
#!/usr/bin/env bash
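#######################################
# Print the sub-command help on stdout and stop with status 1.
# Arguments: none
# Returns:   never; exits 1
#######################################
usage() {
  echo "Usage: ./certs.sh "
  echo " root <name>"
  echo " server <ca> <name>"
  # The client sub-command exists further down in this file but was missing from the help.
  echo " client <ca> <name>"
  exit 1
}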
# Application name; used as the PKCS#12 friendly-name prefix and in the CN of every
# certificate created below. "<myapp>" is a placeholder that must be replaced before use.
APP='<myapp>'
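#######################################
# Offer to bundle a key + certificate into a PKCS#12 (.pfx) file.
# Globals:   APP (read; friendly-name prefix)
# Arguments: $1 - base name of the issuing CA (<ca>.crt is added to the bundle)
#            $2 - base name of the key/cert pair (<name>.key + <name>.crt -> <name>.pfx)
# Inputs:    a y/n answer on stdin; openssl then prompts for the export password itself
# Outputs:   the prompt on stdout; <name>.pfx when the answer starts with y/Y
# Returns:   status of openssl pkcs12, or 0 when the export is declined
#######################################
pfx() {
  local ca=$1
  local name=$2
  local answer
  printf '%s' "Export as .pfx? [yn]"
  # -r keeps a backslash in the answer literal instead of treating it as an escape.
  read -r answer
  # Accept any answer whose first character is y or Y.
  if [ "$answer" != "${answer#[Yy]}" ]; then
    # All paths quoted: the original left them bare, so a name with spaces or
    # glob characters would have been split into several arguments.
    openssl pkcs12 -export -out "$name.pfx" -inkey "$name.key" -in "$name.crt" \
      -certfile "$ca.crt" -name "$APP $name"
  fi
}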
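#######################################
# Create a self-signed root CA: <name>.key (4096-bit RSA, AES-256 encrypted)
# and <name>.crt (SHA-256, valid 3650 days), then offer a .pfx export.
# Globals:   APP (read), CA (written)
# Arguments: $1 - base name for the CA files
# Outputs:   progress on stdout; openssl prompts for the key passphrase
# Returns:   exits via usage when $1 is missing; otherwise the status of pfx
#######################################
root() {
  if [ -z "$1" ]; then
    echo "Supply name for root certificate authority"
    usage
  fi
  CA=$1
  echo "Create CA $CA"
  # The CA key is the trust anchor for every certificate signed by server/client,
  # so it is generated passphrase-protected (-aes256), unlike the leaf keys.
  openssl genrsa -aes256 -out "$CA.key" 4096
  openssl req -x509 -new -nodes -key "$CA.key" -sha256 -days 3650 -out "$CA.crt" \
    -subj "/CN=$APP root"
  # Quoted so a CA name containing spaces reaches pfx as a single argument.
  pfx "$CA" "$CA"
}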
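#######################################
# Create a server key and CSR and sign the CSR with the given CA.
# Produces <name>.key (2048-bit RSA, unencrypted), <name>.csr and
# <name>.crt (SHA-512, valid 3650 days); -CAcreateserial also writes <ca>.srl.
# Globals:   APP (read), CA and NAME (written)
# Arguments: $1 - base name of the CA (<ca>.crt and <ca>.key must exist)
#            $2 - base name for the server files
# Requires:  server.conf in the working directory with a [req_ext] section (not shown here)
# Outputs:   progress on stdout; openssl prompts for the CA key passphrase
# Returns:   exits via usage when an argument is missing; otherwise the status of pfx
#######################################
server() {
  if [ -z "$1" ]; then
    echo "Supply root CA for server certificate"
    usage
  fi
  if [ -z "$2" ]; then
    echo "Supply name for server certificate"
    usage
  fi
  NAME=$2
  CA=$1
  echo "Create server cert $NAME and sign with $CA"
  openssl genrsa -out "$NAME.key" 2048
  openssl req -new -key "$NAME.key" -subj "/CN=$APP server" \
    -reqexts req_ext -config server.conf \
    -out "$NAME.csr"
  # NOTE(review): `openssl x509 -req` does not carry extensions over from the CSR by
  # default, so whatever [req_ext] requests (e.g. subjectAltName) is likely absent from
  # <name>.crt unless `-extfile server.conf -extensions req_ext` (or `-copy_extensions copy`
  # on OpenSSL 3) is added here — confirm with `openssl x509 -in "$NAME.crt" -noout -text`.
  openssl x509 -req -in "$NAME.csr" -CA "$CA.crt" -CAkey "$CA.key" -CAcreateserial \
    -out "$NAME.crt" -days 3650 -sha512
  pfx "$CA" "$NAME"
}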
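#######################################
# Create a client key and CSR (requesting extendedKeyUsage=clientAuth) and sign
# the CSR with the given CA. Produces <name>.key (2048-bit RSA, unencrypted),
# <name>.csr and <name>.crt (SHA-512, valid 3650 days); -CAcreateserial writes <ca>.srl.
# Globals:   APP (read), CA and NAME (written)
# Arguments: $1 - base name of the CA (<ca>.crt and <ca>.key must exist)
#            $2 - base name for the client files
# Requires:  OpenSSL 1.1.1 or newer for `req -addext`
# Outputs:   progress on stdout; openssl prompts for the CA key passphrase
# Returns:   exits via usage when an argument is missing; otherwise the status of pfx
#######################################
client() {
  if [ -z "$1" ]; then
    echo "Supply root CA for client certificate"
    usage
  fi
  if [ -z "$2" ]; then
    echo "Supply name for client certificate"
    usage
  fi
  NAME=$2
  CA=$1
  echo "Create client cert $NAME and sign with $CA"
  openssl genrsa -out "$NAME.key" 2048
  openssl req -new -key "$NAME.key" -subj "/CN=$APP client" \
    -addext "extendedKeyUsage=clientAuth" \
    -out "$NAME.csr"
  # NOTE(review): `openssl x509 -req` does not carry extensions over from the CSR by
  # default, so the clientAuth EKU requested above is likely missing from <name>.crt
  # unless an -extfile/-extensions pair (or `-copy_extensions copy` on OpenSSL 3) is
  # passed here — confirm with `openssl x509 -in "$NAME.crt" -noout -text`.
  openssl x509 -req -in "$NAME.csr" -CA "$CA.crt" -CAkey "$CA.key" -CAcreateserial \
    -out "$NAME.crt" -days 3650 -sha512
  pfx "$CA" "$NAME"
}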
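# Sub-command dispatch: $1 selects the command, the remaining arguments are passed through.
# $1 is quoted here; the original `[ -z $1 ]` only worked by accident for an unset argument.
[ -n "$1" ] || usage
case "$1" in
  root) root "$2" ;;
  server) server "$2" "$3" ;;
  # client is defined above but was unreachable from the command line.
  client) client "$2" "$3" ;;
  *) usage ;;
esac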
#!/bin/bash
# Print the command-line help on stdout and stop with status 1.
# Arguments: none (reads $0 for the script name)
usage() {
  printf '%s\n' \
    "Usage: $0" \
    " <file>.pem - PEM file format." \
    " <file> - File name generated .cer. Default to <file>.cer."
  exit 1
}
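# Convert a PEM certificate ($1) to DER (.cer).
# The output is <base>.cer where <base> is $2 or, when omitted, $1 without its extension.
if [ -z "$1" ]; then
  usage
fi
# Optional second argument overrides the output base name.
FILENAME=${2:-${1%.*}}
# Both paths quoted: the original passed $1 and $FILENAME.cer unquoted, so a name with
# spaces or glob characters was split into several arguments (the .cer->.crt sibling
# script already quotes them).
openssl x509 -inform PEM -in "$1" -outform DER -out "$FILENAME.cer"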
#!/usr/bin/env bash
# Create certificate to sign tokens issued by IdentityServer
# Print the sub-command help on stdout. Unlike the sibling scripts this one
# does not exit; the caller decides the exit status.
usage() {
  printf '%s\n' \
    "Usage: $0 <command>" \
    " clear Remove files; crt, key, pfx and pem" \
    " thumbprint Print thumbprint" \
    " create Create certificate files for use in Windows (pfx) and Unix (pem)"
}
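# Sub-command dispatch for the token-signing certificate. All file names are fixed
# (token.key/.crt/.pfx/.pem) and written to the current directory.
# Exit status is that of the sub-command; the original exited 1 after a successful
# clear/thumbprint and silently exited 0 on an unknown command.
if [ -z "$1" ]; then
  usage
  exit 0
fi
case "$1" in
  clear)
    # Removes every matching file in the working directory, not just token.*
    # (kept as in the original); run it from the directory holding the token files.
    rm -- *.crt *.key *.pfx *.pem
    ;;
  thumbprint)
    # .NET-compatible thumbprint: openssl prints "SHA1 Fingerprint=AA:BB:..." by default;
    # keep the part after '=' and strip the colons.
    openssl x509 -in token.pem -noout -fingerprint | cut -d'=' -f2 | sed 's/://g'
    ;;
  create)
    # Self-signed certificate with an unencrypted (-nodes) 4096-bit key, valid 365 days.
    # The subject fields are placeholders to fill in before use.
    openssl req -x509 -newkey rsa:4096 -sha512 -nodes -keyout token.key -out token.crt \
      -subj "/CN=<cn>/C=<c>/O=<o>/OU=<ou>" -days 365
    # openssl prompts for the export password interactively.
    openssl pkcs12 -export -out token.pfx -inkey token.key -in token.crt -certfile token.crt
    # Single PEM holding certificate + private key, for non-Windows hosts.
    cat token.crt token.key > token.pem
    # Both files contain the private key and were created with the default umask;
    # restrict them to the owner.
    chmod 600 token.key token.pem
    echo "Inspect created certificate: certutil.exe -dump token.pfx"
    echo "To get thumbprint call $0 thumbprint"
    ;;
  *)
    usage
    exit 1
    ;;
esac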