@jtschichold
Last active November 3, 2017 15:54
Shell script to generate a new CA and a new certificate on MineMeld instances
#!/bin/bash
# set -x
set -e
if [ -z "$1" ]; then
echo "Usage: $0 <minemeld hostname>" 1>&2
exit 1
fi
if [ "$EUID" != "0" ]; then
echo "This script must be run with root privileges. Try with:" 1>&2
echo "sudo $0 $1" 1>&2
exit 1
fi
BASEDIR=$(dirname "$0")
export CA_DIR=$(mktemp -d)
echo ">> Using directory $CA_DIR"
function extract_config()
{
# the OpenSSL config is appended to this script after the OPENSSL_CONFIG_FILE: marker
echo "Unpacking config to $BASEDIR/minemeld-temp-ca.cnf"
match=$(grep --text --line-number '^OPENSSL_CONFIG_FILE:$' "$0" | cut -d ':' -f 1)
payload_start=$((match + 1))
tail -n +"$payload_start" "$0" > "$BASEDIR/minemeld-temp-ca.cnf"
}
function extract_pem()
{
# append the PEM block of certificate file $1 to $2, dropping the text dump that openssl ca writes before it
match=$(grep --text --line-number '^-----BEGIN CERTIFICATE' "$1" | cut -d ':' -f 1)
tail -n +"$match" "$1" >> "$2"
}
extract_config
# generate CA certificate and key
echo ">> Generating CA key and certificate"
openssl req -x509 -newkey rsa:4096 -sha256 -nodes \
-keyout $CA_DIR/CA.key -out $CA_DIR/CA.crt \
-subj "/C=IT/ST=PR/L=Parma/O=MineMeld/OU=TBD/CN=please use a real CA/emailAddress=techbizdev@paloaltonetworks.com" \
-days 3650
# generate key and CSR for minemeld (the hostname goes into the subject CN only; no subjectAltName is requested)
echo ">> Generating MineMeld key and CSR"
openssl req -new -newkey rsa:4096 -sha256 -nodes \
-keyout "$CA_DIR/minemeld.pem" -out "$CA_DIR/minemeld.csr" \
-subj "/C=IT/ST=PR/L=Parma/O=MineMeld/OU=TBD/CN=$1"
# sign the CSR with the disposable CA (openssl ca needs an index and a serial file)
echo ">> Signing MineMeld CSR with CA"
touch "$CA_DIR/index.txt"
echo "01" > "$CA_DIR/serial"
openssl ca -batch -config "$BASEDIR/minemeld-temp-ca.cnf" -policy policy_loose \
-extensions server_cert -out "$CA_DIR/minemeld.cer" -infiles "$CA_DIR/minemeld.csr"
echo ">> Shredding and removing CA key"
# overwrite and delete the CA key: the CA is single-use, nothing else is ever signed with it
# (shred is best effort; on journaling or copy-on-write filesystems the old blocks may survive)
shred -vzn 3 "$CA_DIR/CA.key" || true
rm "$CA_DIR/CA.key"
# with --test as second argument stop here: nothing is installed and the files stay in $CA_DIR
if [ "$2" = "--test" ]; then
exit 0
fi
# install the private key
mv "$CA_DIR/minemeld.pem" /etc/nginx/minemeld.pem
chmod 0600 /etc/nginx/minemeld.pem
# create the full chain: server certificate first, then the CA certificate
rm -f /etc/nginx/minemeld.cer
extract_pem "$CA_DIR/minemeld.cer" /etc/nginx/minemeld.cer
extract_pem "$CA_DIR/CA.crt" /etc/nginx/minemeld.cer
chmod 0600 /etc/nginx/minemeld.cer
# keep a copy of the CA certificate next to this script for the PAN-OS Certificate Profile
cp "$CA_DIR/CA.crt" "$BASEDIR/CA.crt"
if [ -d /usr/share/minemeld ]; then
mv "$CA_DIR/CA.crt" /usr/share/minemeld/CA.crt
fi
# remove the CA directory and the unpacked config
rm -rf "$CA_DIR"
rm -f "$BASEDIR/minemeld-temp-ca.cnf"
echo ">> Reloading nginx configuration"
service nginx reload || true
echo
echo "-------------------------------------------------------------------"
echo "New MineMeld WebUI private key and certificate installed !"
echo
echo "NOTE: Use $BASEDIR/CA.crt to create a Certificate"
echo "Profile on PAN-OS 8.0."
echo "-------------------------------------------------------------------"
exit 0
OPENSSL_CONFIG_FILE:
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = $ENV::CA_DIR
new_certs_dir = $dir
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/CA.key
certificate = $dir/CA.crt
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 1105
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "MineMeld Temporary Server Certificate - via OpenSSL"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
jtschichold commented Feb 2, 2017

generate-certificate.sh

This script:

  • creates a new private key and self-signed certificate to be used as a disposable CA
  • creates a new private key and CSR for MineMeld WebUI
  • signs the CSR with the newly created CA
  • securely deletes the CA private key
  • installs the new full chain and private key in the nginx directory
  • reloads the nginx config

Outputs

  • new private key and full chain installed under /etc/nginx/minemeld.pem and /etc/nginx/minemeld.cer
  • new CA certificate CA.crt in the current directory. This can be used for PAN-OS 8.0 Certificate Profiles

How To Use

$ wget https://gist.githubusercontent.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da/raw/7ec994a3a731637ffa335365adddddbfd92004f2/generate-certificate.sh
$ chmod a+x generate-certificate.sh
$ sudo ./generate-certificate.sh <minemeld hostname>
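
The same procedure as an added example, not code from the gist or from the MineMeld project: a shell function that builds the disposable CA and the server certificate in a temporary directory, then runs the checks worth doing before the files are copied under /etc/nginx (chain verifies against CA.crt, hostname matches, private key matches the certificate, CA key is gone). It differs from the gist in two assumed ways: it requests a subjectAltName for the hostname, because Chrome (since version 58) and other RFC 6125 clients match the hostname against subjectAltName only and the gist's leaf certificate carries the name just in the CN; and it signs with openssl x509 -req instead of openssl ca, so no index/serial database is needed. HOST and OUTDIR are caller-chosen arguments, rsa:2048 is used for speed where the gist uses 4096, and the output file names mirror the gist's.

```shell
#!/bin/sh
# Added example (not the gist's code): disposable CA + server certificate
# with a subjectAltName, followed by the checks a practitioner should run
# before installing anything.  HOST and OUTDIR are assumed arguments.

set -e

fail() { echo "FAIL: $*" >&2; return 1; }

# gen_chain HOST OUTDIR -> 0 only if the generated chain passes every check
gen_chain() {
  host="$1"
  out="$2"
  work=$(mktemp -d)

  # Minimal OpenSSL config: an explicit CA profile for the self-signed root
  # (so we do not depend on the system openssl.cnf) and a server profile
  # that carries the hostname in subjectAltName.
  cat > "$work/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host
EOF

  # 1. disposable CA: key + self-signed certificate
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -config "$work/openssl.cnf" -extensions v3_ca \
    -subj "/O=MineMeld/CN=disposable CA" -days 3650 \
    -keyout "$work/CA.key" -out "$work/CA.crt" 2>/dev/null || return 1

  # 2. server key + CSR (CN = hostname, as in the gist)
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -config "$work/openssl.cnf" -subj "/O=MineMeld/CN=$host" \
    -keyout "$work/minemeld.pem" -out "$work/minemeld.csr" 2>/dev/null || return 1

  # 3. sign the CSR with the server_cert profile (adds the SAN)
  openssl x509 -req -sha256 -days 1105 \
    -in "$work/minemeld.csr" -CA "$work/CA.crt" -CAkey "$work/CA.key" -CAcreateserial \
    -extfile "$work/openssl.cnf" -extensions server_cert \
    -out "$work/minemeld.crt" 2>/dev/null || return 1

  # 4. the CA key is single-use: destroy it before anything else happens
  shred -zun 3 "$work/CA.key" 2>/dev/null || rm -f "$work/CA.key"

  # 5. checks before installation
  openssl verify -CAfile "$work/CA.crt" "$work/minemeld.crt" >/dev/null 2>&1 \
    || fail "chain does not verify against CA.crt" || return 1
  openssl verify -CAfile "$work/CA.crt" -verify_hostname "$host" "$work/minemeld.crt" >/dev/null 2>&1 \
    || fail "certificate does not match hostname $host" || return 1
  openssl x509 -in "$work/minemeld.crt" -noout -text | grep -q "DNS:$host" \
    || fail "subjectAltName missing" || return 1
  cert_pub=$(openssl x509 -in "$work/minemeld.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$work/minemeld.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || fail "private key does not match certificate" || return 1

  # 6. leaf-first chain, same file names as the gist, tight permissions
  mkdir -p "$out"
  cat "$work/minemeld.crt" "$work/CA.crt" > "$out/minemeld.cer"
  mv "$work/minemeld.pem" "$out/minemeld.pem"
  cp "$work/CA.crt" "$out/CA.crt"
  chmod 0600 "$out/minemeld.pem" "$out/minemeld.cer"
  rm -rf "$work"
  return 0
}

# count_certs FILE: number of PEM certificates in a chain file
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1"; }

# Usage: sh this_script.sh minemeld.example.test /tmp/minemeld-tls
if [ "$#" -eq 2 ]; then
  gen_chain "$1" "$2" && echo "chain and key written under $2"
fi
```

Point OUTDIR at a scratch directory first and inspect the result with openssl x509 -in OUTDIR/minemeld.cer -noout -text; only then move the three files to their /etc/nginx and /usr/share/minemeld locations and reload nginx as the gist does.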
