@lightcode
Created May 31, 2016 18:16
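#!/bin/bash
# Create a self-signed root CA under ./authority:
#   authority/ca-key.pem  4096-bit RSA private key (stored unencrypted, mode 0600)
#   authority/ca.pem      self-signed certificate, SHA-256, valid 10 years
#   authority/ca.srl      serial counter read by the client/server signing scripts
# Exits 1 if a CA already exists so an existing trust anchor is never overwritten.
set -euo pipefail

mkdir -p authority
CA="authority/ca.pem"
CA_KEY="authority/ca-key.pem"
CA_SRL="authority/ca.srl"

# Both files must be tested with -f: a bare `[[ "$CA_KEY" ]]` only checks that the
# variable is non-empty and so never protected the existing key.
if [[ -f "$CA" ]] && [[ -f "$CA_KEY" ]]; then
  echo "CA key and cert already exists" >&2
  exit 1
fi
rm -f "${CA_KEY}.tmp" "${CA_KEY}" "${CA}"

# The key ends up unencrypted either way; generating it encrypted under a
# hard-coded passphrase and decrypting it straight away only exposed the
# passphrase on the command line. Generate it directly, under a restrictive
# umask so the file is never readable by other users.
( umask 077 && openssl genrsa -out "${CA_KEY}" 4096 )
openssl req -new -x509 -days 3650 -key "${CA_KEY}" -sha256 -out "${CA}" \
  -subj "/C=FR/ST=France/O=TOTO NETWORK"
# Sequential serial counter consumed (and incremented) by `openssl x509 -req`.
echo 01 > "${CA_SRL}"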
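#!/bin/bash
# Issue a client-authentication certificate for the name passed as $1, signed
# by the CA created by the authority script. Outputs:
#   clients/<name>-key.pem   2048-bit RSA private key
#   clients/<name>-cert.pem  certificate with extendedKeyUsage=clientAuth, valid 1 year
set -euo pipefail

CA="authority/ca.pem"
CA_KEY="authority/ca-key.pem"
# $1 is used both as the certificate CN and as part of the output file names,
# so it must be present and limited to a safe character set: a '/' would add a
# DN component to -subj or escape the ./clients directory.
CLIENT="${1:-}"
if [[ ! "${CLIENT}" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "usage: $0 <client-name>   (letters, digits, '.', '_', '-'; must start with a letter or digit)" >&2
  exit 2
fi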
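# Report a failed step on stderr and abort with status 20, which is distinct
# from the status 1 used for "already exists" so callers can tell them apart.
# Arguments: optional description of the failed step; defaults to "exit" so the
#            message is unchanged for callers that pass nothing.
fatal() {
  printf 'fail: %s\n' "${*:-exit}" >&2
  exit 20
}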
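# Nothing else creates ./clients; without it `openssl genrsa -out` fails.
mkdir -p clients
CLIENT_KEY="clients/${CLIENT}-key.pem"
CLIENT_CSR="clients/${CLIENT}.csr"
CLIENT_CERT="clients/${CLIENT}-cert.pem"
if [[ -f "${CLIENT_KEY}" ]] && [[ -f "$CLIENT_CERT" ]]; then
  echo "key and cert already exists" >&2
  exit 1
fi
rm -f "${CLIENT_KEY}" "${CLIENT_CSR}" "${CLIENT_CERT}"

# Extensions for the signing step. A private temp file replaces ./extfile.cnf,
# which was left behind in the working directory and shared between runs.
# basicConstraints=CA:FALSE makes explicit that this is a leaf certificate.
EXTFILE=$(mktemp) || fatal "mktemp"
trap 'rm -f -- "${EXTFILE}"' EXIT
printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "${EXTFILE}"

# The key is written under umask 077 so it is never readable by other users,
# whatever the caller's umask.
( umask 077 && openssl genrsa -out "${CLIENT_KEY}" 2048 ) || fatal "openssl genrsa"
openssl req -subj "/CN=${CLIENT}" -new -sha256 -key "${CLIENT_KEY}" -out "${CLIENT_CSR}" || fatal "openssl req"
# -sha256 pins the signature digest (older OpenSSL releases default to SHA-1 here).
# The serial is taken from authority/ca.srl, seeded by the authority script.
openssl x509 -req -days 365 -sha256 -in "${CLIENT_CSR}" -CA "${CA}" -CAkey "${CA_KEY}" \
  -out "$CLIENT_CERT" -extfile "${EXTFILE}" || fatal "openssl x509"
rm -vf "${CLIENT_CSR}" 2> /dev/null
exit 0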
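#!/bin/bash
# Issue a server certificate for the host name passed as $1, signed by the CA
# created by the authority script. Outputs:
#   servers/<name>-key.pem   2048-bit RSA private key
#   servers/<name>-cert.pem  certificate with subjectAltName=DNS:<name>, valid 1 year
set -euo pipefail

CA="authority/ca.pem"
CA_KEY="authority/ca-key.pem"
# $1 becomes the CN, the DNS SAN and part of the output file names, so it must
# be present and limited to host-name characters: a '/' would add a DN
# component to -subj or escape the ./servers directory.
CLIENT="${1:-}"
if [[ ! "${CLIENT}" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "usage: $0 <server-name>   (letters, digits, '.', '_', '-'; must start with a letter or digit)" >&2
  exit 2
fi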
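# Report a failed step on stderr and abort with status 20, which is distinct
# from the status 1 used for "already exists" so callers can tell them apart.
# Arguments: optional description of the failed step; defaults to "exit" so the
#            message is unchanged for callers that pass nothing.
fatal() {
  printf 'fail: %s\n' "${*:-exit}" >&2
  exit 20
}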
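# Nothing else creates ./servers; without it `openssl genrsa -out` fails.
mkdir -p servers
CLIENT_KEY="servers/${CLIENT}-key.pem"
CLIENT_CSR="servers/${CLIENT}.csr"
CLIENT_CERT="servers/${CLIENT}-cert.pem"
if [[ -f "${CLIENT_KEY}" ]] && [[ -f "${CLIENT_CERT}" ]]; then
  echo "key and cert already exists" >&2
  exit 1
fi
rm -vf "${CLIENT_KEY}" "${CLIENT_CSR}" "${CLIENT_CERT}" 2> /dev/null

# Base OpenSSL config that the [SAN] section is appended to. The Red Hat path
# stays the default; other distributions can point OPENSSL_CNF elsewhere.
OPENSSL_CNF="${OPENSSL_CNF:-/etc/pki/tls/openssl.cnf}"
[[ -r "${OPENSSL_CNF}" ]] || fatal "cannot read ${OPENSSL_CNF}"

# One temp file (base config + [SAN] section) serves both the CSR (-reqexts)
# and the signing step (-extensions); a regular file rather than a process
# substitution so both calls read the same content. The name is passed as a
# printf %s argument, never inside the format string, so a '%' in it cannot be
# interpreted as a conversion. basicConstraints=CA:FALSE marks the leaf.
EXTCNF=$(mktemp) || fatal "mktemp"
trap 'rm -f -- "${EXTCNF}"' EXIT
{
  cat -- "${OPENSSL_CNF}"
  printf '\n[SAN]\nsubjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "${CLIENT}"
} > "${EXTCNF}"

# The key is written under umask 077 so it is never readable by other users,
# whatever the caller's umask.
( umask 077 && openssl genrsa -out "${CLIENT_KEY}" 2048 ) || fatal "openssl genrsa"
openssl req -new -sha256 \
  -key "${CLIENT_KEY}" \
  -subj "/CN=${CLIENT}" \
  -reqexts SAN \
  -config "${EXTCNF}" \
  -out "${CLIENT_CSR}" || fatal "openssl req"
# -sha256 pins the signature digest (older OpenSSL releases default to SHA-1 here).
# The serial is taken from authority/ca.srl, seeded by the authority script.
openssl x509 -req -days 365 -sha256 \
  -extensions SAN \
  -extfile "${EXTCNF}" \
  -in "${CLIENT_CSR}" -CA "${CA}" -CAkey "${CA_KEY}" \
  -out "$CLIENT_CERT" || fatal "openssl x509"
rm -vf "${CLIENT_CSR}" 2> /dev/null
exit 0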