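#!/bin/bash
#
# Issue a certificate for the common name given as $1, signed by an existing
# OpenSSL demo CA. Output (request, key, unencrypted key, certificate) is
# archived under $CERT_BASE/<cn>.
#
# requires CA.pl from OpenSSL: https://github.com/openssl/openssl/blob/master/apps/CA.pl.in
#
# generating CA.pl from OpenSSL source:
# /usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
# "-oMakefile" apps/CA.pl.in > "apps/CA.pl"
# sudo cp apps/CA.pl /usr/local/bin
#
# This script requires that a CA certificate has already been created and
# that the CA private key passphrase can be found in $CA_ROOT/ca-cert-passphrase.txt
#
# NB: OpenSSL doesn't handle concurrent access to the CA database.
# Wrap this script with flock command or use some other method to serialize access.
#
# Usage: issue-cert.sh <common-name>
set -euo pipefail

readonly CAPL=/usr/local/bin/CA.pl
readonly CA_ROOT=/opt/demoCA
readonly CERT_BASE=$CA_ROOT/certs
# Not readonly: it is re-assigned as a command-scoped environment prefix below.
OPENSSL=/usr/bin/openssl

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

cn=${1:-}
# The CN is interpolated into the -subj string that CA.pl passes on to a shell,
# and it is also used as a directory name under $CERT_BASE. Restrict it to a
# conservative character set so that a quote, a '/' or a leading '-' cannot
# break out of the DN, escape the certificate directory or be parsed as an
# option. (Spaces remain allowed; they are protected by the inner quotes.)
readonly cn_re='^[A-Za-z0-9][A-Za-z0-9._ -]*$'
[[ -n "$cn" ]] || die "usage: ${0##*/} <common-name>"
[[ "$cn" =~ $cn_re ]] \
  || die "FATAL: common name '$cn' contains characters outside [A-Za-z0-9._ -]"

# Temporary passphrase protecting newkey.pem between 'req' and 'rsa'. It is
# handed to openssl via the environment (env:) rather than as 'pass:...' on
# the command line, so it does not show up in 'ps' output of the child processes.
NEWKEY_PASS=$("$OPENSSL" rand -hex 18) || die "FATAL: could not generate key passphrase"
export NEWKEY_PASS

# CA.pl resolves the CA directory relative to the current directory.
work_dir=$(dirname -- "$CA_ROOT")
cd -- "$work_dir" || die "FATAL: cannot cd to $work_dir"
echo "issuing certificate for $cn"

# create certificate request
SUBJECT="/C=FI/L=Helsinki/O=Practicing techie/CN=$cn/emailAddress=info@practicingtechie.com"
# -extra-req is one string that CA.pl re-splits in a shell, hence the inner quotes around the subject.
OPENSSL=$OPENSSL "$CAPL" -newreq -extra-req "-passout env:NEWKEY_PASS -subj '$SUBJECT'" \
  || die "FATAL: failed to create certificate request, aborting"

# sign certificate request
OPENSSL=$OPENSSL "$CAPL" -sign -extra-ca "-passin file:$CA_ROOT/ca-cert-passphrase.txt -batch" \
  || die "FATAL: failed to sign, aborting"

# export private key unencrypted, archive files
# NOTE: newkey-nodes.pem is the unencrypted private key; its permissions follow
# the current umask — tighten (e.g. umask 077) if it must not be group/world readable.
"$OPENSSL" rsa -in newkey.pem -out newkey-nodes.pem -passin env:NEWKEY_PASS \
  || die "FATAL: failed to export private key, aborting"
mkdir -p -- "$CERT_BASE/$cn"
mv -- new*.pem "$CERT_BASE/$cn"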