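#!/bin/bash
#
# Issue an end-entity certificate from the local demo CA for the common
# name given as the only argument.
#
# Usage: <this script> <common-name>
#
# requires CA.pl from OpenSSL: https://github.com/openssl/openssl/blob/master/apps/CA.pl.in
#
# generating CA.pl from OpenSSL source:
# /usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
# "-oMakefile" apps/CA.pl.in > "apps/CA.pl"
# sudo cp apps/CA.pl /usr/local/bin
#
# This script requires that a CA certificate has already been created and
# that the CA private key passphrase can be found in $CA_ROOT/ca-cert-passphrase.txt
#
# NB: OpenSSL doesn't handle concurrent access to the CA database.
# Wrap this script with flock command or use some other method to serialize access.
#
# Security notes (why this is stricter than a plain CA.pl wrapper):
# - The common name is interpolated into a -subj string that CA.pl hands to
#   a shell (its run() helper executes the assembled command line with
#   system()) and into a directory name under $CERT_BASE. Only a
#   conservative hostname-like character set is accepted; quotes, '/',
#   '.', '..', leading '-' and wildcards are rejected up front. Extend the
#   pattern deliberately if wildcard CNs are ever needed.
# - The throw-away passphrase protecting newkey.pem is passed as
#   env:KEYPASS rather than pass:<value>, so it never appears in `ps`
#   output or in the command line that CA.pl echoes to stdout.
# - newkey-nodes.pem is an unencrypted private key: it is written under
#   umask 077 so it is never world-readable, not even briefly.
# - Every step is checked; the script aborts on the first failure instead
#   of continuing with half-written artefacts.
#
set -euo pipefail

CAPL=/usr/local/bin/CA.pl
CA_ROOT=/opt/demoCA
OPENSSL=/usr/bin/openssl
CERT_BASE=$CA_ROOT/certs
readonly CAPL CA_ROOT OPENSSL CERT_BASE
# CA.pl locates the openssl binary through the OPENSSL environment variable.
export OPENSSL

# Print a fatal error to stderr and exit non-zero.
die() {
  printf 'FATAL: %s\n' "$*" >&2
  exit 1
}

usage() {
  printf 'usage: %s <common-name>\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Create a key + CSR, sign it with the demo CA and archive the result.
# Globals:   CAPL, CA_ROOT, OPENSSL, CERT_BASE (read); KEYPASS (exported, then unset)
# Arguments: $1 - common name (hostname-like, see header)
# Outputs:   progress on stdout; key, CSR and certificate under $CERT_BASE/<cn>
# Returns:   0 on success; exits 1 on any failure, 2 on usage error
#######################################
main() {
  local cn=${1:-}
  [[ $# -eq 1 && -n "$cn" ]] || usage

  # Hostname-like CNs only: first char alphanumeric, then [A-Za-z0-9._-].
  # This is what keeps $cn safe inside the quoted -subj string and as a
  # path component below.
  local cn_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
  [[ "$cn" =~ $cn_re ]] || die "invalid common name: '$cn'"

  local subject="/C=FI/L=Helsinki/O=Practicing techie/CN=$cn/emailAddress=info@practicingtechie.com"
  local workdir
  workdir=$(dirname -- "$CA_ROOT") || die "cannot determine parent of $CA_ROOT"

  # CA.pl works relative to ./demoCA, so run from the parent of $CA_ROOT.
  cd -- "$workdir" || die "cannot cd to $workdir"

  # Leftovers from an aborted run would be swept into the new CN directory
  # by the final mv; refuse to continue rather than mix up two certificates.
  local leftover
  for leftover in new*.pem; do
    if [[ -e "$leftover" ]]; then
      die "stale $workdir/$leftover found; clean up before retrying"
    fi
  done

  # Throw-away passphrase for newkey.pem (the key is exported unencrypted
  # below). Exported rather than placed on the command line, see header.
  KEYPASS=$("$OPENSSL" rand -hex 18) || die "could not generate key passphrase"
  [[ -n "$KEYPASS" ]] || die "could not generate key passphrase"
  export KEYPASS

  echo "issuing certificate for $cn"

  # create certificate request
  "$CAPL" -newreq -extra-req "-passout env:KEYPASS -subj '$subject'" \
    || die "failed to create certificate request"

  # sign certificate request
  "$CAPL" -sign -extra-ca "-passin file:$CA_ROOT/ca-cert-passphrase.txt -batch" \
    || die "failed to sign, aborting"

  # export private key unencrypted, archive files
  # umask is scoped to a subshell: only this key file needs 0600; the CA
  # database files written by CA.pl keep their usual permissions.
  ( umask 077 && "$OPENSSL" rsa -in newkey.pem -out newkey-nodes.pem -passin env:KEYPASS ) \
    || die "failed to export private key"
  unset KEYPASS

  mkdir -p -- "$CERT_BASE/$cn" || die "cannot create $CERT_BASE/$cn"
  mv -- new*.pem "$CERT_BASE/$cn/" || die "cannot archive files into $CERT_BASE/$cn"
}

main "$@"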