| #!/bin/bash | |
| # | |
| # requires CA.pl from OpenSSL: https://github.com/openssl/openssl/blob/master/apps/CA.pl.in | |
| # | |
| # generating CA.pl from OpenSSL source: | |
| # /usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \ | |
| # "-oMakefile" apps/CA.pl.in > "apps/CA.pl" | |
| # sudo cp apps/CA.pl /usr/local/bin | |
| # | |
| # This script requires that a CA certificate has already been created and | |
| # that the CA private key passphrase can be found in $CA_ROOT/ca-cert-passphrase.txt | |
| # | |
| # NB: OpenSSL doesn't handle concurrent access to the CA database. | |
| # Wrap this script with flock command or use some other method to serialize access. | |
| # | |
| CAPL=/usr/local/bin/CA.pl | |
| CA_ROOT=/opt/demoCA | |
| OPENSSL=/usr/bin/openssl | |
| CERT_BASE=$CA_ROOT/certs | |
| cn=$1 | |
| pass=`openssl rand -hex 18` | |
| pushd `dirname $CA_ROOT` | |
| echo "issuing certificate for $cn" | |
| # create certificate request | |
| SUBJECT="/C=FI/L=Helsinki/O=Practicing techie/CN=$cn/emailAddress=info@practicingtechie.com" | |
| OPENSSL=$OPENSSL $CAPL -newreq -extra-req "-passout pass:$pass -subj '$SUBJECT'" | |
| # sign certificate request | |
| OPENSSL=$OPENSSL $CAPL -sign -extra-ca "-passin file:$CA_ROOT/ca-cert-passphrase.txt -batch" | |
| if [ "$?" -ne 0 ]; then | |
| echo "FATAL: failed to sign, aborting" | |
| exit 1 | |
| fi | |
| # export private key unencrypted, archive files | |
| $OPENSSL rsa -in newkey.pem -out newkey-nodes.pem -passin pass:$pass | |
| mkdir -p $CERT_BASE/$cn | |
| mv new*.pem $CERT_BASE/$cn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment