Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
#!/bin/bash
#
# requires CA.pl from OpenSSL: https://github.com/openssl/openssl/blob/master/apps/CA.pl.in
#
# generating CA.pl from OpenSSL source:
# /usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
# "-oMakefile" apps/CA.pl.in > "apps/CA.pl"
# sudo cp apps/CA.pl /usr/local/bin
#
# This script requires that a CA certificate has already been created and
# that the CA private key passphrase can be found in $CA_ROOT/ca-cert-passphrase.txt
#
# NB: OpenSSL doesn't handle concurrent access to the CA database.
# Wrap this script with flock command or use some other method to serialize access.
#
CAPL=/usr/local/bin/CA.pl
CA_ROOT=/opt/demoCA
OPENSSL=/usr/bin/openssl
CERT_BASE=$CA_ROOT/certs
cn=$1
pass=`openssl rand -hex 18`
pushd `dirname $CA_ROOT`
echo "issuing certificate for $cn"
# create certificate request
SUBJECT="/C=FI/L=Helsinki/O=Practicing techie/CN=$cn/emailAddress=info@practicingtechie.com"
OPENSSL=$OPENSSL $CAPL -newreq -extra-req "-passout pass:$pass -subj '$SUBJECT'"
# sign certificate request
OPENSSL=$OPENSSL $CAPL -sign -extra-ca "-passin file:$CA_ROOT/ca-cert-passphrase.txt -batch"
if [ "$?" -ne 0 ]; then
echo "FATAL: failed to sign, aborting"
exit 1
fi
# export private key unencrypted, archive files
$OPENSSL rsa -in newkey.pem -out newkey-nodes.pem -passin pass:$pass
mkdir -p $CERT_BASE/$cn
mv new*.pem $CERT_BASE/$cn
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment