This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # requires CA.pl from OpenSSL: https://github.com/openssl/openssl/blob/master/apps/CA.pl.in | |
| # | |
| # generating CA.pl from OpenSSL source: | |
| # /usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \ | |
| # "-oMakefile" apps/CA.pl.in > "apps/CA.pl" | |
| # sudo cp apps/CA.pl /usr/local/bin | |
| # | |
| # This script requires that a CA certificate has already been created and | |
| # that the CA private key passphrase can be found in $CA_ROOT/ca-cert-passphrase.txt | |
| # | |
| # NB: OpenSSL doesn't handle concurrent access to the CA database. | |
| # Wrap this script with flock command or use some other method to serialize access. | |
| # | |
| CAPL=/usr/local/bin/CA.pl | |
| CA_ROOT=/opt/demoCA | |
| OPENSSL=/usr/bin/openssl | |
| CERT_BASE=$CA_ROOT/certs | |
| cn=$1 | |
| pass=`openssl rand -hex 18` | |
| pushd `dirname $CA_ROOT` | |
| echo "issuing certificate for $cn" | |
| # create certificate request | |
| SUBJECT="/C=FI/L=Helsinki/O=Practicing techie/CN=$cn/emailAddress=info@practicingtechie.com" | |
| OPENSSL=$OPENSSL $CAPL -newreq -extra-req "-passout pass:$pass -subj '$SUBJECT'" | |
| # sign certificate request | |
| OPENSSL=$OPENSSL $CAPL -sign -extra-ca "-passin file:$CA_ROOT/ca-cert-passphrase.txt -batch" | |
| if [ "$?" -ne 0 ]; then | |
| echo "FATAL: failed to sign, aborting" | |
| exit 1 | |
| fi | |
| # export private key unencrypted, archive files | |
| $OPENSSL rsa -in newkey.pem -out newkey-nodes.pem -passin pass:$pass | |
| mkdir -p $CERT_BASE/$cn | |
| mv new*.pem $CERT_BASE/$cn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment