#!/bin/bash
# Usage: ./generate-certificates.sh [OUTPUT_PATH]   (default: ./certs)
# Generates a throwaway root CA plus one server and one client certificate signed
# by it, using the openssl binary shipped in the nginx Docker image. The keys are
# written unencrypted into OUTPUT_PATH: these are local dev/test fixtures only.
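function genclient() {
  # Issue a client certificate signed by the root CA already present in $1.
  # Arguments: $1 - host directory holding root-ca.pem / root-ca-key.pem (bind-mounted at /certs)
  #            $2 - OpenSSL subject string for the client cert, e.g. "/C=JP/ST=Tokyo/CN=fake-client"
  # Outputs:   $1/client-key.pem, $1/client-req.pem, $1/client-ext.cnf, $1/client-cert.pem;
  #            the `openssl verify` result on stdout
  # Returns:   non-zero as soon as any openssl step fails
  local out=$1
  local subj=$2
  # No -it: none of these commands read stdin, and -t makes the script fail under
  # cron/CI where no TTY is attached. The nginx image is used only as an OpenSSL
  # carrier; it is unpinned (latest), so pin a tag/digest if reproducibility matters.
  # NOTE: files created inside the mount are owned by the container's root user.
  local -a run=(docker run --rm -v "${out}:/certs" nginx)
  # Key + CSR in one step. -nodes leaves the key unencrypted: acceptable for throwaway
  # dev fixtures, never for credentials that leave the developer's machine.
  # (-days is meaningless on a CSR and was dropped; the lifetime is set at signing.)
  "${run[@]}" openssl req -newkey rsa:2048 -nodes \
    -subj "${subj}" \
    -keyout /certs/client-key.pem -out /certs/client-req.pem || return
  # Rewrite the PKCS#8 key as a traditional "BEGIN RSA PRIVATE KEY" file in place;
  # some older TLS clients only accept that encoding.
  "${run[@]}" openssl rsa -in /certs/client-key.pem -out /certs/client-key.pem || return
  # Sign the CSR. Serial 02 so it differs from the server cert's 01: RFC 5280 requires
  # every serial issued by one CA to be unique, and some verifiers reject duplicates.
  # extendedKeyUsage=clientAuth pins the cert to its role so it cannot pose as a server.
  printf '%s\n' 'extendedKeyUsage=clientAuth' > "${out}/client-ext.cnf" || return
  "${run[@]}" openssl x509 -req -in /certs/client-req.pem -days 3600 \
    -CA /certs/root-ca.pem -CAkey /certs/root-ca-key.pem \
    -set_serial 02 -extfile /certs/client-ext.cnf -out /certs/client-cert.pem || return
  # Propagate the verify status instead of silently leaving a broken cert behind.
  "${run[@]}" openssl verify -CAfile /certs/root-ca.pem /certs/client-cert.pem
}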
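function genroot() {
  # Create the self-signed root CA (root-ca-key.pem + root-ca.pem) in $1.
  # Arguments: $1 - host output directory, bind-mounted at /certs in the container
  #            $2 - OpenSSL subject string for the CA, e.g. "/C=JP/ST=Tokyo/CN=fake-CA"
  # Outputs:   $1/root-ca-key.pem (mode 0600), $1/root-ca.pem
  # Returns:   non-zero if either openssl step fails
  local out=$1
  local subj=$2
  # No -it: nothing here reads stdin, and a -t pseudo-TTY is what turned the original
  # host-side `> file` redirect into CRLF-terminated PEM. The nginx image is only an
  # OpenSSL carrier and is unpinned (latest); pin a tag/digest for reproducible output.
  local -a run=(docker run --rm -v "${out}:/certs" nginx)
  # Write the key with -out inside the container rather than via a host redirect:
  # the original ignored $1 and wrote to ./certs, and created the CA private key with
  # the host umask (typically 0644, world-readable). umask 077 + chmod 600 make the
  # mode explicit regardless of the OpenSSL build in the image.
  "${run[@]}" sh -c 'umask 077 && openssl genrsa -out /certs/root-ca-key.pem 2048 && chmod 600 /certs/root-ca-key.pem' || return
  # Self-signed CA cert, 3600 days. -nodes: the CA key stays unencrypted; this CA is
  # a local dev fixture and must never be installed as trusted outside that scope.
  "${run[@]}" openssl req -new -x509 -nodes -days 3600 \
    -subj "${subj}" \
    -key /certs/root-ca-key.pem -out /certs/root-ca.pem
}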
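function genserver() {
  # Issue a server certificate signed by the root CA already present in $1.
  # Arguments: $1 - host directory holding root-ca.pem / root-ca-key.pem (bind-mounted at /certs)
  #            $2 - OpenSSL subject string; its CN is assumed to be the server's DNS name
  # Outputs:   $1/server-key.pem, $1/server-req.pem, $1/server-ext.cnf, $1/server-cert.pem;
  #            the `openssl verify` result on stdout
  # Returns:   non-zero as soon as any openssl step fails
  local out=$1
  local subj=$2
  # No -it: none of these commands read stdin, and -t makes the script fail under
  # cron/CI where no TTY is attached. The nginx image is only an OpenSSL carrier and
  # is unpinned (latest); pin a tag/digest if reproducibility matters.
  local -a run=(docker run --rm -v "${out}:/certs" nginx)
  # Key + CSR in one step. -nodes leaves the key unencrypted: fine for throwaway dev
  # fixtures, never for a real server key. (-days is meaningless on a CSR; dropped.)
  "${run[@]}" openssl req -newkey rsa:2048 -nodes \
    -subj "${subj}" \
    -keyout /certs/server-key.pem -out /certs/server-req.pem || return
  # Rewrite the PKCS#8 key as a traditional "BEGIN RSA PRIVATE KEY" file in place;
  # some older TLS stacks only accept that encoding.
  "${run[@]}" openssl rsa -in /certs/server-key.pem -out /certs/server-key.pem || return
  # Extensions for the leaf cert. Modern clients ignore CN for hostname verification
  # and require a subjectAltName, so the chain would verify but the hostname check
  # would fail without it. The SAN is derived from the subject's CN and is emitted as
  # a DNS name; use IP:<addr> here instead if the CN is an address.
  # extendedKeyUsage=serverAuth pins the cert to its role.
  local cn=${subj##*CN=}
  cn=${cn%%/*}
  {
    printf '%s\n' 'extendedKeyUsage=serverAuth'
    if [[ "$subj" == *CN=* && -n "$cn" ]]; then
      printf 'subjectAltName=DNS:%s\n' "$cn"
    fi
  } > "${out}/server-ext.cnf" || return
  # Sign the CSR with serial 01. RFC 5280 requires every serial issued by one CA to be
  # unique, so no other leaf cert signed by this CA may reuse it.
  "${run[@]}" openssl x509 -req -in /certs/server-req.pem -days 3600 \
    -CA /certs/root-ca.pem -CAkey /certs/root-ca-key.pem \
    -set_serial 01 -extfile /certs/server-ext.cnf -out /certs/server-cert.pem || return
  # Propagate the verify status instead of silently leaving a broken cert behind.
  "${run[@]}" openssl verify -CAfile /certs/root-ca.pem /certs/server-cert.pem
}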
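# Fail fast: without this a failed CA step still let the script go on to produce
# (and "verify") server/client certs against a missing or broken CA.
set -euo pipefail
# Output directory: first argument, else ./certs. Created first, then resolved to an
# absolute path, because docker -v bind mounts want an absolute host path and the
# original passed $1 through verbatim.
OUT_DIR=${1:-$PWD/certs}
mkdir -p -- "$OUT_DIR"
OUT_DIR=$(cd -- "$OUT_DIR" && pwd)
printf 'output dir: %s\n' "$OUT_DIR"
# Subject components shared by all three certs. The CNs are deliberately "fake-*"
# so these fixtures are never mistaken for real identities; the root CA key also
# lands in $OUT_DIR, so keep that directory out of version control and backups.
OPENSSL_SUBJ="/C=JP/ST=Tokyo/L=Shibuya"
OPENSSL_CA="${OPENSSL_SUBJ}/CN=fake-CA"
OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=fake-server"
OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=fake-client"
# Order matters: the CA must exist before the leaf certs can be signed with it.
genroot "$OUT_DIR" "${OPENSSL_CA}"
genserver "$OUT_DIR" "${OPENSSL_SERVER}"
genclient "$OUT_DIR" "${OPENSSL_CLIENT}"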