
@mrVanDalo
Last active September 11, 2019 11:59
{ pkgs ? import <nixpkgs> {} }:
let
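# create-ca: generate a passphrase-protected 4096-bit RSA CA key and a
# self-signed CA certificate (valid 730 days) in ./ca of the current directory.
openSSLScriptClientCA = pkgs.writeShellScriptBin "create-ca" ''
  # Stop at the first failing step, so a failed key generation is never
  # followed by a certificate request against a stale or missing key.
  set -euo pipefail

  echo "create CA"
  echo

  # Never replace an existing CA key: certificates it already issued would
  # no longer chain to the new CA.
  if [[ -e ca/ca.key ]]
  then
    echo "ca/ca.key already exists, refusing to overwrite it" >&2
    exit 1
  fi
  mkdir -p ca

  # Create the key under a restrictive umask so it is not readable by other
  # users in the window before chmod runs.
  (umask 077 && ${pkgs.openssl}/bin/openssl genrsa -aes256 -out ca/ca.key 4096)
  chmod 400 ca/ca.key

  # The certificate is public material, hence world-readable.
  ${pkgs.openssl}/bin/openssl req -new -x509 -sha256 -days 730 -key ca/ca.key -out ca/ca.crt
  chmod 444 ca/ca.crt
'';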
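# create-cert [NAME]: issue a client certificate (valid 365 days) signed by
# the CA in ./ca. NAME defaults to "heiko" and names the files in ./client.
openSSLScriptClientCert = pkgs.writeShellScriptBin "create-cert" ''
  # Abort on the first failing step instead of signing with partial output.
  set -euo pipefail

  echo "create client cert"
  echo

  # Signing needs both the CA certificate and its private key.
  if [[ ! -f ca/ca.crt || ! -f ca/ca.key ]]
  then
    echo "create ca first"
    exit 1
  fi

  CERT_NAME=''${1:-heiko}
  # The name becomes part of a file path; keep the output inside ./client.
  case "$CERT_NAME" in
    */*)
      echo "certificate name must not contain a slash" >&2
      exit 1
      ;;
  esac
  mkdir -p client

  # The client key is stored unencrypted, so keep it private to the owner.
  # chmod also tightens a key file left over from an earlier, looser run.
  (umask 077 && ${pkgs.openssl}/bin/openssl genrsa -out "client/$CERT_NAME.key" 2048)
  chmod 600 "client/$CERT_NAME.key"
  ${pkgs.openssl}/bin/openssl req -new -key "client/$CERT_NAME.key" -out "client/$CERT_NAME.csr"

  # Serial numbers must be unique per issuer: revocation identifies a
  # certificate by issuer and serial, and a fixed serial gives every client
  # certificate the same identity. The serial file is created on first use
  # and advanced on each later run.
  ${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in "client/$CERT_NAME.csr" -CA ca/ca.crt \
    -CAkey ca/ca.key -CAserial ca/ca.srl -CAcreateserial -out "client/$CERT_NAME.crt"
'';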
in
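# Development shell that puts create-ca, create-cert and openssl on PATH.
pkgs.mkShell {
  buildInputs = with pkgs; [
    openSSLScriptClientCA
    openSSLScriptClientCert
    openssl
  ];

  # Keep a per-project shell history next to this file. The value is quoted
  # so a checkout path containing spaces does not split the assignment.
  # NOTE(review): .history lands beside ca/ and client/; keep it (and the
  # key material) out of version control.
  shellHook = ''
    HISTFILE="${toString ./.}/.history"
  '';
}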