Sub-CA: self-signed pki automation tool.
#!/usr/bin/env bash | |
# Assumptions: easyrsa3 available in current dir, and functional openssl. | |
# This basic example puts the "evoeco_ca" and "children_ca" PKI dirs on the same system. | |
# A real-world setup would use different systems and transport the public components. | |
# Root CA PKI directory name, relative to the cwd; every sub-CA below is
# signed from this PKI.
msmyers_ca="evoeco-ca"
# Sub-CA PKI directory names. Each one gets its own easyrsa PKI whose CSR
# the root CA signs.
declare -a children_ca=("evoeco-ca-bins" "evoeco-ca-usrs")
# easyrsa build-ca keywords applied to every sub-CA: key without a
# passphrase, and emit a CSR rather than a self-signed cert.
# TODO: externalize
nopass="nopass"
subca="subca"
# Value used for EASYRSA_BATCH (non-interactive prompts).
batch=1
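#######################################
# Delete the PKI directories this script builds, relative to the cwd: the
# root CA dir ($msmyers_ca) and each sub-CA dir listed in children_ca.
# Only those known names are removed (no `evoeco-ca-*` glob), `--` stops
# option parsing, and each name is required to be non-empty so an unset
# variable can never widen the rm. The root dir holds the root private key,
# so a rerun throws that key away: callers must confirm before calling this.
# A failed rm (e.g. permissions) is not swallowed any more - continuing to
# build into a dir that could not be cleaned is not what anyone wants.
# Globals:   msmyers_ca (read), children_ca (read)
# Returns:   0 on success; non-zero (or shell exit) on a guard failure
#######################################
destroy_system() {
  local pki
  rm -rf -- "${msmyers_ca:?msmyers_ca must be set}"
  for pki in "${children_ca[@]}"; do
    rm -rf -- "${pki:?children_ca entries must be non-empty}"
  done
}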
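#######################################
# Block until the operator presses Enter. The original passed the prompt
# text as read's variable name, which bash rejects ("not a valid
# identifier") so the pause returned an error without waiting; the prompt
# now goes through -p and the input is discarded into `_`. Reads from the
# controlling terminal so it still waits when stdin is a pipe or a file.
# Returns:   read's status (non-zero when no terminal is available)
#######################################
pause() {
  read -r -p "Press Enter to continue" _ </dev/tty
}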
# Homebrew uses "easyrsa" and Linux uses "./easyrsa"
# solution 1: alias easyrsa="/usr/share/easy-rsa/easyrsa"
# solution 2:
# easyrsa() {
#   /usr/share/easy-rsa/easyrsa "$@"
# }
# solution 3: cry
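#######################################
# Build the root CA and every sub-CA listed in children_ca from scratch.
# Changes versus the previous version: an existing root PKI dir is no longer
# wiped without confirmation (it holds the root private key), unset
# variables and failed pipeline stages abort the run, and make_ca forwards
# only the build-ca keywords it was actually given instead of padding the
# root's call with two empty arguments.
# Globals:   msmyers_ca, children_ca, nopass, subca, batch (all read)
# Outputs:   easyrsa output; prompts on /dev/tty when a PKI already exists
#######################################
main() {
  # Fail fast: the first failing command, unset variable or failed pipeline
  # stage aborts, so a half-built PKI never passes for a finished one.
  set -euo pipefail

  # Refuse to silently destroy an existing root CA. A first run (no dir yet)
  # is not prompted. With no terminal, `read` fails and set -e stops the
  # script here rather than deleting anything.
  confirm_destroy() {
    local reply
    [[ -e "$msmyers_ca" ]] || return 0
    read -r -p "PKI dir '$msmyers_ca' exists and will be deleted together with its private key. Continue? [y/N] " reply </dev/tty
    [[ "$reply" == [yY] ]] || { printf 'aborted: %s not deleted\n' "$msmyers_ca" >&2; exit 1; }
  }

  # Create an empty easyrsa PKI tree for the dir named $1 under the cwd.
  init_pki() {
    EASYRSA_PKI="$(pwd)/$1" \
      easyrsa init-pki
  }

  # Build a CA in PKI dir $1. Any further args are forwarded verbatim as
  # easyrsa build-ca keywords (nopass, subca). The root is called with none,
  # so it is self-signed and - without nopass - easyrsa is expected to ask
  # for a key passphrase; that is deliberate, only sub-CA keys are nopass.
  make_ca() {
    local pki="$1"
    shift
    EASYRSA_BATCH="$batch" EASYRSA_PKI="$(pwd)/$pki" \
      easyrsa build-ca "$@"
  }

  # Import sub-CA $1's CSR into the root PKI and sign it as a CA cert.
  # Signing uses the root key, so expect a passphrase prompt if that key is
  # encrypted.
  sign_subca() {
    EASYRSA_PKI="$(pwd)/$msmyers_ca" \
      easyrsa import-req "$(pwd)/$1/reqs/ca.req" "$1"
    EASYRSA_BATCH="$batch" EASYRSA_PKI="$(pwd)/$msmyers_ca" \
      easyrsa sign-req ca "$1"
  }

  # Install the root-signed cert into sub-CA $1's own PKI as its ca.crt.
  # That file holds the sub-CA cert alone; a relying party that needs the
  # full chain still needs the root's ca.crt as well.
  save_subca() {
    cp -- "$(pwd)/$msmyers_ca/issued/$1.crt" "$1"/ca.crt
  }

  # Full sub-CA lifecycle for dir $1 with build-ca keywords $2..: init,
  # build (CSR), sign with the root, install the signed cert.
  build_chain() {
    init_pki "$1"
    make_ca "$@"
    sign_subca "$1"
    save_subca "$1"
    # [ -f smyersca_postops.sh ] && ( smyersca_postops.sh "$@" )
  }

  # Root CA first, then every sub-CA listed in children_ca.
  build_group() {
    local child_ca
    init_pki "$msmyers_ca"
    make_ca "$msmyers_ca"
    for child_ca in "${children_ca[@]}"; do
      build_chain "$child_ca" "$nopass" "$subca"
    done
  }

  start() {
    build_group
  }

  confirm_destroy
  destroy_system
  start # tap point. App starts here.
}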
main # tap point. App starts here. |