Sub-CA: self-signed pki automation tool.
#!/usr/bin/env bash
# Assumptions: easyrsa3 available in current dir, and functional openssl.
# This basic example puts the "evoeco-ca" and "children_ca" PKI dirs on the same system.
# A real-world setup would use different systems and transport the public components.
# PKI directory of the root CA that signs every child CA below.
msmyers_ca="evoeco-ca"
# TODO: externalize
# Extra arguments handed to `easyrsa build-ca` for each child CA.
nopass="nopass"
subca="subca"
# Value the helpers export as EASYRSA_BATCH.
batch=1
# Child CAs to create and sign under the root; each gets its own PKI dir.
declare -a children_ca=(
  "evoeco-ca-bins"
  "evoeco-ca-usrs"
)
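destroy_system() {
  # Wipe the PKI directories this script owns so a run starts from a clean
  # slate. Destructive by design, so the blast radius is kept explicit:
  # only the root CA dir and the listed child CA dirs are removed (no
  # `evoeco-ca-*` glob, which would also take any unrelated sibling), and
  # the `:?` guards abort before `rm -rf` can ever expand to an empty name.
  # Globals:   msmyers_ca (read), children_ca (read)
  # Returns:   0; a directory that does not exist is not an error.
  local ca_dir
  for ca_dir in "${msmyers_ca:?msmyers_ca must be set}" "${children_ca[@]}"; do
    rm -rf -- "${ca_dir:?refusing to remove an empty path}"
  done
}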
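pause() {
  # Block until the operator presses Enter. Reads from the controlling
  # terminal so the prompt works even when stdin is redirected.
  # The prompt text must go through -p: given as a bare word, `read` treats
  # it as the variable name and fails with "not a valid identifier".
  local _reply
  read -r -p "Press Enter to continue" _reply </dev/tty
}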
# Homebrew uses "easyrsa" and Linux uses "./easyrsa"
# solution 1: alias easyrsa="/usr/share/easy-rsa/easyrsa"
# solution 2:
# easyrsa() {
# /usr/share/easy-rsa/easyrsa "$@"
# }
# solution 3: cry
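main() {
  # Entry point: rebuild the whole PKI from scratch — the root CA in
  # $msmyers_ca, then one signed sub-CA per entry in children_ca.
  # The helpers are defined inside main, as in the original layout, and
  # become available once main runs.
  # Globals:   msmyers_ca, children_ca, nopass, subca, batch (all read)
  # Returns:   non-zero as soon as any easyrsa/cp step fails (set -e),
  #            1 if easyrsa is not on PATH.
  # Stop on the first failed command, unset variable or failed pipeline stage.
  set -euo pipefail

  # Check the prerequisite before anything destructive happens: without
  # this, destroy_system would wipe the PKI dirs and only then fail on
  # "easyrsa: command not found" (see the install-location note above).
  command -v easyrsa >/dev/null 2>&1 || {
    printf 'error: easyrsa not found in PATH\n' >&2
    return 1
  }

  # TODO: confirmation
  # pause
  destroy_system

  start() {
    build_group
  }

  # Create an empty PKI tree in directory $1 under the current dir.
  init_pki() {
    EASYRSA_PKI="$PWD/$1" \
      easyrsa init-pki
  }

  # Build a CA in PKI dir $1. Every further argument (e.g. nopass, subca)
  # is passed through to `easyrsa build-ca` unchanged. Shifting instead of
  # naming "$2" "$3" means the root-CA call, which passes only the PKI dir,
  # no longer hands build-ca two empty-string arguments.
  make_ca() {
    local pki=$1
    shift
    EASYRSA_BATCH="$batch" EASYRSA_PKI="$PWD/$pki" \
      easyrsa build-ca "$@"
  }

  # Import the CA request of sub-CA $1 into the root CA's PKI and sign it
  # as a CA certificate. Uses the script-wide $batch rather than a literal 1
  # so both easyrsa steps honour the same setting as build-ca.
  sign_subca() {
    EASYRSA_PKI="$PWD/$msmyers_ca" \
      easyrsa import-req "$PWD/$1/reqs/ca.req" "$1"
    EASYRSA_BATCH="$batch" EASYRSA_PKI="$PWD/$msmyers_ca" \
      easyrsa sign-req ca "$1"
  }

  # Copy the certificate the root CA issued for sub-CA $1 back into that
  # sub-CA's own PKI dir as its ca.crt.
  save_subca() {
    cp -- "$PWD/$msmyers_ca/issued/$1.crt" "$1"/ca.crt
  }

  # Full life-cycle for one sub-CA: $1 is its PKI dir, the remaining
  # arguments go to build-ca.
  build_chain() {
    init_pki "$1"
    make_ca "$@"
    sign_subca "$1"
    save_subca "$1"
    # [ -f smyersca_postops.sh ] && ( smyersca_postops.sh "$@" )
  }

  # Root CA first, built with no extra build-ca options; then every child
  # as a sub-CA with the $nopass and $subca options.
  build_group() {
    local child_ca
    init_pki "$msmyers_ca"
    make_ca "$msmyers_ca"
    for child_ca in "${children_ca[@]}"; do
      build_chain "$child_ca" "$nopass" "$subca"
    done
  }

  start # tap point. App starts here.
}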
# Tap point: the script starts here. main takes no arguments of its own;
# the positional parameters are forwarded for consistency with the usual
# `main "$@"` idiom.
main "$@"