# Generate certificates suitable for a local deployment including .p12 and base64 for k8s usage
# It can also create a Java keystore; delete/comment out the related lines at the end of main to remove that step. Make sure java is installed.
# To keep the output quiet, some commands have stdout/stderr redirected to /dev/null; remove the redirection to get full output
# Uncomment to get debug info
# set -Eexuo pipefail
trap 'declare rc=$?; >&2 echo "Unexpected error executing $BASH_COMMAND at ${BASH_SOURCE[0]} line $LINENO"; exit $rc' ERR
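#######################################
# Print an OpenSSL config for one server/client certificate on stdout.
# The same text is used twice by main(): as `openssl req -config` (sections
# req/dn/req_ext) and as `openssl x509 -extfile ... -extensions v3_ext`.
# Globals:   HOSTNAME (read) - added as DNS.2 SAN when non-empty
# Arguments: $1 - primary DNS name; becomes the CN and DNS.1 SAN
# Outputs:   config text on stdout
# Returns:   0
#######################################
cert_extfile () {
  local address=$1
  local ipaddr
  # First address reported by the host. `hostname -I` is Linux-only; on other
  # systems (or with no network) this is simply empty and IP.2 is omitted.
  ipaddr=$(hostname -I 2>/dev/null | cut -d " " -f1) || ipaddr=""
  cat <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = GB
ST = UK
L = Cambridge
O = Dev
OU = Engineering
CN = ${address}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${address}
EOF
  # An empty SAN value ("DNS.2 =" / "IP.2 =") makes openssl reject the
  # extension, so these two entries are only written when a value is known.
  if [[ -n "${HOSTNAME:-}" ]]; then
    printf 'DNS.2 = %s\n' "$HOSTNAME"
  fi
  printf 'IP.1 = 127.0.0.1\n'
  if [[ -n "$ipaddr" ]]; then
    printf 'IP.2 = %s\n' "$ipaddr"
  fi
  # digitalSignature is required for (EC)DHE key exchange and TLS 1.3; modern
  # browsers refuse a server cert whose keyUsage lacks it.
  cat <<EOF
[ v3_ext ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF
}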
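#######################################
# Create a throw-away CA and one certificate signed by it, then package the
# result for k8s (base64 one-liners) and Java (PKCS#12 and, if keytool is
# present, JKS) consumers.
# Globals:   HOSTNAME (read) - used for the CA name
# Arguments: $1 - DNS name / CN of the certificate
#            $2 - output directory (created if missing)
# Outputs:   srv_ca.crt and <address>.{key,crt,p12,key-b64,crt-b64} plus
#            <address>_keystore.jks in $2; private material is mode 0600
# Returns:   2 on usage error; 0 on success (any failure exits via the ERR trap)
#######################################
main () {
  if (( $# < 2 )); then
    printf 'Usage: %s <address> <cert_dir>\n' "${0##*/}" >&2
    return 2
  fi
  local address=$1
  local cert_dir=$2
  local ca_name="${HOSTNAME} CA"
  # Throw-away passwords: they only protect the local .p12/.jks containers
  # (they are visible on the command line / in `ps`, so never reuse them).
  local p12_pass=notimportant
  local jks_pass=changeit
  local ca_key="${cert_dir}/srv_ca.key"
  local ca_crt="${cert_dir}/srv_ca.crt"
  local srv="${cert_dir}/${address}"

  mkdir -p -- "$cert_dir"
  openssl genrsa -out "$ca_key" 2048 >/dev/null 2>&1
  chmod 600 "$ca_key"
  # The CA gets its own CN (ca_name): a leaf whose subject equals its issuer's
  # is treated as "self-issued" by RFC 5280 path validation, which confuses
  # some verifiers. 3650 days is fine for a local CA; public CAs cap at 398.
  openssl req -x509 -new -days 3650 -nodes -key "$ca_key" \
    -subj "/C=GB/ST=UK/L=Cambridge/O=Dev/OU=Engineering/CN=${ca_name}" -out "$ca_crt"
  openssl genrsa -out "${srv}.key" 2048 >/dev/null 2>&1
  chmod 600 "${srv}.key"
  openssl req -new -key "${srv}.key" -out "${srv}.csr" -config <(cert_extfile "$address")
  openssl x509 -req -days 3650 -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
    -in "${srv}.csr" -out "${srv}.crt" -extensions v3_ext -extfile <(cert_extfile "$address")
  # Parse both artefacts once so a malformed output fails here, not in the consumer.
  openssl req -noout -text -in "${srv}.csr" 1>/dev/null
  openssl x509 -noout -text -in "${srv}.crt" 1>/dev/null
  openssl pkcs12 -export -name "$address" -caname "$ca_name" -in "${srv}.crt" \
    -inkey "${srv}.key" -CAfile "$ca_crt" -out "${srv}.p12" \
    -passout "pass:${p12_pass}" 1>/dev/null
  chmod 600 "${srv}.p12"
  openssl verify -CAfile "$ca_crt" "${srv}.crt"
  # base64 -w0 is GNU coreutils; a k8s Secret value must be a single line.
  base64 -w0 "${srv}.key" > "${srv}.key-b64"
  chmod 600 "${srv}.key-b64"
  base64 -w0 "${srv}.crt" > "${srv}.crt-b64"
  # The Java keystore is optional: skip it when no JDK is installed instead of
  # aborting (keytool's own noise is still suppressed).
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -alias "$address" -deststorepass "$jks_pass" \
      -destkeystore "${srv}_keystore.jks" -srckeystore "${srv}.p12" \
      -srcstoretype PKCS12 -srcstorepass "$p12_pass" -destkeypass "$jks_pass" 2>/dev/null
    chmod 600 "${srv}_keystore.jks"
  else
    printf 'keytool not found, skipping %s_keystore.jks\n' "$srv" >&2
  fi
  # Clean-up unneeded files. The CA key is discarded on purpose: nothing else
  # can ever be issued by this CA, so a leaked srv_ca.crt trust anchor is harmless.
  rm -f -- "$ca_key" "${srv}.csr" "${cert_dir}/srv_ca.srl"
}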
# Entry point: main <address> <cert_dir>
main "$@"