Sierra Softworks Guided Certificate Request Script

certreq

#! /usr/bin/env bash
echo "Sierra Softworks Certificate Request Script"
echo "v1.0.0-beta"
KEY_NAME=$1
EDITOR=$2

#################################################
################### IMPORTANT! ##################
#################################################
# These defaults are the StartSSL CA certificates
# replace them if you are using a different authority.
CA_CERTS=("http://www.startssl.com/certs/ca.pem" "http://www.startssl.com/certs/sub.class1.server.ca.pem")

function default() {
        if [ $# -lt 2 ]; then return 1; fi
        local value=$(eval "echo \$$1")
        if [[ "x$value" == "x" ]]; then
                eval "$1='$2'"
        fi
        return 0
}

function exists() {
        local exists=
        if [ -f $1 ]; then exists=0; else exists=1; fi
        return $exists
}

function success() {
        echo "Done"
}

function fail() {
        echo "Failed"
        exit 1
}

function ensureEditor() {
        if [[ "x$EDITOR" == "x" ]]; then
                read -p "Which editor would you like to use? [vim]: " EDITOR
                default EDITOR vim || fail
                return 0
        else
                return 1
        fi
}

# Load the name of the certificate - will result in files called ${KEY_NAME}.${EXT}
if [ "$KEY_NAME" = "" ]; then
        read -p "Please enter the name of your key [ssl]: " KEY_NAME
        default KEY_NAME ssl || fail
fi

# Check if there is already a certificate signing request - if there is then use it
if [ -f "${KEY_NAME}.csr" ]; then
        USE_CSR="y"
else
	# Otherwise ask if the user wishes to make use of a CSR
        read -p "Would you like to use a Certificate Signing Request? [y]: " USE_CSR
        default USE_CSR y || fail
fi

if [ "$USE_CSR" = "y" ]; then
	echo ""
        echo "Checking for Certificate Signing Request"
        if [ ! -f "${KEY_NAME}.csr" ]; then
                echo "This will create a signing request called ${KEY_NAME}.csr and a key file called ${KEY_NAME}.key"
                read -p "Enter the key size in bytes [2048]: " KEY_SIZE
                default KEY_SIZE 2048 || fail
                
                echo "  - Generating key..."
                openssl genrsa -out "${KEY_NAME}.key" $KEY_SIZE || fail
                exists "${KEY_NAME}.key" || fail
                
                echo "  - Creating CSR..."
                openssl req -new -sha256 -key "${KEY_NAME}.key" -out "${KEY_NAME}.csr" || fail
                exists "${KEY_NAME}.csr" || fail
                
                echo "Please copy the resulting signing request into the CA submission portal"
                echo "This will open up your editor to allow you to copy the signing request's data"
                ensureEditor || read -p "Press ENTER to continue... "
                $EDITOR "${KEY_NAME}.csr" || fail
	else
	        echo "Certificate Signing Request already present"

            echo ""
            echo -n "Checking that key matches signing request..."
            exists "${KEY_NAME}.key" || fail
            KEY_MD5=$(openssl rsa -noout -modulus -in "${KEY_NAME}.key" | openssl md5)
            CSR_MD5=$(openssl req -noout -modulus -in "${KEY_NAME}.csr" | openssl md5)
            if [ "$KEY_MD5" = "$CSR_MD5" ]; then
                success
            else
                fail
            fi
	fi
fi

echo "Checking for Key File"
if [ ! -f "${KEY_NAME}.key" ]; then
        echo "This will create a key called ${KEY_NAME}.key"

        echo "Please paste the secure key contents into the editor window."
        ensureEditor || read -p "Press ENTER to continue... "
        $EDITOR "${KEY_NAME}.key" || fail
        exists "${KEY_NAME}.key" || fail
else
        echo "Key file already present"
fi

echo ""
echo "Checking for Certificate"
if [ ! -f "${KEY_NAME}.pem" ]; then
        echo "Please retrieve the certificate from your CA toolbox."
        echo "You will be required to paste its contents into the editor window which appears."
        ensureEditor || read -p "Press ENTER to continue... "
        $EDITOR "${KEY_NAME}.pem" || fail
        exists "${KEY_NAME}.pem" || fail
else
        echo "Certificate file already present"
fi

echo ""
echo -n "Checking that certificate and key match..."
KEY_MD5=$(openssl rsa -noout -modulus -in "${KEY_NAME}.key" | openssl md5)
CERT_MD5=$(openssl x509 -noout -modulus -in "${KEY_NAME}.pem" | openssl md5)
if [ "$KEY_MD5" = "$CERT_MD5" ]; then
    success
else
    fail
fi

echo ""
echo "Checking for Certificate Chain"
if [ ! -f "${KEY_NAME}.chain.pem" ]; then
    echo "Building Certificate Chain"
    cp "${KEY_NAME}.pem" "${KEY_NAME}.chain.pem"
    exists "${KEY_NAME}.chain.pem" || fail

    echo "Acquiring CA Certificates"
    CA_COUNT=0
    while [ "x${CA_CERTS[CA_COUNT]}" != "x" ]; do
    	CERT_NAME="${CA_CERTS[CA_COUNT]##.*/}"
    	echo -n "Downloading CA certificate '${CERT_NAME}' ..."
    	wget -qO- "${CA_CERTS[CA_COUNT]}" >> "${KEY_NAME}.chain.pem" && success || fail
        CA_COUNT=$(( $CA_COUNT + 1 ))
    done
fi

echo ""
echo -n "Checking that certificate chain and key match..."
KEY_MD5=$(openssl rsa -noout -modulus -in "${KEY_NAME}.key" | openssl md5)
CERTCHAIN_MD5=$(openssl x509 -noout -modulus -in "${KEY_NAME}.chain.pem" | openssl md5)
if [ "$KEY_MD5" = "$CERTCHAIN_MD5" ]; then
    success
else
    fail
fi

echo ""
echo -n "Decrypting Certificate Key... "
openssl rsa -in "${KEY_NAME}.key" -out "${KEY_NAME}.key" && success || fail

echo ""
echo "You're ready!"
echo "You should use ${KEY_NAME}.key as your private key and ${KEY_NAME}.chain.pem for your certificate chain."

examples.sh

# Walk me through the process of creating a certificate called myCertifiate
certreq myCertificate