Sierra Softworks Guided Certificate Request Script
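#! /usr/bin/env bash
# Guided certificate request helper: walks the user through creating a private
# key, a CSR, the issued certificate and a certificate chain, all named after
# KEY_NAME.
#
# Usage: certreq [KEY_NAME] [EDITOR]
#   $1 - base name for the generated files (KEY_NAME.key/.csr/.pem/.chain.pem);
#        prompted for later if omitted
#   $2 - editor used to show/paste files; falls back to $EDITOR from the
#        environment, and is prompted for later if neither is set
echo "Sierra Softworks Certificate Request Script"
echo "v1.0.0-beta"
KEY_NAME=$1
# Honour an EDITOR already exported in the environment instead of clobbering
# it with an empty string whenever no second argument is given.
EDITOR=${2:-$EDITOR}
#################################################
################### IMPORTANT! ##################
#################################################
# These defaults are the StartSSL CA certificates
# replace them if you are using a different authority.
# NOTE(review): these URLs are plain HTTP and the downloads are appended to the
# chain without any integrity check; verify the fetched intermediates against
# the CA's published fingerprints (or use HTTPS URLs) before deploying the chain.
CA_CERTS=("http://www.startssl.com/certs/ca.pem" "http://www.startssl.com/certs/sub.class1.server.ca.pem")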
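# Assign a fallback value to a variable that is unset or empty.
#   $1 - name of the variable to set (referenced indirectly)
#   $2 - value stored in $1 when it currently has no value
# Returns 1 when fewer than two arguments are supplied, 0 otherwise.
default() {
  if [ $# -lt 2 ]; then return 1; fi
  # Indirect expansion reads the variable without eval-ing caller text.
  local current="${!1}"
  if [ -z "$current" ]; then
    # printf -v assigns without re-parsing the value as shell code, so a
    # default containing quotes, spaces or $ cannot be misinterpreted.
    printf -v "$1" '%s' "$2"
  fi
  return 0
}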
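# Test whether a regular file exists.
#   $1 - path to check; quoted, so names containing spaces or glob
#        characters are tested literally instead of being word-split
# Returns 0 if the file exists, 1 otherwise.
exists() {
  if [[ -f "$1" ]]; then
    return 0
  fi
  return 1
}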
# Print the completion marker on stdout.
success() {
  printf '%s\n' "Done"
}
# Print the failure marker on stdout and abort the whole script with status 1.
fail() {
  printf '%s\n' "Failed"
  exit 1
}
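# Make sure EDITOR is set, prompting the user when it is empty.
# Globals:  EDITOR (read; written when it was empty)
# Returns:  0 when the user has just been prompted (callers use this to skip
#           their own "press ENTER" pause), 1 when EDITOR was already set.
ensureEditor() {
  if [[ -n "$EDITOR" ]]; then
    return 1
  fi
  # -r keeps backslashes in the typed command literal.
  read -r -p "Which editor would you like to use? [vim]: " EDITOR
  default EDITOR vim || fail
  return 0
}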
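# Load the name of the certificate - will result in files called ${KEY_NAME}.${EXT}
if [ -z "$KEY_NAME" ]; then
  # -r keeps backslashes in the typed name literal.
  read -r -p "Please enter the name of your key [ssl]: " KEY_NAME
  default KEY_NAME ssl || fail
fi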
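# Check if there is already a certificate signing request - if there is then use it
if [ -f "${KEY_NAME}.csr" ]; then
  USE_CSR="y"
else
  # Otherwise ask if the user wishes to make use of a CSR
  # (-r keeps backslashes in the answer literal).
  read -r -p "Would you like to use a Certificate Signing Request? [y]: " USE_CSR
  default USE_CSR y || fail
fi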
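if [ "$USE_CSR" = "y" ]; then
  echo ""
  echo "Checking for Certificate Signing Request"
  if [ ! -f "${KEY_NAME}.csr" ]; then
    echo "This will create a signing request called ${KEY_NAME}.csr and a key file called ${KEY_NAME}.key"
    # genrsa takes the modulus length in bits, not bytes.
    read -r -p "Enter the key size in bits [2048]: " KEY_SIZE
    default KEY_SIZE 2048 || fail
    echo " - Generating key..."
    # Quoted so a malformed answer cannot be split into extra openssl arguments.
    openssl genrsa -out "${KEY_NAME}.key" "$KEY_SIZE" || fail
    exists "${KEY_NAME}.key" || fail
    # openssl creates the file with the process umask (commonly 0644);
    # a private key must not be readable by other local users.
    chmod 600 "${KEY_NAME}.key" || fail
    echo " - Creating CSR..."
    openssl req -new -sha256 -key "${KEY_NAME}.key" -out "${KEY_NAME}.csr" || fail
    exists "${KEY_NAME}.csr" || fail
    echo "Please copy the resulting signing request into the CA submission portal"
    echo "This will open up your editor to allow you to copy the signing request's data"
    ensureEditor || read -r -p "Press ENTER to continue... "
    # EDITOR is deliberately unquoted so a value such as "code -w" splits
    # into command and arguments.
    $EDITOR "${KEY_NAME}.csr" || fail
  else
    echo "Certificate Signing Request already present"
    echo ""
    echo -n "Checking that key matches signing request..."
    exists "${KEY_NAME}.key" || fail
    # Capture each modulus separately and abort when either openssl call fails:
    # piped straight into md5, two failed extractions both hash to the digest
    # of the empty string and would be reported as a match.
    KEY_MODULUS=$(openssl rsa -noout -modulus -in "${KEY_NAME}.key") || fail
    CSR_MODULUS=$(openssl req -noout -modulus -in "${KEY_NAME}.csr") || fail
    KEY_MD5=$(printf '%s\n' "$KEY_MODULUS" | openssl md5)
    CSR_MD5=$(printf '%s\n' "$CSR_MODULUS" | openssl md5)
    if [ -n "$KEY_MODULUS" ] && [ "$KEY_MD5" = "$CSR_MD5" ]; then
      success
    else
      fail
    fi
  fi
fi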
echo "Checking for Key File"
if [ ! -f "${KEY_NAME}.key" ]; then
echo "This will create a key called ${KEY_NAME}.key"
echo "Please paste the secure key contents into the editor window."
ensureEditor || read -p "Press ENTER to continue... "
$EDITOR "${KEY_NAME}.key" || fail
exists "${KEY_NAME}.key" || fail
else
echo "Key file already present"
fi
echo ""
echo "Checking for Certificate"
if [ ! -f "${KEY_NAME}.pem" ]; then
echo "Please retrieve the certificate from your CA toolbox."
echo "You will be required to paste its contents into the editor window which appears."
ensureEditor || read -p "Press ENTER to continue... "
$EDITOR "${KEY_NAME}.pem" || fail
exists "${KEY_NAME}.pem" || fail
else
echo "Certificate file already present"
fi
echo ""
echo -n "Checking that certificate and key match..."
KEY_MD5=$(openssl rsa -noout -modulus -in "${KEY_NAME}.key" | openssl md5)
CERT_MD5=$(openssl x509 -noout -modulus -in "${KEY_NAME}.pem" | openssl md5)
if [ "$KEY_MD5" = "$CERT_MD5" ]; then
success
else
fail
fi
echo ""
echo "Checking for Certificate Chain"
if [ ! -f "${KEY_NAME}.chain.pem" ]; then
echo "Building Certificate Chain"
cp "${KEY_NAME}.pem" "${KEY_NAME}.chain.pem"
exists "${KEY_NAME}.chain.pem" || fail
echo "Acquiring CA Certificates"
CA_COUNT=0
while [ "x${CA_CERTS[CA_COUNT]}" != "x" ]; do
CERT_NAME="${CA_CERTS[CA_COUNT]##.*/}"
echo -n "Downloading CA certificate '${CERT_NAME}' ..."
wget -qO- "${CA_CERTS[CA_COUNT]}" >> "${KEY_NAME}.chain.pem" && success || fail
CA_COUNT=$(( $CA_COUNT + 1 ))
done
fi
echo ""
echo -n "Checking that certificate chain and key match..."
KEY_MD5=$(openssl rsa -noout -modulus -in "${KEY_NAME}.key" | openssl md5)
CERTCHAIN_MD5=$(openssl x509 -noout -modulus -in "${KEY_NAME}.chain.pem" | openssl md5)
if [ "$KEY_MD5" = "$CERTCHAIN_MD5" ]; then
success
else
fail
fi
echo ""
echo -n "Decrypting Certificate Key... "
openssl rsa -in "${KEY_NAME}.key" -out "${KEY_NAME}.key" && success || fail
echo ""
echo "You're ready!"
echo "You should use ${KEY_NAME}.key as your private key and ${KEY_NAME}.chain.pem for your certificate chain."
# Walk me through the process of creating a certificate called myCertificate
# (usage example: produces myCertificate.key/.csr/.pem/.chain.pem in the current directory)
certreq myCertificate