Sierra Softworks Guided Certificate Request Script
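#! /usr/bin/env bash
#
# Sierra Softworks Guided Certificate Request Script
#
# Usage: certreq [KEY_NAME] [EDITOR]
#   KEY_NAME - file prefix for the key/CSR/certificate files written to the
#              current directory (prompted for when omitted)
#   EDITOR   - editor used to display/paste PEM data. Falls back to $EDITOR
#              from the environment, then to an interactive prompt.
#
# The last step of the script leaves ${KEY_NAME}.key UNENCRYPTED on disk, so
# run it on the host that will serve the certificate.
echo "Sierra Softworks Certificate Request Script"
echo "v1.0.0-beta"
KEY_NAME=${1-}
# Only override the environment's $EDITOR when one is passed explicitly;
# the original unconditional assignment discarded a configured editor and
# forced a prompt every run.
EDITOR=${2:-${EDITOR-}}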
#################################################
################### IMPORTANT! ##################
#################################################
# CA certificates appended, in this order, after the leaf certificate in
# ${KEY_NAME}.chain.pem. These defaults are the StartSSL CA certificates -
# replace them if you are using a different authority.
#
# NOTE(review): these are plain-http URLs, so the download itself carries no
# integrity guarantee - prefer https URLs from your CA. StartSSL/StartCom has
# also since been distrusted by the major browsers, so the defaults are
# unlikely to be what you want today. The defaults list the root before the
# intermediate; TLS 1.2 clients generally expect each certificate to be
# followed by its issuer (intermediates first), so check the order your
# server and clients require.
CA_CERTS=(
  "http://www.startssl.com/certs/ca.pem"
  "http://www.startssl.com/certs/sub.class1.server.ca.pem"
)
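# Assign a fallback value to a variable that is unset or empty.
#   $1 - variable NAME (not its value)
#   $2 - fallback value
# Returns 1 when fewer than two arguments are given, 0 otherwise.
# Indirect expansion and printf -v replace the original eval: a value
# containing quotes, '$' or glob characters is now stored literally instead
# of being re-parsed (the old `eval "echo \$$1"` also glob-expanded it).
default() {
  if (( $# < 2 )); then return 1; fi
  local name=$1
  if [[ -z "${!name}" ]]; then
    printf -v "$name" '%s' "$2"
  fi
  return 0
}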
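# Succeed (0) when $1 names a regular file, fail (1) otherwise.
# The path is quoted so names containing spaces or glob characters are
# tested as given instead of being word-split/expanded.
exists() {
  [[ -f "$1" ]]
}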
# Print the "Done" marker that completes a "Checking ..." progress line.
success() {
  printf 'Done\n'
}
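# Report a failure and abort the script with status 1.
# Any arguments are appended as the reason ("Failed: <reason>"); with none
# the output is the plain "Failed" the progress lines expect.
# Written to stderr so the diagnostic is not swallowed when stdout is piped.
fail() {
  if (( $# > 0 )); then
    printf 'Failed: %s\n' "$*" >&2
  else
    printf 'Failed\n' >&2
  fi
  exit 1
}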
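# Make sure $EDITOR is set, prompting for one (default vim) when it is not.
# Returns 0 when the user was just prompted and 1 when an editor was already
# configured; callers use the 1 to insert a "Press ENTER" pause before the
# editor opens, so the inverted convention is intentional.
ensureEditor() {
  if [[ -n "$EDITOR" ]]; then
    return 1
  fi
  # -r keeps backslashes in the typed value literal (e.g. a Windows path).
  read -r -p "Which editor would you like to use? [vim]: " EDITOR
  default EDITOR vim || fail
  return 0
}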
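# ---------------------------------------------------------------------------
# Main flow. Works in the current directory and produces:
#   ${KEY_NAME}.key        RSA private key (left UNENCRYPTED by the last step)
#   ${KEY_NAME}.csr        signing request (only on the CSR path)
#   ${KEY_NAME}.pem        the certificate issued by the CA
#   ${KEY_NAME}.chain.pem  certificate followed by the CA_CERTS downloads
# Relies on the helpers default/exists/success/fail/ensureEditor above.
# ---------------------------------------------------------------------------

# Print the RSA modulus of a key, CSR or certificate so two artefacts can be
# compared for a matching key pair.
#   $1 - openssl subcommand that reads the file: rsa, req or x509
#   $2 - file to read (x509 on a bundle reads only the FIRST certificate)
# Returns non-zero and prints nothing when openssl cannot parse the file.
# The original piped both sides through md5, so two unreadable files both
# hashed to md5("") and were reported as matching.
modulus_of() {
  local modulus
  modulus=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
  [[ -n "$modulus" ]] || return 1
  printf '%s\n' "$modulus"
}

# Load the name of the certificate - will result in files called ${KEY_NAME}.${EXT}
if [[ -z "$KEY_NAME" ]]; then
  read -r -p "Please enter the name of your key [ssl]: " KEY_NAME
  default KEY_NAME ssl || fail
fi
# The name becomes a file prefix; a leading '-' would be parsed as an option
# by cp, the editor and openssl.
if [[ "$KEY_NAME" == -* ]]; then
  echo "Key name must not start with '-'"
  fail
fi

# Check if there is already a certificate signing request - if there is then use it
if [[ -f "${KEY_NAME}.csr" ]]; then
  USE_CSR="y"
else
  # Otherwise ask if the user wishes to make use of a CSR
  read -r -p "Would you like to use a Certificate Signing Request? [y]: " USE_CSR
  default USE_CSR y || fail
fi

if [[ "$USE_CSR" == "y" ]]; then
  echo ""
  echo "Checking for Certificate Signing Request"
  if [[ ! -f "${KEY_NAME}.csr" ]]; then
    echo "This will create a signing request called ${KEY_NAME}.csr and a key file called ${KEY_NAME}.key"
    # The size is in bits (the old prompt said bytes).
    read -r -p "Enter the key size in bits [2048]: " KEY_SIZE
    default KEY_SIZE 2048 || fail
    # Must be a whole number and at least 2048 bits, the minimum public CAs
    # currently accept for RSA keys.
    if [[ ! "$KEY_SIZE" =~ ^[0-9]+$ ]] || (( 10#$KEY_SIZE < 2048 )); then
      echo "Key size must be a whole number of bits, 2048 or more"
      fail
    fi
    echo " - Generating key..."
    # umask in a subshell: the key file is mode 0600 from the moment it
    # exists, without changing the umask for the public files created later.
    ( umask 077 && openssl genrsa -out "${KEY_NAME}.key" "$KEY_SIZE" ) || fail
    exists "${KEY_NAME}.key" || fail
    echo " - Creating CSR..."
    openssl req -new -sha256 -key "${KEY_NAME}.key" -out "${KEY_NAME}.csr" || fail
    exists "${KEY_NAME}.csr" || fail
    echo "Please copy the resulting signing request into the CA submission portal"
    echo "This will open up your editor to allow you to copy the signing request's data"
    ensureEditor || read -r -p "Press ENTER to continue... "
    # $EDITOR is deliberately unquoted so values like "code --wait" work.
    # shellcheck disable=SC2086
    $EDITOR "${KEY_NAME}.csr" || fail
  else
    echo "Certificate Signing Request already present"
    echo ""
    printf '%s' "Checking that key matches signing request..."
    exists "${KEY_NAME}.key" || fail
    KEY_MOD=$(modulus_of rsa "${KEY_NAME}.key") || fail
    CSR_MOD=$(modulus_of req "${KEY_NAME}.csr") || fail
    if [[ "$KEY_MOD" == "$CSR_MOD" ]]; then
      success
    else
      fail
    fi
  fi
fi

echo "Checking for Key File"
if [[ ! -f "${KEY_NAME}.key" ]]; then
  echo "This will create a key called ${KEY_NAME}.key"
  echo "Please paste the secure key contents into the editor window."
  ensureEditor || read -r -p "Press ENTER to continue... "
  # Subshell umask so the pasted key is never world-readable, even briefly.
  # shellcheck disable=SC2086
  ( umask 077 && $EDITOR "${KEY_NAME}.key" ) || fail
  exists "${KEY_NAME}.key" || fail
else
  echo "Key file already present"
fi
# A pre-existing key may have been created under a permissive umask.
chmod 600 "${KEY_NAME}.key" || fail

echo ""
echo "Checking for Certificate"
if [[ ! -f "${KEY_NAME}.pem" ]]; then
  echo "Please retrieve the certificate from your CA toolbox."
  echo "You will be required to paste its contents into the editor window which appears."
  ensureEditor || read -r -p "Press ENTER to continue... "
  # shellcheck disable=SC2086
  $EDITOR "${KEY_NAME}.pem" || fail
  exists "${KEY_NAME}.pem" || fail
else
  echo "Certificate file already present"
fi

echo ""
printf '%s' "Checking that certificate and key match..."
KEY_MOD=$(modulus_of rsa "${KEY_NAME}.key") || fail
CERT_MOD=$(modulus_of x509 "${KEY_NAME}.pem") || fail
if [[ "$KEY_MOD" == "$CERT_MOD" ]]; then
  success
else
  fail
fi

echo ""
echo "Checking for Certificate Chain"
if [[ ! -f "${KEY_NAME}.chain.pem" ]]; then
  echo "Building Certificate Chain"
  cp -- "${KEY_NAME}.pem" "${KEY_NAME}.chain.pem" || fail
  exists "${KEY_NAME}.chain.pem" || fail
  echo "Acquiring CA Certificates"
  for ca_url in "${CA_CERTS[@]}"; do
    # The original used '##.*/', a glob that never matched an http URL.
    ca_name="${ca_url##*/}"
    printf '%s' "Downloading CA certificate '${ca_name}' ..."
    # Fetch into memory first: a failed or non-PEM response must never be
    # appended to the chain file, and each certificate gets its own trailing
    # newline so two PEM blocks cannot be glued together. A plain-http URL
    # gives no integrity guarantee, which is why the chain is verified
    # against the leaf certificate below.
    ca_pem=$(wget -qO- -- "$ca_url") || fail
    printf '%s\n' "$ca_pem" | openssl x509 -noout >/dev/null 2>&1 || fail
    printf '%s\n' "$ca_pem" >> "${KEY_NAME}.chain.pem" || fail
    success
  done
fi

echo ""
printf '%s' "Checking that certificate chain and key match..."
KEY_MOD=$(modulus_of rsa "${KEY_NAME}.key") || fail
# x509 reads only the first certificate in the bundle, i.e. the leaf copied in above.
CHAIN_MOD=$(modulus_of x509 "${KEY_NAME}.chain.pem") || fail
if [[ "$KEY_MOD" == "$CHAIN_MOD" ]]; then
  success
else
  fail
fi

echo ""
printf '%s' "Checking that the CA certificates form a chain for the certificate..."
# Catches the common mistake of leaving the default CA_CERTS in place for a
# different CA. The bundle is offered both as trust anchors and as untrusted
# intermediates so a chain that ends at a root in the system store also
# passes. Reported as a warning rather than a hard failure because the
# original never checked this and some CAs ship intermediates only.
if openssl verify -CAfile "${KEY_NAME}.chain.pem" -untrusted "${KEY_NAME}.chain.pem" "${KEY_NAME}.pem" >/dev/null 2>&1; then
  success
else
  echo "WARNING"
  echo "WARNING: openssl verify could not build a chain from ${KEY_NAME}.pem through the CA_CERTS downloads;" >&2
  echo "         clients are likely to reject this chain. Check CA_CERTS for your CA." >&2
fi

echo ""
printf '%s' "Decrypting Certificate Key... "
# Write the unencrypted key to a fresh 0600 file beside the original and
# rename it into place, so an aborted openssl run (wrong passphrase, Ctrl-C)
# cannot leave ${KEY_NAME}.key truncated and the key never widens its mode.
tmp_key=$(mktemp "${KEY_NAME}.key.XXXXXX") || fail
if openssl rsa -in "${KEY_NAME}.key" -out "$tmp_key"; then
  mv -f -- "$tmp_key" "${KEY_NAME}.key" || fail
  chmod 600 "${KEY_NAME}.key" || fail
  success
else
  rm -f -- "$tmp_key"
  fail
fi

echo ""
echo "You're ready!"
echo "You should use ${KEY_NAME}.key as your private key and ${KEY_NAME}.chain.pem for your certificate chain."
echo "Note: ${KEY_NAME}.key is now unencrypted (mode 0600) - keep it on this host only."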
# Walk me through the process of creating a certificate called myCertificate.
# The first argument is the KEY_NAME file prefix; no editor is given, so the
# script prompts for one.
certreq myCertificate