@penglei
Created March 8, 2019 05:23
cfssl-gen-certs
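#!/bin/bash
#
# cfssl-gen-certs: build a small local PKI in the current directory with
# cfssl/cfssljson: a self-signed root CA, an intermediate CA signed by the
# root, and a server certificate for localhost signed by the intermediate.
#
# Files written to the current directory: config.json plus the
# root*, intermediate* and server* files that `cfssljson -bare` emits
# (certificate, CSR and private key for each name).
#
# Security notes for anyone reusing this:
#   * All three private keys, including the root CA key, are left unencrypted
#     next to the certificates. After a run, check that the *-key.pem files
#     are not group/world readable, and move the root key somewhere offline
#     if the hierarchy is used for more than local testing.
#   * Lifetimes are long: 131400h (15 years) for the root and 87600h
#     (10 years) for the intermediate and the server certificate, all on
#     RSA-2048 keys. Fine for a throwaway lab CA; shorten the expiries and
#     reconsider the key size before trusting this root anywhere that matters.
#   * Re-running the script overwrites existing files of the same names.

# Stop at the first failure. Without this (and pipefail) a failed cfssl call
# is masked by the pipeline, and the later steps go on to sign with whatever
# stale key and certificate files an earlier run left in the directory.
set -euo pipefail

for tool in cfssl cfssljson; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'error: required tool not found in PATH: %s\n' "$tool" >&2
    exit 1
  fi
done

readonly config_file=config.json
readonly root_name=root
readonly intermdt_name=intermediate

# Signing policy shared by the intermediate and server steps.
#   the_intermediate: CA certificate that may sign end-entity certificates and
#                     CRLs but, with max_path_len 0, no further CAs.
#   the_server:       TLS server certificate ("server auth"), not a CA.
# The heredoc delimiter is quoted so the shell never expands anything inside
# the JSON.
cat << 'EOF' > "$config_file"
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"the_intermediate": {
"ca_constraint": {
"is_ca": true,
"max_path_len": 0,
"max_path_len_zero": true
},
"usages": [
"digital signature",
"cert sign",
"crl sign",
"signing"
],
"expiry": "87600h"
},
"the_server": {
"usages": [
"signing",
"key encipherment",
"server auth"
],
"expiry": "87600h"
}
}
}
}
EOF

# Root CA: self-signed, pathlen 1 so exactly one CA level may sit below it.
cfssl gencert -initca - << 'ROOTCSR' | cfssljson -bare "$root_name"
{
"CN": "local_root",
"key": {
"algo": "rsa",
"size": 2048
},
"ca": {
"expiry": "131400h",
"pathlen": 1
},
"names":[]
}
ROOTCSR

# Intermediate CA, step 1: generate its key pair and CSR.
cfssl genkey -initca - << 'INTERMDTCSR' | cfssljson -bare "$intermdt_name"
{
"CN": "local_intermediate",
"key": {
"algo": "rsa",
"size": 2048
},
"ca": {
"expiry": "87600h",
"pathlen": 0
},
"names":[]
}
INTERMDTCSR

# Intermediate CA, step 2: have the root sign that CSR under the
# the_intermediate profile. This replaces ${intermdt_name}.pem with the
# root-issued certificate; the key written in step 1 is kept.
cfssl sign \
  -ca="${root_name}.pem" -ca-key="${root_name}-key.pem" \
  -config="$config_file" -profile=the_intermediate \
  "${intermdt_name}.csr" | cfssljson -bare "$intermdt_name"

# Server certificate for localhost / 127.0.0.1, issued by the intermediate.
# Clients that trust only root.pem also need intermediate.pem presented in
# the server's chain to validate it.
cfssl gencert \
  -ca="${intermdt_name}.pem" -ca-key="${intermdt_name}-key.pem" \
  -config="$config_file" -profile=the_server \
  - << 'SERVERCSR' | cfssljson -bare server
{
"CN": "localhost",
"hosts":[
"127.0.0.1",
"localhost"
],
"key": {
"algo": "rsa",
"size": 2048
}
}
SERVERCSR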