Generates a certificate for use in app-only authentication scenarios with Office 365 / Azure AD
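#!/bin/bash
# Generates a self-signed X.509 certificate and RSA private key for app-only
# authentication against Azure AD / Office 365, and prints the values that go
# into the app registration's keyCredentials entry (customKeyIdentifier,
# value, keyId).
#
# Requires: openssl, uuidgen, xxd, base64 and a cert-config.cnf in the current
#           directory (passed to `openssl req -config`).
# Outputs:  certificate.cer and private-key.pem in the current directory; the
#           keyCredentials JSON, private key, certificate and SHA-1 fingerprint
#           on stdout (the private key is part of stdout by design).
set -euo pipefail

readonly CERTFILE=certificate.cer
readonly PRIVATEKEYFILE=private-key.pem
readonly CONFIGFILE=cert-config.cnf
readonly DAYS=1095

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail early with a clear message instead of halfway through generation.
for tool in openssl uuidgen xxd base64; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done
[[ -f "$CONFIGFILE" ]] || die "missing OpenSSL config: $CONFIGFILE"

printf '\nGenerated certificate will have an expiry of %s days [%s years] from today.\n\n' \
  "$DAYS" "$((DAYS / 365))"

# The private key is written unencrypted (-nodes); restrict the key file to
# the owner at creation time rather than relying on the caller's umask.
umask 077
# -sha256 is the certificate *signature* digest (SHA-1 signatures are
# deprecated). The SHA-1 *thumbprint* computed below is a separate identifier
# that Azure AD uses for customKeyIdentifier and is unaffected by this choice.
openssl req -x509 -newkey rsa:2048 -sha256 \
  -keyout "$PRIVATEKEYFILE" -out "$CERTFILE" -nodes \
  -set_serial 1 -days "$DAYS" -config "$CONFIGFILE"

# get certificate and private key
CERT=$(<"$CERTFILE")
PRV=$(<"$PRIVATEKEYFILE")

# generate keyId (lower-case UUID)
UUID=$(uuidgen | tr '[:upper:]' '[:lower:]')

# SHA-1 certificate thumbprint as 40 lower-case hex characters.
# Strip everything up to and including '=' so both "SHA1 Fingerprint=" and
# "sha1 Fingerprint=" output styles are handled, then drop the colons.
FP=$(openssl x509 -in "$CERTFILE" -fingerprint -sha1 -noout \
  | sed -e 's/^[^=]*=//' -e 's/://g' | tr '[:upper:]' '[:lower:]')
[[ "$FP" =~ ^[0-9a-f]{40}$ ]] || die "unexpected fingerprint format: $FP"

# customKeyIdentifier: thumbprint bytes (hex -> raw -> base64)
CKI=$(printf '%s' "$FP" | xxd -r -p | base64 | tr -d '\n')

# one-line PEM body without the BEGIN/END markers (the "value" field);
# CR/LF are stripped so a CRLF-encoded file produces the same result.
PEMOL=$(sed -E -e '/^-----(BEGIN|END) CERTIFICATE-----/d' "$CERTFILE" | tr -d '\r\n')

# Output uses printf rather than `echo -e` so escape handling is portable.
printf '\n'
printf '\033[0mKey Credentials:\n\033[32m{\n'
printf '\t"customKeyIdentifier": "%s",\n' "$CKI"
printf '\t"value": "%s",\n' "$PEMOL"
printf '\t"keyId": "%s",\n' "$UUID"
printf '\t"usage": "Verify",\n'
# last member carries no trailing comma so the snippet is valid JSON
printf '\t"type": "AsymmetricX509Cert"\n'
printf '} \033[0m\n\n'
printf '\033[0mPrivate Key:\n\033[32m%s \033[0m\n\n' "$PRV"
printf '\033[0mCertificate:\n\033[32m%s \033[0m\n\n' "$CERT"
printf '\033[0mCertificate Fingerprint:\n\033[32m%s \033[0m\n\n' "$FP"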
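# OpenSSL request/certificate configuration consumed by
# `openssl req -x509 ... -config cert-config.cnf`.
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = usr_cert

# Subject of the certificate; adjust to your organisation.
[ req_distinguished_name ]
C=GB
ST=Lancashire
L=Manchester
O=Company Name
OU=Company Name UK
CN=Purpose

# Extensions applied to the self-signed certificate (the -x509 path).
# This is an end-entity credential used to sign client assertions, so it is
# not a CA and only needs digitalSignature / clientAuth; CA:true, keyCertSign,
# the legacy nsCertType list and the broad extendedKeyUsage set are not needed.
[ usr_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash

# Extensions for a CSR when -x509 is omitted; kept identical to usr_cert.
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash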