Script for certs generation
#!/bin/bash
# Generate a private CA plus CA-signed server/client certificates with openssl.
# Based on https://docs.docker.com/engine/security/https/
#
# Defaults below may be overridden with -e/--expirationdays and --ca-subj.
EXPIRATIONDAYS='700'
CASUBJSTRING='/C=GB/ST=London/L=London/O=ExampleCompany/OU=IT/CN=example.com/emailAddress=test@example.com'
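#######################################
# Parse the command-line options into the global settings used below.
# Every option takes exactly one value.  An option given without a value is
# a fatal error (the original loop silently dropped it), an unrecognised
# option is reported on stderr and skipped.  -n/--name is accepted as an
# alias of -h/--hostname, as the usage text already promises.
# Globals written: MODE NAME SERVERIP PASSWORD TARGETDIR EXPIRATIONDAYS CASUBJSTRING
# Arguments: the script's "$@"
# Returns:   0; exits 1 on a missing option value
#######################################
parse_args() {
  local opt var
  while (( $# > 0 )); do
    opt="$1"
    case "$opt" in
      -m|--mode)               var=MODE ;;
      -h|--hostname|-n|--name) var=NAME ;;
      -hip|--hostip)           var=SERVERIP ;;
      -pw|--password)          var=PASSWORD ;;
      -t|--targetdir)          var=TARGETDIR ;;
      -e|--expirationdays)     var=EXPIRATIONDAYS ;;
      --ca-subj)               var=CASUBJSTRING ;;
      *)
        printf 'warning: ignoring unknown option %s\n' "$opt" >&2
        shift
        continue
        ;;
    esac
    if (( $# < 2 )); then
      printf 'option %s requires a value\n' "$opt" >&2
      exit 1
    fi
    # printf -v assigns the global named in $var without eval
    printf -v "$var" '%s' "$2"
    shift 2
  done
}
# Nothing below reads the positional parameters, so consuming them inside
# the function (rather than shifting the script's own "$@") changes nothing.
parse_args "$@"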
# Report the effective settings on stdout so a run is self-describing.
# The passphrase is not among them.
printf 'Mode %s\n' "$MODE"
printf 'Host/Clientname %s\n' "$NAME"
printf 'Host IP %s\n' "$SERVERIP"
printf 'Targetdir %s\n' "$TARGETDIR"
printf 'Expiration %s\n' "$EXPIRATIONDAYS"
# Script name as invoked; shown in the usage text
programname=$0
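#######################################
# Print the command-line help to stderr and exit with status 1.
# Globals read: programname
# Returns:   never; exits 1
#######################################
usage() {
  cat >&2 <<EOF
usage: $programname -m ca -h example.de [-hip 1.2.3.4] -pw my-secret -t /target/dir [-e 365]
 -m|--mode 'ca' to create CA, 'server' to create server cert, 'client' to create client cert
 -h|--hostname|-n|--name DNS hostname for the server or name of client
 -hip|--hostip host's IP - default: none
 -pw|--password Password for CA Key generation
   (may also be supplied via the PASSWORD environment variable, which keeps it off the command line)
 -t|--targetdir Targetdir for certfiles and keys
 -e|--expirationdays certificate expiration in days - default: 700 days
 --ca-subj subj string for ca cert - default: Example String...
EOF
  exit 1
}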
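#######################################
# Create the CA: an AES-256 encrypted 4096-bit RSA key (ca-key.pem) and a
# self-signed, SHA-256 signed CA certificate (ca.pem) in TARGETDIR.
# Globals read: TARGETDIR PASSWORD EXPIRATIONDAYS CASUBJSTRING
# Returns:   0; exits 1 if either openssl step fails
#######################################
createCA() {
  local ca_key="$TARGETDIR/ca-key.pem"
  local ca_cert="$TARGETDIR/ca.pem"
  # The passphrase is handed to openssl through the environment (env:) rather
  # than on argv (pass:), so it is not visible in the process list while
  # openssl runs.  umask 077 keeps the key from being group/world readable
  # even in the window before the chmod below.
  ( umask 077 && CA_PASS="$PASSWORD" openssl genrsa -aes256 -passout env:CA_PASS \
      -out "$ca_key" 4096 ) \
    || { printf 'CA key generation failed\n' >&2; exit 1; }
  CA_PASS="$PASSWORD" openssl req -passin env:CA_PASS -new -x509 \
      -days "$EXPIRATIONDAYS" -key "$ca_key" -sha256 -out "$ca_cert" \
      -subj "$CASUBJSTRING" \
    || { printf 'CA certificate generation failed\n' >&2; exit 1; }
  chmod 0400 "$ca_key"
  chmod 0444 "$ca_cert"
}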
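#######################################
# Abort unless both CA files produced by createCA are present in TARGETDIR.
# Globals read: TARGETDIR
# Outputs:   error message on stderr when a file is missing
# Returns:   0 when both exist; exits 1 otherwise
#######################################
checkCAFilesExist() {
  local ca_cert="$TARGETDIR/ca.pem"
  local ca_key="$TARGETDIR/ca-key.pem"
  if [[ ! -f "$ca_cert" || ! -f "$ca_key" ]]; then
    printf '%s\n' "$ca_cert or $ca_key not found. Create CA first with '-m ca'" >&2
    exit 1
  fi
}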
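#######################################
# Create a server key (server-key.pem) and a CA-signed server certificate
# (server-cert.pem) for NAME, with subjectAltName DNS:NAME and, when
# SERVERIP is set, IP:SERVERIP.  The CSR, extfile and CA serial file are
# removed afterwards.
# Globals read: TARGETDIR NAME SERVERIP PASSWORD EXPIRATIONDAYS
# Returns:   0; exits 1 if the CA is missing or an openssl step fails
#######################################
createServerCert() {
  checkCAFilesExist
  local key="$TARGETDIR/server-key.pem"
  local csr="$TARGETDIR/server.csr"
  local ext="$TARGETDIR/extfile.cnf"
  local cert="$TARGETDIR/server-cert.pem"
  # NAME goes into the subject and the SAN unvalidated; a value containing
  # '/' would add extra RDNs to the subject.
  local san="DNS:$NAME"
  if [[ -n $SERVERIP ]]; then
    san+=",IP:$SERVERIP"
  fi
  # umask 077: the private key is never group/world readable, even before chmod
  ( umask 077 && openssl genrsa -out "$key" 4096 ) \
    || { printf 'server key generation failed\n' >&2; exit 1; }
  openssl req -subj "/CN=$NAME" -new -key "$key" -out "$csr" \
    || { printf 'server CSR generation failed\n' >&2; exit 1; }
  # Only the SAN is set here; unlike the client cert, no extendedKeyUsage
  # (e.g. serverAuth) is written, matching the original behaviour.
  printf 'subjectAltName = %s\n' "$san" > "$ext"
  # CA passphrase via env: so it does not appear on openssl's argv
  CA_PASS="$PASSWORD" openssl x509 -passin env:CA_PASS -req -days "$EXPIRATIONDAYS" \
      -in "$csr" -CA "$TARGETDIR/ca.pem" -CAkey "$TARGETDIR/ca-key.pem" \
      -CAcreateserial -out "$cert" -extfile "$ext" \
    || { printf 'server certificate signing failed\n' >&2; exit 1; }
  rm -f -- "$csr" "$ext" "$TARGETDIR/ca.srl"
  chmod 0400 "$key"
  chmod 0444 "$cert"
}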
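#######################################
# Create a client key and a CA-signed client certificate (extendedKeyUsage
# clientAuth) for NAME, stored as client-NAME-key.pem / client-NAME-cert.pem
# in TARGETDIR.  The CSR, extfile and CA serial file are removed afterwards.
# Globals read: TARGETDIR NAME PASSWORD EXPIRATIONDAYS
# Returns:   0; exits 1 if the CA is missing or an openssl step fails
#######################################
createClientCert() {
  checkCAFilesExist
  local key="$TARGETDIR/client-key.pem"
  local csr="$TARGETDIR/client.csr"
  local ext="$TARGETDIR/extfile.cnf"
  local cert="$TARGETDIR/client-cert.pem"
  # NAME is used in both the subject and the final file names; a value
  # containing '/' would break both.
  # umask 077: the private key is never group/world readable, even before chmod
  ( umask 077 && openssl genrsa -out "$key" 4096 ) \
    || { printf 'client key generation failed\n' >&2; exit 1; }
  openssl req -subj "/CN=$NAME" -new -key "$key" -out "$csr" \
    || { printf 'client CSR generation failed\n' >&2; exit 1; }
  printf 'extendedKeyUsage = clientAuth\n' > "$ext"
  # CA passphrase via env: so it does not appear on openssl's argv
  CA_PASS="$PASSWORD" openssl x509 -passin env:CA_PASS -req -days "$EXPIRATIONDAYS" \
      -in "$csr" -CA "$TARGETDIR/ca.pem" -CAkey "$TARGETDIR/ca-key.pem" \
      -CAcreateserial -out "$cert" -extfile "$ext" \
    || { printf 'client certificate signing failed\n' >&2; exit 1; }
  rm -f -- "$csr" "$ext" "$TARGETDIR/ca.srl"
  chmod 0400 "$key"
  chmod 0444 "$cert"
  # Final names carry the client name so several clients can share TARGETDIR
  mv -- "$key" "$TARGETDIR/client-$NAME-key.pem"
  mv -- "$cert" "$TARGETDIR/client-$NAME-cert.pem"
}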
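# Validate the parsed settings, then dispatch on MODE.
# NAME is only optional when creating the CA; PASSWORD and TARGETDIR are
# always required.
if [[ -z $MODE || ($MODE != "ca" && -z $NAME) || -z $PASSWORD || -z $TARGETDIR ]]; then
  usage
fi
# EXPIRATIONDAYS is passed straight to openssl -days; reject non-integers early
if ! [[ $EXPIRATIONDAYS =~ ^[1-9][0-9]*$ ]]; then
  printf 'expiration days must be a positive integer, got %s\n' "$EXPIRATIONDAYS" >&2
  exit 1
fi
mkdir -p -- "$TARGETDIR" \
  || { printf 'cannot create target directory %s\n' "$TARGETDIR" >&2; exit 1; }
case "$MODE" in
  ca)     createCA ;;
  server) createServerCert ;;
  client) createClientCert ;;
  *)      usage ;;
esac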