@sagolubev
Created April 10, 2021 09:41
Script for certificate generation
#!/bin/bash
#see https://docs.docker.com/engine/security/https/
# Default certificate lifetime in days; overridden by -e|--expirationdays.
EXPIRATIONDAYS='700'
# Default subject of the self-signed CA certificate; overridden by --ca-subj.
CASUBJSTRING='/C=GB/ST=London/L=London/O=ExampleCompany/OU=IT/CN=example.com/emailAddress=test@example.com'
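# Parse the command line. Every recognised option takes exactly one value.
# Globals written: MODE, NAME, SERVERIP, PASSWORD, TARGETDIR, EXPIRATIONDAYS, CASUBJSTRING
while (( $# > 0 )); do
  key="$1"
  case "$key" in
    -m|--mode|-h|--hostname|-n|--name|-hip|--hostip|-pw|--password|-t|--targetdir|-e|--expirationdays|--ca-subj)
      # A trailing option without a value used to be dropped silently
      # (the old loop stopped at $# == 1); fail loudly instead.
      # Note that -h is --hostname here, not help.
      if (( $# < 2 )); then
        printf 'option %s requires a value\n' "$key" >&2
        exit 1
      fi
      ;;
  esac
  case "$key" in
    -m|--mode)
      MODE="$2"
      shift
      ;;
    -h|--hostname|-n|--name)
      # -n/--name is the alias the usage text documents
      NAME="$2"
      shift
      ;;
    -hip|--hostip)
      SERVERIP="$2"
      shift
      ;;
    -pw|--password)
      PASSWORD="$2"
      shift
      ;;
    -t|--targetdir)
      TARGETDIR="$2"
      shift
      ;;
    -e|--expirationdays)
      # openssl -days needs a plain integer; reject anything else up front
      if [[ ! "$2" =~ ^[0-9]+$ ]]; then
        printf 'expiration days must be a positive integer, got %s\n' "$2" >&2
        exit 1
      fi
      EXPIRATIONDAYS="$2"
      shift
      ;;
    --ca-subj)
      CASUBJSTRING="$2"
      shift
      ;;
    *)
      # Unknown options were skipped silently before; keep skipping but say so.
      printf 'warning: ignoring unknown option %s\n' "$key" >&2
      ;;
  esac
  shift
done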
# Echo the effective settings so the invocation is visible in the output.
# (PASSWORD and CASUBJSTRING are deliberately not printed here.)
printf 'Mode %s\n' "$MODE"
printf 'Host/Clientname %s\n' "$NAME"
printf 'Host IP %s\n' "$SERVERIP"
printf 'Targetdir %s\n' "$TARGETDIR"
printf 'Expiration %s\n' "$EXPIRATIONDAYS"
# Script name as invoked, used by usage().
programname=$0
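#######################################
# Print the command-line reference to stderr and exit.
# Globals:   programname (read)
# Outputs:   usage text on stderr (diagnostics, not data)
# Returns:   never; exits with status 1
#######################################
function usage {
  cat >&2 <<EOF
usage: $programname -m ca -h example.de [-hip 1.2.3.4] -pw my-secret -t /target/dir [-e 365]
 -m|--mode                 'ca' to create CA, 'server' to create server cert, 'client' to create client cert
 -h|--hostname|-n|--name   DNS hostname for the server or name of client
 -hip|--hostip             host's IP - default: none
 -pw|--password            Passphrase for the CA key (passed as an argument, so it lands in shell history)
 -t|--targetdir            Targetdir for certfiles and keys
 -e|--expirationdays       certificate expiration in days - default: 700 days
 --ca-subj                 subj string for ca cert - default: Example String...
EOF
  exit 1
}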
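#######################################
# Generate an AES-256-encrypted 4096-bit RSA CA key and a self-signed
# CA certificate in $TARGETDIR.
# Globals:   TARGETDIR, PASSWORD, EXPIRATIONDAYS, CASUBJSTRING (read)
# Outputs:   $TARGETDIR/ca-key.pem (0400), $TARGETDIR/ca.pem (0444)
# Returns:   0 on success, 1 if either openssl step fails
#######################################
function createCA {
  local ca_key="$TARGETDIR/ca-key.pem"
  local ca_cert="$TARGETDIR/ca.pem"
  # umask 077 keeps the key unreadable by others from the moment it is
  # written, instead of relying on the chmod that runs afterwards.
  # The passphrase goes through the environment (env:) rather than pass:
  # so it does not appear in process listings.
  ( umask 077 && CA_KEY_PASS="$PASSWORD" openssl genrsa -aes256 -passout env:CA_KEY_PASS \
      -out "$ca_key" 4096 ) || return 1
  CA_KEY_PASS="$PASSWORD" openssl req -passin env:CA_KEY_PASS -new -x509 -days "$EXPIRATIONDAYS" \
    -key "$ca_key" -sha256 -out "$ca_cert" -subj "$CASUBJSTRING" || return 1
  chmod 0400 "$ca_key"
  chmod 0444 "$ca_cert"
}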
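#######################################
# Abort unless both CA files are present in $TARGETDIR.
# Globals:   TARGETDIR (read)
# Outputs:   error message on stderr when a file is missing
# Returns:   0 when both files exist; exits 1 otherwise
#######################################
function checkCAFilesExist {
  local ca_cert="$TARGETDIR/ca.pem"
  local ca_key="$TARGETDIR/ca-key.pem"
  if [[ ! -f "$ca_cert" || ! -f "$ca_key" ]]; then
    # diagnostics go to stderr so they are not mixed into captured output
    printf "%s or %s not found. Create CA first with '-m ca'\n" "$ca_cert" "$ca_key" >&2
    exit 1
  fi
}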
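#######################################
# Issue a server key and a CA-signed certificate for $NAME, with a
# subjectAltName of DNS:$NAME plus IP:$SERVERIP when an IP was given.
# Globals:   TARGETDIR, NAME, SERVERIP, PASSWORD, EXPIRATIONDAYS (read)
# Outputs:   $TARGETDIR/server-key.pem (0400), $TARGETDIR/server-cert.pem (0444)
# Returns:   0 on success, 1 if an openssl step fails;
#            exits 1 via checkCAFilesExist when the CA is missing
#######################################
function createServerCert {
  checkCAFilesExist
  local key="$TARGETDIR/server-key.pem"
  local cert="$TARGETDIR/server-cert.pem"
  local csr="$TARGETDIR/server.csr"
  local extfile="$TARGETDIR/extfile.cnf"
  local ipstring=""
  if [[ -n "$SERVERIP" ]]; then
    ipstring=",IP:$SERVERIP"
  fi
  # umask 077: the private key is never group/world readable, even before the chmod below
  ( umask 077 && openssl genrsa -out "$key" 4096 ) || return 1
  openssl req -subj "/CN=$NAME" -new -key "$key" -out "$csr" || return 1
  printf 'subjectAltName = DNS:%s%s\n' "$NAME" "$ipstring" > "$extfile" || return 1
  # CA passphrase via env: rather than pass: so it is not visible in process listings
  CA_KEY_PASS="$PASSWORD" openssl x509 -passin env:CA_KEY_PASS -req -days "$EXPIRATIONDAYS" \
    -in "$csr" -CA "$TARGETDIR/ca.pem" -CAkey "$TARGETDIR/ca-key.pem" -CAcreateserial \
    -out "$cert" -extfile "$extfile"
  local rc=$?
  # remove the intermediates even when signing failed
  rm -f -- "$csr" "$extfile" "$TARGETDIR/ca.srl"
  (( rc == 0 )) || return 1
  chmod 0400 "$key"
  chmod 0444 "$cert"
}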
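#######################################
# Issue a client key and a CA-signed certificate (extendedKeyUsage =
# clientAuth) for $NAME, written directly under their final names.
# Globals:   TARGETDIR, NAME, PASSWORD, EXPIRATIONDAYS (read)
# Outputs:   $TARGETDIR/client-$NAME-key.pem (0400),
#            $TARGETDIR/client-$NAME-cert.pem (0444)
# Returns:   0 on success, 1 if an openssl step fails;
#            exits 1 via checkCAFilesExist when the CA is missing
#######################################
function createClientCert {
  checkCAFilesExist
  # write straight to the final names instead of creating and renaming
  local key="$TARGETDIR/client-$NAME-key.pem"
  local cert="$TARGETDIR/client-$NAME-cert.pem"
  local csr="$TARGETDIR/client.csr"
  local extfile="$TARGETDIR/extfile.cnf"
  # umask 077: the private key is never group/world readable, even before the chmod below
  ( umask 077 && openssl genrsa -out "$key" 4096 ) || return 1
  openssl req -subj "/CN=$NAME" -new -key "$key" -out "$csr" || return 1
  printf 'extendedKeyUsage = clientAuth\n' > "$extfile" || return 1
  # CA passphrase via env: rather than pass: so it is not visible in process listings
  CA_KEY_PASS="$PASSWORD" openssl x509 -passin env:CA_KEY_PASS -req -days "$EXPIRATIONDAYS" \
    -in "$csr" -CA "$TARGETDIR/ca.pem" -CAkey "$TARGETDIR/ca-key.pem" -CAcreateserial \
    -out "$cert" -extfile "$extfile"
  local rc=$?
  # remove the intermediates even when signing failed
  rm -f -- "$csr" "$extfile" "$TARGETDIR/ca.srl"
  (( rc == 0 )) || return 1
  chmod 0400 "$key"
  chmod 0444 "$cert"
}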
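# Required: a mode, a password and a target dir; a name for every mode but 'ca'.
if [[ -z "$MODE" || ( "$MODE" != "ca" && -z "$NAME" ) || -z "$PASSWORD" || -z "$TARGETDIR" ]]; then
  usage
fi
# Reject an unknown mode before touching the filesystem.
case "$MODE" in
  ca|server|client) ;;
  *) usage ;;
esac
mkdir -p -- "$TARGETDIR" || {
  printf 'cannot create target directory %s\n' "$TARGETDIR" >&2
  exit 1
}
# The script's exit status is that of the selected function.
case "$MODE" in
  ca) createCA ;;
  server) createServerCert ;;
  client) createClientCert ;;
esac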