@shokinn
Created May 1, 2019 02:35
Docker CA cert gen helper

Docker CA cert gen helper

Folder structure

.
├── ca-key.pem
├── ca.pem
├── ca.srl
├── gen_client_cert.sh
└── gen_server_cert.sh
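#!/usr/bin/env bash
# gen_client_cert.sh — issue a Docker TLS *client* certificate signed by the
# local CA that lives next to this script (ca.pem / ca-key.pem).
#
# Creates "$SCRIPTPATH/client/" from scratch on every run (an existing
# directory is removed first) containing:
#   key.pem             client private key, 8192-bit RSA, mode 0400
#   client.csr          the CSR (subject /CN=client)
#   extfile-client.cnf  x509v3 extensions: extendedKeyUsage = clientAuth
#   cert.pem            the signed certificate, valid 365 days
#
# Requires openssl on PATH. ca-key.pem is read but never modified; it should
# be readable only by its owner. -CAcreateserial maintains ca.srl next to it.
set -euo pipefail

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Resolve the directory holding this script. "&&" (not ";") so that a failed
# cd cannot silently leave pwd pointing at the caller's directory.
SCRIPTPATH="$( cd "$(dirname "$0")" && pwd -P )" || die "cannot resolve script directory"
readonly SCRIPTPATH
readonly CLIENT_DIR="$SCRIPTPATH/client"
readonly CA_CERT="$SCRIPTPATH/ca.pem"
readonly CA_KEY="$SCRIPTPATH/ca-key.pem"
readonly DAYS=365
readonly KEY_BITS=8192

command -v openssl >/dev/null || die "openssl not found in PATH"
[[ -f "$CA_CERT" ]] || die "CA certificate not found: $CA_CERT"
[[ -f "$CA_KEY" ]]  || die "CA private key not found: $CA_KEY"

# Delete client dir if it exists. ${SCRIPTPATH:?} makes rm refuse to run should
# SCRIPTPATH ever be empty (the path would otherwise expand to "/client").
if [[ -d "$CLIENT_DIR" ]]; then
  rm -rf -- "${SCRIPTPATH:?}/client"
fi

# Create folder for client keys
mkdir -- "$CLIENT_DIR"
chmod -v 0770 "$CLIENT_DIR"

# Gen client key. The subshell umask makes openssl create the file 0600 instead
# of with the caller's (typically 022) umask, so the key is never readable by
# other users even for the instant before the chmod below narrows it to 0400.
( umask 077 && openssl genrsa -out "$CLIENT_DIR/key.pem" "$KEY_BITS" )
chmod -v 0400 "$CLIENT_DIR/key.pem"

# Gen csr
openssl req -subj '/CN=client' -sha256 -new \
  -key "$CLIENT_DIR/key.pem" \
  -out "$CLIENT_DIR/client.csr"

# Create new extfile: restrict the certificate to client authentication so it
# cannot be presented as a server certificate.
printf 'extendedKeyUsage = clientAuth\n' > "$CLIENT_DIR/extfile-client.cnf"

# Generate the signed certificate
openssl x509 -req -days "$DAYS" -sha256 \
  -in "$CLIENT_DIR/client.csr" \
  -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
  -out "$CLIENT_DIR/cert.pem" \
  -extfile "$CLIENT_DIR/extfile-client.cnf"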
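#!/usr/bin/env bash
# gen_server_cert.sh — issue a Docker TLS *server* certificate signed by the
# local CA that lives next to this script (ca.pem / ca-key.pem).
#
# Prompts interactively for the FQDNs and IPs the daemon will be reached at
# (one per line, or several per line separated by blanks; an empty line ends
# each list). The first FQDN becomes the CN and the output directory name.
#
# Creates "$SCRIPTPATH/<first-fqdn>/" (reused if present) containing:
#   server-key.pem   server private key, 8192-bit RSA, mode 0400
#   server.csr       the CSR (subject /CN=<first-fqdn>)
#   extfile.cnf      x509v3 extensions: subjectAltName (all FQDNs, localhost,
#                    all IPs, 127.0.0.1) and extendedKeyUsage = serverAuth
#   server-cert.pem  the signed certificate, valid 365 days
#
# Requires openssl on PATH. ca-key.pem is read but never modified; it should
# be readable only by its owner. -CAcreateserial maintains ca.srl next to it.
set -euo pipefail

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Join values into a subjectAltName fragment.
# Arguments: $1 - SAN prefix (DNS or IP), $2.. - values
# Outputs:   "PREFIX:v1,PREFIX:v2,..." on stdout; nothing when no values
#######################################
join_san() {
  local prefix=$1 out='' v
  shift
  for v in "$@"; do
    out="${out:+$out,}$prefix:$v"
  done
  printf '%s' "$out"
}

# Resolve the directory holding this script. "&&" (not ";") so that a failed
# cd cannot silently leave pwd pointing at the caller's directory.
SCRIPTPATH="$( cd "$(dirname "$0")" && pwd -P )" || die "cannot resolve script directory"
readonly SCRIPTPATH
readonly CA_CERT="$SCRIPTPATH/ca.pem"
readonly CA_KEY="$SCRIPTPATH/ca-key.pem"
readonly DAYS=365
readonly KEY_BITS=8192
# Hostname entries: alnum or '*' first, then alnum/dot/hyphen. This excludes
# '/', ',', blanks and a leading '.' or '-', because the first FQDN is also
# used as a directory name under SCRIPTPATH, as the -subj CN and as a SAN
# list element (',' separates entries, '/' separates -subj fields).
readonly FQDN_RE='^[A-Za-z0-9*][A-Za-z0-9.-]*$'
# IPv4/IPv6 characters only; openssl performs the real syntax check.
readonly IP_RE='^[0-9A-Fa-f.:]+$'

command -v openssl >/dev/null || die "openssl not found in PATH"
[[ -f "$CA_CERT" ]] || die "CA certificate not found: $CA_CERT"
[[ -f "$CA_KEY" ]]  || die "CA private key not found: $CA_KEY"

fqdn_array=()
ip_array=()
words=()

echo "Enter all FQDNs"
echo "Just hit enter if you are finished."
while true; do
  words=()
  read -r -p "FQDN: " -a words || true   # EOF ends the list like an empty line
  (( ${#words[@]} > 0 )) || break
  for word in "${words[@]}"; do
    [[ $word =~ $FQDN_RE ]] || die "invalid FQDN rejected: '$word'"
    fqdn_array+=("$word")
  done
done

echo "Enter all IPs"
echo "Just hit enter if you are finished."
while true; do
  words=()
  read -r -p "IP: " -a words || true   # EOF ends the list like an empty line
  (( ${#words[@]} > 0 )) || break
  for word in "${words[@]}"; do
    [[ $word =~ $IP_RE ]] || die "invalid IP rejected: '$word'"
    ip_array+=("$word")
  done
done

# Without a FQDN the original script would try to use "$SCRIPTPATH/" itself as
# the output directory and an empty CN; refuse instead.
(( ${#fqdn_array[@]} > 0 )) || die "at least one FQDN is required (it becomes the CN and the output directory)"

readonly CN="${fqdn_array[0]}"
readonly SERVER_DIR="$SCRIPTPATH/$CN"

# Create folder for server keys. -p: re-running for the same host is allowed
# and simply regenerates everything inside.
mkdir -p -- "$SERVER_DIR"
chmod -v 0770 "$SERVER_DIR"

# Gen server key. A key left by a previous run is 0400 and could not be
# overwritten in place, so remove it first. The subshell umask makes openssl
# create the new file 0600 instead of with the caller's (typically 022) umask,
# so it is never readable by other users before the chmod narrows it to 0400.
rm -f -- "$SERVER_DIR/server-key.pem"
( umask 077 && openssl genrsa -out "$SERVER_DIR/server-key.pem" "$KEY_BITS" )
chmod -v 0400 "$SERVER_DIR/server-key.pem"

# Gen csr
openssl req -subj "/CN=$CN" -sha256 -new \
  -key "$SERVER_DIR/server-key.pem" \
  -out "$SERVER_DIR/server.csr"

# Build the SAN list: all FQDNs, localhost, all IPs, 127.0.0.1. The IP part is
# only spliced in when non-empty so an empty IP list does not leave an empty
# ",," element that openssl rejects.
san="$(join_san DNS "${fqdn_array[@]}"),DNS:localhost"
# ${ip_array[@]+...} expands to nothing for an empty array, which bash < 4.4
# would otherwise flag as unbound under set -u.
ips=$(join_san IP ${ip_array[@]+"${ip_array[@]}"})
if [[ -n "$ips" ]]; then
  san="$san,$ips"
fi
san="$san,IP:127.0.0.1"

# Create new extfile (overwriting any previous one): the SAN list plus a
# serverAuth EKU so the certificate cannot be presented as a client cert.
printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san" > "$SERVER_DIR/extfile.cnf"

# Generate the signed certificate
openssl x509 -req -days "$DAYS" -sha256 \
  -in "$SERVER_DIR/server.csr" \
  -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
  -out "$SERVER_DIR/server-cert.pem" \
  -extfile "$SERVER_DIR/extfile.cnf"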