.
├── ca-key.pem
├── ca.pem
├── ca.srl
├── gen_client_cert.sh
└── gen_server_cert.sh
Docker CA cert gen helper
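#!/usr/bin/env bash
#
# gen_client_cert.sh - issue a TLS client certificate signed by the local CA.
#
# Expects ca.pem and ca-key.pem next to this script. Recreates ./client/ from
# scratch and writes key.pem (private key), client.csr and cert.pem into it.
#
# Environment:
#   KEY_BITS  - RSA key size passed to openssl genrsa (default 8192)
#   CERT_DAYS - certificate validity in days (default 365)
set -euo pipefail

SCRIPTPATH="$(cd "$(dirname "$0")" && pwd -P)"
readonly SCRIPTPATH
readonly CLIENT_DIR="$SCRIPTPATH/client"
readonly KEY_BITS="${KEY_BITS:-8192}"
readonly CERT_DAYS="${CERT_DAYS:-365}"

# Fail before touching anything if the CA material is missing.
if [[ ! -f "$SCRIPTPATH/ca.pem" || ! -f "$SCRIPTPATH/ca-key.pem" ]]; then
  printf 'ca.pem / ca-key.pem not found in %s\n' "$SCRIPTPATH" >&2
  exit 1
fi

# Delete client dir if exists. ${CLIENT_DIR:?} aborts instead of expanding to
# "/" should the variable ever be empty.
if [[ -d "$CLIENT_DIR" ]]; then
  rm -rf -- "${CLIENT_DIR:?}"
fi

# Create folder for client keys
mkdir -- "$CLIENT_DIR"
chmod -v 0770 "$CLIENT_DIR"

# Gen client key. The umask inside the subshell makes openssl create the file
# without group/other bits, so the key is never readable by others, not even
# in the window before the chmod below.
( umask 077 && openssl genrsa -out "$CLIENT_DIR/key.pem" "$KEY_BITS" )
chmod -v 0400 "$CLIENT_DIR/key.pem"

# Gen csr
openssl req -subj '/CN=client' -new \
  -key "$CLIENT_DIR/key.pem" -out "$CLIENT_DIR/client.csr"

# Create new extfile (only clientAuth, so this cert cannot be used as a server cert)
printf 'extendedKeyUsage = clientAuth\n' > "$CLIENT_DIR/extfile-client.cnf"

# Generate the signed certificate:
openssl x509 -req -days "$CERT_DAYS" -sha256 \
  -in "$CLIENT_DIR/client.csr" \
  -CA "$SCRIPTPATH/ca.pem" -CAkey "$SCRIPTPATH/ca-key.pem" -CAcreateserial \
  -out "$CLIENT_DIR/cert.pem" \
  -extfile "$CLIENT_DIR/extfile-client.cnf"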
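#!/usr/bin/env bash
#
# gen_server_cert.sh - issue a TLS server certificate signed by the local CA.
#
# Prompts for the server's FQDNs and IPs (one per line; an empty line ends
# each list). Expects ca.pem and ca-key.pem next to this script. Creates a
# directory named after the first FQDN and writes server-key.pem, server.csr,
# extfile.cnf and server-cert.pem into it. The subjectAltName lists every
# FQDN and IP entered, plus DNS:localhost and IP:127.0.0.1.
#
# Environment:
#   KEY_BITS  - RSA key size passed to openssl genrsa (default 8192)
#   CERT_DAYS - certificate validity in days (default 365)
set -euo pipefail

SCRIPTPATH="$(cd "$(dirname "$0")" && pwd -P)"
readonly SCRIPTPATH
readonly KEY_BITS="${KEY_BITS:-8192}"
readonly CERT_DAYS="${CERT_DAYS:-365}"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail before touching anything if the CA material is missing.
if [[ ! -f "$SCRIPTPATH/ca.pem" || ! -f "$SCRIPTPATH/ca-key.pem" ]]; then
  die "ca.pem / ca-key.pem not found in $SCRIPTPATH"
fi

# subjectAltName entries, in the order they are written to the extfile.
declare -a san=()
primary=""

echo "Enter all FQDNs"
echo "Just hit enter if you are finished."
while read -r -p "FQDN: " input && [[ -n "$input" ]]; do
  # The first FQDN becomes a directory name under SCRIPTPATH and every name
  # is written into an openssl config line, so reject path separators,
  # whitespace, commas and the "." / ".." entries.
  if [[ "$input" == *[[:space:]/,]* || "$input" == "." || "$input" == ".." ]]; then
    die "invalid FQDN: $input"
  fi
  [[ -n "$primary" ]] || primary="$input"
  san+=("DNS:$input")
done
# Without a first FQDN the original paths would collapse onto SCRIPTPATH itself.
[[ -n "$primary" ]] || die "at least one FQDN is required"
san+=("DNS:localhost")

echo "Enter all IPs"
echo "Just hit enter if you are finished."
while read -r -p "IP: " input && [[ -n "$input" ]]; do
  # A comma or whitespace would corrupt the subjectAltName line.
  if [[ "$input" == *[[:space:],]* ]]; then
    die "invalid IP: $input"
  fi
  san+=("IP:$input")
done
san+=("IP:127.0.0.1")

readonly SERVER_DIR="$SCRIPTPATH/$primary"

# Create folder for server keys. mkdir without -p fails (and set -e aborts)
# when the directory already exists, so an existing server key is never
# silently overwritten.
mkdir -- "$SERVER_DIR"
chmod -v 0770 "$SERVER_DIR"

# Gen server key. The umask inside the subshell makes openssl create the file
# without group/other bits; the chmod afterwards matches gen_client_cert.sh.
( umask 077 && openssl genrsa -out "$SERVER_DIR/server-key.pem" "$KEY_BITS" )
chmod -v 0400 "$SERVER_DIR/server-key.pem"

# Gen csr
openssl req -subj "/CN=$primary" -sha256 -new \
  -key "$SERVER_DIR/server-key.pem" -out "$SERVER_DIR/server.csr"

# Create new extfile (">" replaces any stale one). Entries are joined with
# commas; no empty entry can appear since the IP list is no longer inserted
# as a possibly-empty string.
san_line=$(IFS=,; printf '%s' "${san[*]}")
printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san_line" \
  > "$SERVER_DIR/extfile.cnf"

# Generate the signed certificate:
openssl x509 -req -days "$CERT_DAYS" -sha256 \
  -in "$SERVER_DIR/server.csr" \
  -CA "$SCRIPTPATH/ca.pem" -CAkey "$SCRIPTPATH/ca-key.pem" -CAcreateserial \
  -out "$SERVER_DIR/server-cert.pem" \
  -extfile "$SERVER_DIR/extfile.cnf"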