takuya/strgonswan-create-certs.sh

## strgonswan-create-certs.sh
#!/usr/bin/env bash

function create_ca(){
  #
  ipsec pki --gen > ${CA_KEY}
  ipsec pki --self --in ${CA_KEY} --ca --dn "C=JP, O=strongSwan, CN=${SRV_NAME} CA" > ${CA_CRT}
}
function create_server_crt(){
  #
  ipsec pki --gen > ${SRV_KEY}
  ipsec pki --pub --in ${SRV_KEY} | \
      ipsec pki \
        --issue --cacert ${CA_CRT} \
        --cakey ${CA_KEY} --san ${SRV_NAME} \
        --flag serverAuth --dn "C=JP, O=strongSwan, CN=${SRV_NAME}" > ${SRV_CRT}
}
function create_client_crt(){
  [[ -z $USERNAME ]]  && USERNAME=takuya
  [[ -z $PASSWORD ]]  && PASSWORD=my_own_password

  ipsec pki --gen --outform pem > "${USERNAME}.key.pem"
  ipsec pki --pub --in "${USERNAME}.key.pem" | \
  ipsec pki --issue --cacert $CA_CRT  \
     --cakey $CA_KEY \
     --dn "CN=${USERNAME}" \
     --san "${USERNAME}" \
     --outform pem \
     --flag clientAuth --outform pem  > "${USERNAME}.cert.pem"
  openssl pkcs12 \
    -in "${USERNAME}.cert.pem" \
    -inkey "${USERNAME}.key.pem" \
    -certfile ${CA_CRT} \
    -export \
    -out "${USERNAME}.cert.key.p12" \
    -password "pass:${PASSWORD}"
  openssl x509  -in "${USERNAME}.cert.pem" -noout -text
  openssl pkcs12   -info -nodes -in "${USERNAME}.cert.key.p12" -password "pass:${PASSWORD}"
}

function main(){
  CA_KEY=ca.key
  CA_CRT=ca.crt
  SRV_KEY=server.key
  SRV_CRT=server.crt
  SRV_NAME=s01.lxd
  OUT_PATH=./out
  ##
  [[ -e  ${OUT_PATH} ]] && rm -rf ${OUT_PATH}
  mkdir ${OUT_PATH}
  cd ${OUT_PATH}

  ## ca.crt / 自己認証局作成
  create_ca;
  ## server.crt / サーバー証明書作成
  create_server_crt;
  ## client.crt / クライアント用の証明書作成。
  create_client_crt;
  ### サーバーへの証明書の配置
  ls -alt
  move_files;

  ## 後始末
	cd -
}
function move_files(){

	rm /etc/ipsec.d/cacerts/*
	rm /etc/ipsec.d/certs/*
	rm /etc/ipsec.d/private/*

	cp ${CA_KEY} /etc/ipsec.d/private/
	cp ${CA_CRT} /etc/ipsec.d/cacerts/

	chmod 600 /etc/ipsec.d/private/$CA_KEY
	chmod 600 /etc/ipsec.d/cacerts/$CA_CRT
	chown root:root /etc/ipsec.d/private/$CA_KEY
	chown root:root /etc/ipsec.d/cacerts/$CA_CRT
}

main;
	#!/usr/bin/env bash

	function create_ca(){
	#
	ipsec pki --gen > ${CA_KEY}
	ipsec pki --self --in ${CA_KEY} --ca --dn "C=JP, O=strongSwan, CN=${SRV_NAME} CA" > ${CA_CRT}
	}
	function create_server_crt(){
	#
	ipsec pki --gen > ${SRV_KEY}
	ipsec pki --pub --in ${SRV_KEY} \| \
	ipsec pki \
	--issue --cacert ${CA_CRT} \
	--cakey ${CA_KEY} --san ${SRV_NAME} \
	--flag serverAuth --dn "C=JP, O=strongSwan, CN=${SRV_NAME}" > ${SRV_CRT}
	}
	function create_client_crt(){
	[[ -z $USERNAME ]] && USERNAME=takuya
	[[ -z $PASSWORD ]] && PASSWORD=my_own_password

	ipsec pki --gen --outform pem > "${USERNAME}.key.pem"
	ipsec pki --pub --in "${USERNAME}.key.pem" \| \
	ipsec pki --issue --cacert $CA_CRT \
	--cakey $CA_KEY \
	--dn "CN=${USERNAME}" \
	--san "${USERNAME}" \
	--outform pem \
	--flag clientAuth --outform pem > "${USERNAME}.cert.pem"
	openssl pkcs12 \
	-in "${USERNAME}.cert.pem" \
	-inkey "${USERNAME}.key.pem" \
	-certfile ${CA_CRT} \
	-export \
	-out "${USERNAME}.cert.key.p12" \
	-password "pass:${PASSWORD}"
	openssl x509 -in "${USERNAME}.cert.pem" -noout -text
	openssl pkcs12 -info -nodes -in "${USERNAME}.cert.key.p12" -password "pass:${PASSWORD}"
	}

	function main(){
	CA_KEY=ca.key
	CA_CRT=ca.crt
	SRV_KEY=server.key
	SRV_CRT=server.crt
	SRV_NAME=s01.lxd
	OUT_PATH=./out
	##
	[[ -e ${OUT_PATH} ]] && rm -rf ${OUT_PATH}
	mkdir ${OUT_PATH}
	cd ${OUT_PATH}

	## ca.crt / 自己認証局作成
	create_ca;
	## server.crt / サーバー証明書作成
	create_server_crt;
	## client.crt / クライアント用の証明書作成。
	create_client_crt;
	### サーバーへの証明書の配置
	ls -alt
	move_files;

	## 後始末
	cd -
	}
	function move_files(){

	rm /etc/ipsec.d/cacerts/*
	rm /etc/ipsec.d/certs/*
	rm /etc/ipsec.d/private/*

	cp ${CA_KEY} /etc/ipsec.d/private/
	cp ${CA_CRT} /etc/ipsec.d/cacerts/

	chmod 600 /etc/ipsec.d/private/$CA_KEY
	chmod 600 /etc/ipsec.d/cacerts/$CA_CRT
	chown root:root /etc/ipsec.d/private/$CA_KEY
	chown root:root /etc/ipsec.d/cacerts/$CA_CRT
	}

	main;