#!/usr/bin/env bash
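#######################################
# Create a self-signed CA private key and CA certificate with strongSwan's
# pki tool.
# Globals:   CA_KEY   (read: path the CA private key is written to)
#            CA_CRT   (read: path the CA certificate is written to)
#            SRV_NAME (read: embedded in the CA subject CN)
# Outputs:   nothing on stdout; pki diagnostics go to stderr
# Returns:   0 on success, 1 if a variable is missing or a pki step fails
#######################################
create_ca() {
  if [[ -z ${CA_KEY-} || -z ${CA_CRT-} ]]; then
    printf 'create_ca: CA_KEY and CA_CRT must be set\n' >&2
    return 1
  fi
  # The CA private key must not be created with the default umask (typically
  # world-readable). The subshell keeps umask 077 from leaking to the caller.
  ( umask 077 && ipsec pki --gen > "${CA_KEY}" ) || return 1
  ipsec pki --self --in "${CA_KEY}" --ca \
    --dn "C=JP, O=strongSwan, CN=${SRV_NAME} CA" > "${CA_CRT}" || return 1
}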
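#######################################
# Create the server private key and a CA-signed server certificate
# (serverAuth EKU, SAN = SRV_NAME) with strongSwan's pki tool.
# Globals:   SRV_KEY  (read: path the server private key is written to)
#            SRV_CRT  (read: path the server certificate is written to)
#            CA_KEY, CA_CRT (read: issuing CA key and certificate)
#            SRV_NAME (read: subject CN and SAN)
# Outputs:   nothing on stdout; pki diagnostics go to stderr
# Returns:   0 on success, 1 if a variable is missing or a pki step fails
#######################################
create_server_crt() {
  if [[ -z ${SRV_KEY-} || -z ${SRV_CRT-} || -z ${CA_KEY-} || -z ${CA_CRT-} ]]; then
    printf 'create_server_crt: SRV_KEY, SRV_CRT, CA_KEY and CA_CRT must be set\n' >&2
    return 1
  fi
  # Private key: never world-readable; umask stays confined to the subshell.
  ( umask 077 && ipsec pki --gen > "${SRV_KEY}" ) || return 1
  # pipefail inside the subshell so a failing --pub stage cannot be masked by
  # a successful --issue stage (the file does not enable pipefail globally).
  ( set -o pipefail
    ipsec pki --pub --in "${SRV_KEY}" \
      | ipsec pki --issue --cacert "${CA_CRT}" --cakey "${CA_KEY}" \
          --san "${SRV_NAME}" --flag serverAuth \
          --dn "C=JP, O=strongSwan, CN=${SRV_NAME}" > "${SRV_CRT}" ) || return 1
}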
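#######################################
# Create a client private key, a CA-signed client certificate (clientAuth
# EKU) and a password-protected PKCS#12 bundle for USERNAME, then print the
# certificate and the bundle contents for inspection.
# Globals:   USERNAME (read/written: client name; defaults to "takuya")
#            PASSWORD (read/written: PKCS#12 export password; defaults to
#                      "my_own_password")
#            CA_KEY, CA_CRT (read: issuing CA key and certificate)
# Outputs:   the certificate text and the PKCS#12 info on stdout
# Returns:   0 on success, 1 if any pki/openssl step fails
#######################################
create_client_crt() {
  # Same defaults as before (assigned only when unset or empty).
  # NOTE(review): the default PASSWORD is a fixed placeholder and offers no
  # protection for the bundled private key; a deployment should set it.
  : "${USERNAME:=takuya}"
  : "${PASSWORD:=my_own_password}"
  local key="${USERNAME}.key.pem"
  local crt="${USERNAME}.cert.pem"
  local p12="${USERNAME}.cert.key.p12"
  # Private key: never world-readable; umask stays confined to the subshell.
  ( umask 077 && ipsec pki --gen --outform pem > "${key}" ) || return 1
  # pipefail so a failing --pub stage is not masked; --outform pem given once
  # (the original repeated it).
  ( set -o pipefail
    ipsec pki --pub --in "${key}" \
      | ipsec pki --issue --cacert "${CA_CRT}" --cakey "${CA_KEY}" \
          --dn "CN=${USERNAME}" --san "${USERNAME}" \
          --flag clientAuth --outform pem > "${crt}" ) || return 1
  # The export password is handed to openssl through the environment
  # (-passout env:VAR) instead of argv, so it does not show up in ps / /proc.
  # The bundle contains the private key, so it gets the same 0600 treatment.
  ( umask 077 && PASSWORD="${PASSWORD}" openssl pkcs12 -export \
      -in "${crt}" -inkey "${key}" -certfile "${CA_CRT}" \
      -out "${p12}" -passout env:PASSWORD ) || return 1
  openssl x509 -in "${crt}" -noout -text || return 1
  # -nokeys instead of -nodes: verify the bundle opens with the password
  # without dumping the unencrypted private key to stdout/logs.
  PASSWORD="${PASSWORD}" openssl pkcs12 -info -nokeys -in "${p12}" \
    -passin env:PASSWORD || return 1
}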
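#######################################
# Drive the whole PKI build: recreate the work directory, generate the CA,
# server and client material there, list it, and install it into
# strongSwan's directories.
# Globals:   CA_KEY, CA_CRT, SRV_KEY, SRV_CRT, SRV_NAME, OUT_PATH (written;
#            read by the create_* and move_files helpers)
# Outputs:   directory listing and helper output on stdout
# Returns:   0 on success, 1 as soon as any step fails (no step runs in the
#            wrong directory or on half-built material)
#######################################
main() {
  CA_KEY=ca.key
  CA_CRT=ca.crt
  SRV_KEY=server.key
  SRV_CRT=server.crt
  SRV_NAME=s01.lxd
  OUT_PATH=./out
  ##
  # ":?" aborts instead of running "rm -rf" on an empty path.
  [[ -e ${OUT_PATH} ]] && rm -rf -- "${OUT_PATH:?}"
  # 0700: the work directory holds private keys.
  mkdir -m 700 -- "${OUT_PATH}" || return 1
  # Stop here if cd fails; the helpers below write relative paths and
  # move_files deletes files under /etc/ipsec.d.
  cd "${OUT_PATH}" || return 1
  ## ca.crt / create the self-signed CA
  create_ca || return 1
  ## server.crt / create the server certificate
  create_server_crt || return 1
  ## client.crt / create the client certificate
  create_client_crt || return 1
  ### install the certificates on the server
  ls -alt
  move_files || return 1
  ## back to where we started
  cd - || return 1
}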
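#######################################
# Install the generated material into strongSwan's credential directories,
# replacing whatever was there before.
# Globals:   CA_KEY, CA_CRT, SRV_KEY, SRV_CRT (read: file names relative to
#            the current directory)
#            IPSEC_DIR (read, optional: base directory, default /etc/ipsec.d)
# Outputs:   nothing on stdout
# Returns:   0 on success, 1 if a variable is missing or any file step fails
#######################################
move_files() {
  local ipsec_d=${IPSEC_DIR:-/etc/ipsec.d}
  if [[ -z ${CA_KEY-} || -z ${CA_CRT-} || -z ${SRV_KEY-} || -z ${SRV_CRT-} ]]; then
    printf 'move_files: CA_KEY, CA_CRT, SRV_KEY and SRV_CRT must be set\n' >&2
    return 1
  fi
  # -f: an already-empty directory leaves the glob unmatched; without -f the
  # literal pattern would be passed to rm and reported as an error.
  rm -f -- "${ipsec_d}"/cacerts/* "${ipsec_d}"/certs/* "${ipsec_d}"/private/*
  # Files are copied with a private umask so there is no window where the
  # key is readable before chmod runs below.
  ( umask 077
    cp -- "${CA_KEY}"  "${ipsec_d}/private/" \
      && cp -- "${CA_CRT}"  "${ipsec_d}/cacerts/" \
      && cp -- "${SRV_KEY}" "${ipsec_d}/private/" \
      && cp -- "${SRV_CRT}" "${ipsec_d}/certs/" ) || return 1
  # The server key/cert were not installed before although certs/ was
  # cleared, leaving the daemon without a server certificate; they are now
  # placed where strongSwan looks for them.
  # NOTE(review): the daemon does not need the CA *private* key to operate;
  # keeping it on the gateway (as the original did) widens the blast radius
  # of a host compromise — consider keeping only the CA certificate here.
  chmod 600 -- "${ipsec_d}/private/${CA_KEY}" "${ipsec_d}/private/${SRV_KEY}" \
    "${ipsec_d}/cacerts/${CA_CRT}" || return 1
  chmod 644 -- "${ipsec_d}/certs/${SRV_CRT}" || return 1
  chown root:root -- "${ipsec_d}/private/${CA_KEY}" "${ipsec_d}/private/${SRV_KEY}" \
    "${ipsec_d}/cacerts/${CA_CRT}" "${ipsec_d}/certs/${SRV_CRT}" || return 1
}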
# Entry point: forward the script's arguments so main can use them later.
main "$@"