Script to set up the root and intermediate CA (and export the files the Puppet Enterprise installer needs)
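#!/usr/bin/env bash
#
# Build a two-tier OpenSSL CA (root + "puppet" intermediate) and export the
# files the Puppet Enterprise installer expects for an external CA:
#   cert_bundle.pem - intermediate certificate followed by the root certificate
#   crl_bundle.pem  - the root CRL
#   puppet-ca.key   - the intermediate private key, UNENCRYPTED
#
# Environment (all optional):
#   BASEDIR      where the CA hierarchy is created        (default: /root/ca)
#   INSTALL_DIR  where the installer files are written    (default: /root/puppet_install)
#
# Security notes for the operator:
#   * Both CA keys are encrypted with the *contents* of ${BASEDIR}/passfile.enc:
#     OpenSSL's "-passin/-passout file:" reads the first line of that file and
#     uses it as the passphrase. The password you are prompted for interactively
#     is only used once, to produce passfile.enc; it is never needed again and
#     does NOT protect the keys. Anyone who can read passfile.enc can unlock both
#     CA keys, so treat it like the keys: back it up with them, never edit or
#     regenerate it (it is salted, so it cannot be reproduced).
#   * The script refuses to run on top of an existing CA. Re-running the
#     original version silently overwrote the root key and reset the serial and
#     CRL counters, which destroys the CA and can produce duplicate serials.
#   * The example openssl.cnf files are fetched from pinned gist revisions.
#     Pinning prevents a later edit of the gist from changing CA policy, but the
#     files still come from the network: review them before issuing anything.
#   * Run as root; everything is created owner-only (umask 077).

set -euo pipefail
umask 077   # keys, passphrase file and the exported key must never be group/world readable

readonly BASEDIR="${BASEDIR:-/root/ca}"
readonly INSTALL_DIR="${INSTALL_DIR:-/root/puppet_install}"
readonly ROOTCA="${BASEDIR}/root_ca"
readonly PUPPETCA="${BASEDIR}/puppet"
readonly PASSFILE="${BASEDIR}/passfile.enc"

# Pinned gist revisions (commit hash in the path) of the example configs.
readonly ROOT_CNF_URL="https://gist.githubusercontent.com/tom-krieger/c969f94ac7d179913d52bbec293d6989/raw/e7a3aef270f340de404b057fe8aa0c0e67e4249a/root-openssl.cnf"
readonly INTERMEDIATE_CNF_URL="https://gist.githubusercontent.com/tom-krieger/035daf0bafe797b8c7ed2864be9d13f7/raw/fb85f8186a7f9cfbb54f8354c7d370538c6c8939/intermediate-openssl.cnf"

#######################################
# Print an error to stderr and abort.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print one or more lines framed by rules of '=' as wide as the longest line.
# Arguments: message lines
#######################################
banner() {
  local width=0 line rule
  for line in "$@"; do
    if (( ${#line} > width )); then
      width=${#line}
    fi
  done
  rule=$(printf '%*s' "$width" '' | tr ' ' '=')
  printf '%s\n' "$rule" "$@" "$rule"
}

#######################################
# Create the standard OpenSSL CA layout in a directory and fetch the example
# openssl.cnf if none is present. Counters are only initialised when missing
# so an existing CA's serial / CRL numbers are never reset.
# Arguments:
#   $1 - CA directory
#   $2 - URL of the example openssl.cnf
#   $3 - label used in messages ("root" / "intermediate")
# Outputs: leaves the shell in $1
#######################################
init_ca_dir() {
  local dir=$1 cnf_url=$2 what=$3
  mkdir -p -- "$dir"
  cd -- "$dir" || die "cannot cd to ${dir}"
  mkdir -p certs crl newcerts private csr
  chmod 700 private
  touch index.txt
  [[ -f serial ]] || echo 1000 > serial
  [[ -f crlnumber ]] || echo 1000 > crlnumber
  if [[ ! -f openssl.cnf ]]; then
    echo "downloading example openssl.cnf for ${what} ca file from github gist"
    command -v curl >/dev/null || die "curl is required to download the ${what} openssl.cnf"
    # -f: an HTTP error must fail the script instead of leaving an HTML error
    # page behind as openssl.cnf, which openssl would then try to parse.
    if ! curl -fsS -o openssl.cnf -- "$cnf_url"; then
      rm -f openssl.cnf
      die "download of the ${what} openssl.cnf failed"
    fi
    [[ -s openssl.cnf ]] || die "downloaded ${what} openssl.cnf is empty"
    echo "NOTE: ${dir}/openssl.cnf was fetched from the network - review it before issuing certificates"
  fi
}

command -v openssl >/dev/null || die "openssl is required"

# Never build on top of an existing CA (see the header for why).
if [[ -e "$PASSFILE" || -e "${ROOTCA}/private/cakey.pem" || -e "${PUPPETCA}/private/puppet.cakey.pem" ]]; then
  die "an existing CA was found under ${BASEDIR}; refusing to overwrite keys or the passphrase file"
fi

init_ca_dir "$ROOTCA" "$ROOT_CNF_URL" "root"
init_ca_dir "$PUPPETCA" "$INTERMEDIATE_CNF_URL" "intermediate"

banner "creating encrypted passphrase file " "You need to enter an encryption password twice"
cd -- "$BASEDIR" || die "cannot cd to ${BASEDIR}"
# "your secret" is only a placeholder plaintext. It is encrypted with the
# interactively entered password and the resulting *ciphertext bytes* become the
# passphrase of both CA keys (OpenSSL reads the first line of passfile.enc).
# Neither the placeholder nor the typed password can unlock the keys on their own.
echo "your secret" > passfile
# Prompts twice; a mismatch makes openssl fail and, via set -e, aborts the script.
openssl enc -aes-256-cfb8 -salt -in passfile -out passfile.enc
[[ -s passfile.enc ]] || die "passphrase file was not created"
chmod 0400 passfile passfile.enc

banner "creating the root ca"
cd -- "$ROOTCA" || die "cannot cd to ${ROOTCA}"
openssl genrsa -aes256 \
  -passout "file:${PASSFILE}" \
  -out private/cakey.pem 4096
chmod 400 private/cakey.pem
# -sha256 is explicit so the root certificate does not depend on the default
# digest of the installed OpenSSL version (older releases defaulted to SHA-1).
openssl req -config openssl.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
  -passin "file:${PASSFILE}" \
  -key private/cakey.pem \
  -out certs/cacert.pem
openssl ca -config openssl.cnf \
  -passin "file:${PASSFILE}" \
  -gencrl -out crl/crl.pem

banner "creating the intermediate ca"
cd -- "$PUPPETCA" || die "cannot cd to ${PUPPETCA}"
openssl genrsa -aes256 \
  -passout "file:${PASSFILE}" \
  -out private/puppet.cakey.pem 4096
chmod 400 private/puppet.cakey.pem
openssl req -config openssl.cnf -new -sha256 \
  -passin "file:${PASSFILE}" \
  -key private/puppet.cakey.pem \
  -out csr/puppet.csr.pem

# The intermediate CSR is signed from the root CA directory with the root's
# config so the v3_intermediate_ca extensions and the root's index/serial apply.
cd -- "$ROOTCA" || die "cannot cd to ${ROOTCA}"
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
  -days 2650 -notext -batch \
  -passin "file:${PASSFILE}" \
  -in "${PUPPETCA}/csr/puppet.csr.pem" \
  -out "${PUPPETCA}/certs/puppet.cacert.pem"
# Fail early if the intermediate does not actually chain to the root we just
# created (e.g. a wrong or edited openssl.cnf).
openssl verify -CAfile certs/cacert.pem "${PUPPETCA}/certs/puppet.cacert.pem" \
  || die "intermediate certificate does not verify against the root certificate"

cd -- "$PUPPETCA" || die "cannot cd to ${PUPPETCA}"
openssl ca -config openssl.cnf \
  -passin "file:${PASSFILE}" \
  -gencrl -out crl/puppet.crl.pem

banner "creating files for Puppet Enterprise installer"
mkdir -p -- "$INSTALL_DIR"
# Chain order: leaf-issuing intermediate first, then the root.
{
  cat "${PUPPETCA}/certs/puppet.cacert.pem"
  echo
  cat "${ROOTCA}/certs/cacert.pem"
  echo
} > "${INSTALL_DIR}/cert_bundle.pem"
# NOTE(review): only the root CRL is bundled, as in the original script; confirm
# against the installer documentation whether the intermediate CRL
# (${PUPPETCA}/crl/puppet.crl.pem) must be included as well.
{
  cat "${ROOTCA}/crl/crl.pem"
  echo
} > "${INSTALL_DIR}/crl_bundle.pem"
# The installer needs the intermediate key without a passphrase. This is the
# most sensitive file this script produces: it is written owner-only and should
# be deleted from disk once the installer has consumed it.
openssl rsa -in "${PUPPETCA}/private/puppet.cakey.pem" \
  -passin "file:${PASSFILE}" \
  -out "${INSTALL_DIR}/puppet-ca.key"
chmod 400 "${INSTALL_DIR}/puppet-ca.key"
echo "done: installer files are in ${INSTALL_DIR}; remove puppet-ca.key after the installation"
exit 0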