j3g
/
pki-bootstrap_pub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
pki-bootstrap_pub/src/pki_bootstrap/libs/pki_funcs_old.sh

156 lines
5.3 KiB
Bash
Raw Blame History

#!/bin/bash
#
# all main functions to generate a PKI certificate chain
#
#
# print text wrapped in a block
#
echo_block() {
echo
echo "***** ***** ***** *****"
echo $1
echo "***** ***** ***** *****"
}
#
# Grab the latest serial # from the file, auto-increment
#
get_serial() {
SERIAL=`head SERIAL`
if [[ -z $SERIAL ]]; then
SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
fi
}
# ***** ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY (CA)
#
# ***** ***** ***** ***** *****
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
generate_ca() {
# params
UNIQ_ID_CA=$1
SERIAL=$2
# encrypt the key
#openssl genrsa -aes256 -out ca.keys.pem 4096
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
}
#
# Create CA Intermediate
#
#
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
generate_ca_i() {
echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
# params
UNIQ_ID_CA=$1
SERIAL=$2
openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config $CA_CNF -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
-key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
# create certifiate chain
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
}
#
# Generate a Server Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
#
generate_server() {
echo_block "Generate Server Certificates (${UNIQ_ID})"
# params
UNIQ_ID=$1
UNIQ_ID_CA=$2
SERIAL=$3
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "server_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Server
openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
-in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
}
#
# Generate a Client Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
#
generate_client() {
echo_block "Generate Client Certificates (${UNIQ_ID})"
# params
UNIQ_ID=$1
UNIQ_ID_CA=$2
SERIAL=$3
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
-out "client_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Client
openssl x509 -req -days 365 \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
-in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
}
#
# give some info if someone tries to execute this
echo_block "this script file has only helper functions"
Reference in New Issue View Git Blame Copy Permalink