-
Notifications
You must be signed in to change notification settings - Fork 8
/
ownca
executable file
·125 lines (106 loc) · 4.21 KB
/
ownca
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
#!/bin/bash -e
OPENSSL_FILE="./openssl.cnf"
write_openssl() {
cat > "$OPENSSL_FILE" <<-OPENSSL
# OpenSSL configuration file.
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
default_bits = 2048
default_md = sha256
serial = \$dir/serial
database = \$dir/certindex.txt
new_certs_dir = \$dir/certs
certificate = \$dir/cacert.crt
private_key = \$dir/private/cakey.crt
default_days = 365
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_md = sha256
default_keyfile = key.crt # name of generated keys
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = \$ENV::CERT_HOST
OPENSSL
}
ACTION="$1"
if [[ $ACTION == "ca" ]] ; then
SUBJECT="${2:-/CN=OwnCA}"
touch certindex.txt
mkdir -p certs/
mkdir -p private/
if [[ ! -f "$OPENSSL_FILE" ]] ; then
write_openssl
fi
export CERT_HOST=""
openssl req -batch -new -x509 \
-config "$OPENSSL_FILE" \
-subj "$SUBJECT" -extensions v3_ca -nodes \
-keyout private/cakey.crt \
-out cacert.crt -days 3650
elif [[ $ACTION == "cert" ]] ; then
export CERT_HOST="$2"
if [[ -z $CERT_HOST ]] ; then
echo "Usage: $0 cert HOSTNAME"
exit 1
fi
if [[ ! -e private/cakey.crt ]] ; then
echo "First generate a CA using $0 ca"
exit 2
fi
mkdir "$CERT_HOST"
openssl req -batch -new -nodes \
-config "$OPENSSL_FILE" \
-subj "/CN=$CERT_HOST" \
-out "./$CERT_HOST/$CERT_HOST.req" \
-keyout "./$CERT_HOST/$CERT_HOST.key"
openssl ca -batch -create_serial \
-config "$OPENSSL_FILE" \
-in "./$CERT_HOST/$CERT_HOST.req" \
-out "./$CERT_HOST/$CERT_HOST.crt"
else
echo "Usage: $0 ca [SUBJECT]"
echo "Usage: $0 cert HOSTNAME"
exit 1
fi