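#!/bin/bash
# 02-issue-server-cert.sh — issue a TLS server certificate signed by a local CA.
#
# Usage: 02-issue-server-cert.sh <CA_NAME>
#   <CA_NAME>.pem  CA certificate
#   <CA_NAME>.key  CA private key
#   Both are resolved relative to this script's directory (the script cd's there).
#
# Environment (all optional):
#   ALG                     rsa (default) | ec | ecc | dsa — server key algorithm
#   TLS_DN_C, TLS_DN_ST, TLS_DN_L, TLS_DN_O, TLS_DN_OU
#                           subject DN fields (defaults below)
#   TLS_SERVER_COMMON_NAME  subject CN (default: localhost); also used as the
#                           SAN DNS name unless TLS_SERVER_DNS is given
#   TLS_SERVER_DNS          comma-separated DNS SANs (replaces the CN-derived one)
#   TLS_SERVER_IP           comma-separated IP SANs
#   TLS_SERVER_DAYS         validity period in days (default: 3650)
#
# Outputs, in this script's directory: server.key (mode 0600), server.pem,
# the generated openssl config file "config", and a freshly reset ca/
# database directory. The CSR is removed after signing.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ -z "${1:-}" ]]; then
  {
    echo "Usage: $0 <CA_NAME>"
    echo "<CA_NAME> is the name of the CA cert files"
    echo "There should be a <CA_NAME>.pem for the CA certificate"
    echo "and a <CA_NAME>.key for the private key"
    echo "Set ALG=rsa|ec|dsa to choose the server key algorithm (default: rsa)"
  } >&2
  exit 1
fi

echo "Issuing server certificate"
ISSUER_CA="${1}"
cd "$(dirname -- "$0")" || die "cannot cd to script directory"

# Fail before anything is written or wiped if the CA material is not where
# the config below expects it (paths are relative to the script directory).
[[ -f "${ISSUER_CA}.pem" ]] || die "CA certificate not found: ${ISSUER_CA}.pem"
[[ -f "${ISSUER_CA}.key" ]] || die "CA private key not found: ${ISSUER_CA}.key"

# ALG was previously referenced unguarded under 'set -u', so an unset ALG
# aborted with "unbound variable" instead of a usage error. Default to rsa
# and validate up front, before the ca/ database is reset.
ALG="${ALG:-rsa}"
case "$ALG" in
  rsa|ec|ecc|dsa) ;;
  *)
    echo "Unknown algorithm: $ALG" >&2
    exit 1
    ;;
esac

DN_C="${TLS_DN_C:-SE}"
DN_ST="${TLS_DN_ST:-Stockholm}"
DN_L="${TLS_DN_L:-Stockholm}"
DN_O="${TLS_DN_O:-MyOrgName}"
DN_OU="${TLS_DN_OU:-MyService}"
DN_CN="${TLS_SERVER_COMMON_NAME:-localhost}"
# NOTE(review): 10 years is a very long lifetime for a server certificate;
# override with TLS_SERVER_DAYS for anything beyond local development.
DAYS="${TLS_SERVER_DAYS:-3650}"

# Build the [alt_names] section. DNS names default to the CN; TLS_SERVER_DNS
# replaces that default (it does not add to it, matching the original
# behaviour). Both DNS and IP lists accept comma-separated values, emitted
# as DNS.n / IP.n entries which openssl treats the same as bare DNS/IP.
alt_names=""
if [[ -n "${TLS_SERVER_DNS:-}" ]]; then
  IFS=',' read -r -a dns_names <<< "$TLS_SERVER_DNS"
else
  dns_names=("$DN_CN")
fi
n=0
for name in "${dns_names[@]}"; do
  name="${name//[[:space:]]/}"   # hostnames never contain whitespace
  [[ -n "$name" ]] || continue
  n=$((n + 1))
  alt_names+="DNS.${n} = ${name}"$'\n'
done
if [[ -n "${TLS_SERVER_IP:-}" ]]; then
  IFS=',' read -r -a ip_names <<< "$TLS_SERVER_IP"
  n=0
  for ip in "${ip_names[@]}"; do
    ip="${ip//[[:space:]]/}"
    [[ -n "$ip" ]] || continue
    n=$((n + 1))
    alt_names+="IP.${n} = ${ip}"$'\n'
  done
fi
[[ -n "$alt_names" ]] || die "no subjectAltName entries could be built from TLS_SERVER_DNS / TLS_SERVER_IP"

# openssl one-liners do not support request extensions well, hence a config
# file. The same [req_ext] section is used for the CSR and, via
# '-extensions req_ext' below, for the issued certificate; together with
# 'copy_extensions = none' the CA never trusts extensions carried in a CSR.
# basicConstraints CA:FALSE is set explicitly so the leaf can never be
# mistaken for an issuing certificate.
cat <<EOF > config
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = $DN_C
ST = $DN_ST
L = $DN_L
O = $DN_O
OU = $DN_OU
CN = $DN_CN
[req_ext]
basicConstraints = critical, CA:FALSE
subjectAltName = @alt_names
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[alt_names]
${alt_names}
[ca]
default_ca = DEFAULT_CA
[DEFAULT_CA]
dir = ./ca
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = ${ISSUER_CA}.pem
private_key = ${ISSUER_CA}.key
serial = \$dir/serial
default_days = ${DAYS}
default_crl_days= 30
default_md = sha256
policy = cert_policy
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
copy_extensions = none
[ cert_policy ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
EOF

# The CA database is reset on every run (presumably so a re-run for the same
# subject is not rejected as a duplicate; also note this discards any record
# of previously issued certificates, so there is no revocation history).
# Because the database never persists, the serial is drawn at random instead
# of from the clock: a timestamp repeats when two certificates are issued in
# the same second, and RFC 5280 requires serials to be unique per issuer.
mkdir -p ca
rm -f -- ./ca/*
: > ca/index.txt
: > ca/index.txt.attr
openssl rand -hex 16 > ca/serial

# Generate the server key. The original passed '-newkey <alg>' together
# with '-key server.key' to 'openssl req'; with '-key' present the newkey
# parameters are ignored (and in the ec branch they even named a different
# curve), so the request now simply uses '-new -key'.
case "$ALG" in
  rsa)
    openssl genrsa -out server.key 2048
    ;;
  ec|ecc)
    openssl ecparam -name prime256v1 -genkey -noout -out server.key
    ;;
  dsa)
    # NOTE(review): DSA is not usable with TLS 1.3 and is widely deprecated;
    # kept only for compatibility with callers that request it.
    openssl gendsa -out server.key <(openssl dsaparam 2048)
    ;;
esac
# Belt-and-braces: do not rely on openssl's file mode for the private key.
chmod 600 server.key

openssl req -new -key server.key -out server.csr -config ./config
openssl ca -notext -batch -out server.pem -config config -extensions req_ext -infiles server.csr
rm -f server.csr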