#!/bin/bash -e
#Script by Sam Gleske
#Tue Jan 26 17:21:21 PST 2016
#Ubuntu 16.04.1 LTS
#Linux 4.4.0-51-generic x86_64
#GNU bash, version 4.3.46(1)-release (x86_64-pc-linux-gnu)
#Setup script has been adapted from instructions
#http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
#https://docs.docker.com/engine/security/https/
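# The -e in the shebang is lost when the script is started as
# `bash server_cert.sh`, so request it again explicitly here.
set -e

# Optional per-directory overrides for the variables below.
# NOTE: this executes whatever shell code is in ./.env, so only run the
# script from a directory you control.
if [ -f .env ]; then
  # shellcheck source=/dev/null
  source .env
fi

# Directory holding the CA (openssl.cnf, private/, certs/, newcerts/).
# A trailing slash is stripped so the relative paths used later join cleanly.
CERT_DIR="${CERT_DIR:-./myCA}"
CERT_DIR="${CERT_DIR%/}"

# Extra options passed to `openssl req`. The default -nodes writes the server
# private key unencrypted; it is protected by file permissions only.
REQ_OPTS="${REQ_OPTS:--batch -nodes}"

# Validity of the issued server certificate in days (default about 13 months).
SERVER_EXPIRE_DAYS="${SERVER_EXPIRE_DAYS:-397}"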
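# Print the command-line help to stdout (callers redirect it to stderr).
# Reads $0 for the script name; writes nothing else.
function usage() {
cat <<EOF
$0 [OPTIONS] common-name

DESCRIPTION:
  Generate SSL SAN server certificates for a local CA. Where the common-name is
  typically a domain name.

OPTIONS:
  -h,--help    show help
  --ip-alts    One or more ip addresses as the following argument (space
               separated). They will be used as subject alternative names.
  --dns-alts   One or more domain names as the following argument (space
               separated). They will be used as subject alternative names.
  --localhost  Include loopback hostname and IP addresses as part of the
               signed certificate. localhost, IPv4 127.0.0.1, and IPv6 ::1.
  --auth       Mark the certificate for TLS server authentication: adds a
               critical keyUsage extension and a critical
               extendedKeyUsage=serverAuth extension.

EXAMPLES:
  Generate a basic certificate using DNS only.
    $0 example.com
  Generate a more advanced certificate allowing auth to happen over multiple
  domains as well as via IP.
    $0 example.com --dns-alts "a.example.com b.example.com" --ip-alts "10.0.0.1"
EOF
}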
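#common name
server=""
dns_alts=""
ip_alts=""
use_localhost=false
enable_auth=false

# Reject a name that cannot be safely interpolated where this script uses it:
# file paths under CERT_DIR, the `-subj` string and the subjectAltName line of
# the generated OpenSSL extension config. A '/' would escape the CA directory
# or inject extra subject fields; a ',' or newline would inject extra SAN
# entries. Allowed characters: letters, digits, '.', '-', '_', ':' (IPv6) and
# '*' (wildcard names). Internationalised names must be given in punycode.
# This is an injection guard, not a hostname/IP format validator.
# Arguments: $1 - description of the value (for the error message)
#            $2 - the value to check
function check_name() {
  case "$2" in
    ''|*[!A-Za-z0-9._:*-]*)
      echo "Error: invalid $1 '$2' (allowed: letters, digits, '.', '-', '_', ':', '*')." 1>&2
      exit 1
      ;;
  esac
}

while [ "$#" -gt '0' ]; do
  case "$1" in
    -h|--help)
      usage 1>&2
      exit 1
      ;;
    --localhost)
      use_localhost=true
      shift
      ;;
    --auth)
      enable_auth=true
      shift
      ;;
    --ip-alts|--dns-alts)
      # Both options take exactly one (space separated) argument. Without
      # this check a trailing option read an empty value and the final
      # `shift` failed silently under -e.
      if [ "$#" -lt 2 ]; then
        echo "Error: $1 requires an argument." 1>&2
        usage 1>&2
        exit 1
      fi
      if [ "$1" = "--ip-alts" ]; then
        ip_alts="$2"
      else
        dns_alts="$2"
      fi
      shift 2
      ;;
    -*)
      # Previously an unknown option was silently taken as the common name.
      echo "Error: unknown option '$1'." 1>&2
      usage 1>&2
      exit 1
      ;;
    *)
      # The single bare argument is the common name. A second one is most
      # likely an unquoted alt-name list; silently dropping it would issue a
      # certificate missing that name, so fail instead.
      if [ -n "${server}" ]; then
        echo "Error: unexpected extra argument '$1' (quote alt-name lists)." 1>&2
        usage 1>&2
        exit 1
      fi
      server="$1"
      shift
      ;;
  esac
done

if [ -z "$server" ];then
  echo "Error: missing common-name which is typically a DNS name." 1>&2
  usage 1>&2
  exit 1
fi

# Validate everything that ends up in file names, -subj or the SAN list.
check_name "common-name" "${server}"
# Word-splitting on the unquoted lists is intentional (space separated input).
for x in ${dns_alts}; do
  check_name "DNS alternative name" "${x}"
done
for x in ${ip_alts}; do
  check_name "IP alternative name" "${x}"
done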
# Assemble the subjectAltName value for the OpenSSL extension file. The common
# name itself is always listed as a DNS entry; --localhost adds the loopback
# host name and both loopback addresses; --dns-alts/--ip-alts append their
# (space separated) entries in the order given.
san_dns="DNS:${server}"
san_ip=""
if ${use_localhost}; then
  san_dns="${san_dns},DNS:localhost"
  san_ip="IP:127.0.0.1,IP:::1"   # ::1 is the IPv6 loopback address
fi
# Word-splitting on the unquoted variables is intentional here.
for entry in ${ip_alts}; do
  san_ip="${san_ip:+${san_ip},}IP:${entry}"
done
for entry in ${dns_alts}; do
  san_dns="${san_dns},DNS:${entry}"
done
# DNS entries first, then IP entries; no trailing comma when there are no IPs.
all_alts="${san_dns}${san_ip:+,${san_ip}}"

# Extension section handed to `openssl ca -extfile`: an end-entity (non-CA)
# certificate with subject/authority key identifiers and the SANs built above.
opensslcnf="basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = ${all_alts}"
# --auth additionally pins the key usage and marks the certificate for TLS
# server authentication; both extensions are flagged critical.
# NOTE(review): keyAgreement is meaningful for (EC)DH keys, not for the RSA
# key this script generates, so it is probably a no-op here — confirm before
# relying on it.
if [[ "${enable_auth}" == true ]]; then
  opensslcnf="${opensslcnf}
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=critical,serverAuth
"
fi
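# Work inside the CA directory; every path below is relative to it.
cd "${CERT_DIR}" || exit 1

# Refuse to reissue while a certificate for this name is still on file; the
# operator must revoke it first (see the printed hint).
if [ -e "certs/${server}.crt" ]; then
  echo "Server certificate exists. Must revoke existing certificate." 1>&2
  echo "revoke_cert.sh ${server}" 1>&2
  exit 1
fi

# Create the private key and CSR. openssl writes the key with the process
# umask, so tighten it in a subshell for this step only: the key then never
# exists with group/world-readable bits, not even briefly before the chmod
# below. (The CSR also ends up 0600, which is harmless.)
# REQ_OPTS is intentionally unquoted: it holds several separate options.
# shellcheck disable=SC2086
( umask 077
  openssl req -config openssl.cnf -new -newkey rsa:4096 -sha256 \
    -keyout "private/${server}.key" -subj "/CN=${server}" \
    -text -out "newcerts/${server}.csr" ${REQ_OPTS} ) || exit 1

# Sign the CSR with the CA, applying the extension section built above.
openssl ca -config openssl.cnf -extfile <( printf '%s\n' "${opensslcnf}" ) \
  -in "newcerts/${server}.csr" -out "certs/${server}.crt" \
  -days "${SERVER_EXPIRE_DAYS}" -batch

# Final permissions: key readable by its owner only, certificate is public.
chmod 0600 "private/${server}.key"
chmod 0644 "certs/${server}.crt"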