#!/bin/bash -x


# licence : GPL v2
# copyright : 8d technologies, xavier renaut


#  /etc/ssl/ca/ca
# usage : 
# 
# /etc/ssl/8D/www.8d.com :
# cert_client_create.sh www.8d.com /etc/ssl/8D/8Dcacert
# cert_client_create.sh lsacaut.jason.jala.stunnel /etc/ssl/8D/jason.holo.8d.com/jason.holo.8d.com

# cert_client_create.sh -c "svn.cn.blah.com" svn.test /tmp/cert-tests/catest
# cert_client_create.sh -c "svn cn blah" -m "xavier@natch" svn.test /tmp/cert-tests/catest

# request only, no signing :
# cert_client_create.sh -r support.8d.com 

# sign a csr :  i=as1-2;pc=/etc/ssl/8D/8Dcacert; openssl x509 -req -sha256 -days 6600 -CAserial $pc.srl -CA $pc.pem -CAkey $pc.key -in $i.csr -out $i.crt
# see /etc/ssl/8D/equinox/ilos/get-and-sign.sh



# -s for server extensions # just for fun. is good to tell. adds serial id's
# -c override the CN of the subject (defaults to the first positional argument)
# -p password file for p12

# server is a section of /etc/ssl/openssl.cnf

# Defaults. The signing step reads the "server" section of /etc/ssl/openssl.cnf
# unless -e selects another section or -n drops the options altogether.
extensions="-extensions server"
extfile="-extfile /etc/ssl/openssl.cnf"

# validity of the signed certificate in days (-y <years> overrides it)
days="3650"

# RSA key size in bits for the generated client key
size="4096"

# set to 1 by -r: only produce key + csr, do not sign
request="0"

# emailAddress in the certificate subject (-m overrides it)
mail_address="sysadmin.sslcerts@8d.com"

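# Option parsing. Each option only sets a variable that the later steps read:
#   -s          use the "server" extensions section when signing
#   -e section  use another section of /etc/ssl/openssl.cnf
#   -n          sign without -extfile/-extensions at all
#   -y years    validity of the signed certificate (stored in $days)
#   -r          request only: stop after key + csr, do not sign
#   -m address  emailAddress in the subject
#   -c cn       CN in the subject (default: first positional argument)
#   -p file     file holding the export password of the .p12
# User-supplied values are printed with printf '%s' so that they are never
# word-split, globbed or interpreted by echo.
while getopts nrse:y:c:m:p: o ; do
  case "$o" in
    s)
      echo "using -extensions server"
      extensions="-extensions server"
      ;;
    y)
      years=$OPTARG
      # the value feeds an arithmetic expansion, where a non-numeric argument
      # would silently evaluate to 0 days of validity
      case "$years" in
        ''|*[!0-9]*)
          printf 'invalid -y value: %s (expected a positive integer)\n' "$years" >&2
          exit 1
          ;;
      esac
      days=$(( years * 365 ))
      printf 'using %s years of validity %s days\n' "$years" "$days"
      ;;
    r)
      request=1
      echo "request only, no signing"
      ;;
    e)
      extensions="-extensions $OPTARG"
      printf 'using %s\n' "$extensions"
      ;;
    m)
      mail_address="$OPTARG"
      printf 'using mail %s\n' "$mail_address"
      ;;
    c)
      # only the CN is overridden; the other RDNs of the subject are fixed
      cn="$OPTARG"
      printf 'using cn %s\n' "$cn"
      ;;
    n)
      printf '\033[0;31m will remove extensions  \033[0m\n'
      remove_extensions=1
      ;;
    p)
      # kept as one string that is deliberately expanded unquoted where it is
      # used, so that it becomes the two words "-password" "file:<path>"
      password_file_p12="-password file:$OPTARG"
      ;;
    *)
      # getopts has already reported the unknown option or missing argument
      echo 'cert_client_create.sh [-nrs] [-e section] [-y years] [-c cn] [-m mail] [-p p12_password_file] (CN|username) [path_certificate/base_name_for_parent_certificate]' >&2
      exit 1
      ;;
  esac
done
shift $((OPTIND - 1))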

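# Positional arguments: $1 is the CN / username and also the base name of every
# generated file ($i.key, $i.csr, $i.crt, ...); $2 is the base path of the
# issuing certificate, only needed when signing (i.e. without -r).
# Usage errors go to stderr and exit 1.
if [ -z "$1" ]; then
  echo 'cert_client_create.sh (CN|username)' >&2
  exit 1
fi

i=$1

# without -c the positional argument is also the CN of the subject
[ -n "$cn" ] || cn=$i

if [ "$request" = "0" ]; then
  if [ -z "$2" ]; then
    echo 'cert_client_create.sh (CN|username) path_certificate/base_name_for_parent_certificate\? ' >&2
    exit 1
  fi
  # path certificate: $pc.pem, $pc.key and $pc.srl are read when signing.
  # With -r this stays empty, nothing is signed in that case.
  pc=$2
fi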

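# Decide which extensions section to sign with: the section selected by -s/-e
# only makes sense when the issuer itself is a CA certificate (CA:TRUE in its
# Basic Constraints); otherwise fall back to the usr_cert section.
# The signing step uses $pc.pem as -CA, so look at that file when no $pc.crt
# exists instead of silently treating the issuer as a non-CA.
# With -r nothing is signed, so the issuer is not inspected at all.
ca_cert="$pc.crt"
[ -f "$ca_cert" ] || ca_cert="$pc.pem"
if [ "$request" = "1" ]; then
  : # request only, $extensions is not used
elif openssl x509 -text -noout -in "$ca_cert" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
then
  printf '\033[0;31m Will use %s \033[0m\n' "$extensions"
else
  extensions="-extensions usr_cert"
  printf '\033[0;31m Will use %s since the issuer is not a CA cert \033[0m\n' "$extensions"
fi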
#pc_basename=$(basename $pc)

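# Subject of the request. $cn and $mail_address come from the command line; a
# "/" in either would start an extra RDN inside the -subj string, so refuse it
# rather than issue a certificate with unexpected fields.
case "$cn$mail_address" in
  */*)
    printf 'CN and mail address must not contain "/": %s %s\n' "$cn" "$mail_address" >&2
    exit 1
    ;;
esac
subject="/C=CA/ST=Quebec/L=Montreal/O=8D Technologies Inc./OU=SysAdmin dpt./CN=$cn/emailAddress=$mail_address/"
# Escape spaces with a backslash (what the former "echo | perl" did) without
# first word-splitting and globbing the value through an unquoted echo.
subject=${subject// /\\ }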

#if [ "$pc_basename" != "8Dcacert" ]

# -n: sign with the openssl.cnf defaults only, i.e. pass neither -extfile nor
# -extensions to openssl x509
if [ "${remove_extensions}" = "1" ]; then
  extensions=
  extfile=
fi

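# -CAcreateserial is only needed the first time this issuer signs something;
# afterwards $pc.srl exists and is reused through -CAserial.
cs=""
[ -f "${pc}.srl" ] || cs='-CAcreateserial'

# Generate the private key under a restrictive umask: with the caller's umask
# $i.key would usually end up world-readable. The subshell keeps the umask
# change local to this command.
( umask 077; openssl genrsa -out "$i.key" "$size" ) &&
# extfile cannot be used
#openssl req $extfile $extensions -subj "$subject" -sha256 -new -key $i.key -out $i.csr &&
openssl req -subj "$subject" -sha256 -new -key "$i.key" -out "$i.csr" &&
# 512-bit DH parameters are far too small to be of any use today, and gendh is
# deprecated in favour of dhparam, which writes the same PEM-encoded parameters.
openssl dhparam -out "$i.dh" 2048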


# -r: stop here, the csr is handed to an external signer
if [ "$request" = "1" ]; then
  echo "end creating csr $i, post to signer now (eg, entrust, verisign, ou godaddy...)"
  exit 0
fi
# -CAcreateserial when there is no serial file yet

#openssl x509 -req -sha1 -days $days $cs -CAserial $pc.srl -CA $pc.crt -CAkey  $pc.key  -in $i.csr -out $i.crt &&
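# Sign the csr with the issuer ($pc.pem + $pc.key). $extfile, $extensions and
# $cs are intentionally unquoted: each is either empty or a "flag value" pair
# that must expand to separate words.
openssl x509 -req $extfile $extensions -sha256 -days "$days" $cs -CAserial "$pc.srl" -CA "$pc.pem" -CAkey "$pc.key" -in "$i.csr" -out "$i.crt" &&
# The .p12 bundles the private key, so write it under a restrictive umask
# (subshell keeps the change local). $password_file_p12 is unquoted for the
# same reason as above: it is empty or "-password file:<path>".
( umask 077; openssl pkcs12 -export -clcerts -in "$i.crt" -inkey "$i.key" -out "$i.p12" $password_file_p12 )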

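# Combined certificate + private key bundle. Only build it when signing actually
# produced $i.crt (otherwise the file would hold nothing but the bare key), and
# write it under a restrictive umask since it embeds the private key.
if [ -f "$i.crt" ]; then
  ( umask 077; cat -- "$i.crt" "$i.key" > "$i.pem" )
else
  printf 'no %s.crt, not writing %s.pem\n' "$i" "$i" >&2
fi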

# http://www.aboveground.cx/~rjmooney/projects/misc/clientcertauth.html

