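#!/usr/bin/env bash
# Generate a throwaway self-signed CA and service certificates for local
# development. Everything is written below ./.certs relative to the current
# working directory, and that directory is wiped on every run.
#
# -e aborts on the first failing command, -u on an unset variable, and
# pipefail makes a pipeline fail when any stage fails.
set -euo pipefail

# Define where to store the generated certs and metadata.
DIR="$(pwd)/.certs"
# Not referenced elsewhere in this file; kept for compatibility.
SERVICES_NAMES=ds-agent
# ${DIR:?} aborts instead of expanding to "/" should DIR ever be empty, and the
# quotes keep a working directory containing spaces from being word-split.
rm -rf -- "${DIR:?}"
mkdir -p -- "$DIR"
# Create the openssl configuration file. This is used for both generating
# the certificate as well as for specifying the extensions. It aims in favor
# of automation, so the DN is encoded and not prompted. The [ alt_names ]
# section is deliberately last: generateCerts appends extra DNS.N entries to it.
cat >"${DIR}/openssl.cnf" <<EOF
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
####################################################################
[ req ]
default_bits = 2048
default_keyfile = tmp/external.key
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = BR
stateOrProvinceName = PB
localityName = Campina Grande
organizationName = HANIoT
organizationalUnitName = HANIoT
commonName = HANIoT CA
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
####################################################################
[ client_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names
####################################################################
[ server_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
####################################################################
[ client_server_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
subjectAltName = @alt_names
####################################################################
[ alt_names ]
IP.1 = 127.0.0.1
DNS.1 = localhost
EOF
# Create the certificate authority (CA). This will be a self-signed CA, and this
# command generates both the private key and the certificate. You may want to
# adjust the number of bits (4096 is a bit more secure, but not supported in all
# places at the time of this publication).
#
# To put a password on the key, remove the -nodes option.
#
# Be sure to update the subject to match your organization.
#
# -subj separates RDNs with "/", not ",": the previous "/O=HANIoT,CN=HANIoT CA"
# produced a CA whose O was the literal string "HANIoT,CN=HANIoT CA" and which
# had no CN at all. openssl's own stderr noise is discarded, so a failure is
# reported explicitly instead of being hidden.
#
# Generate your CA certificate
openssl req -x509 \
  -config "$DIR/openssl.cnf" \
  -nodes -days 3650 \
  -subj "/O=HANIoT/CN=HANIoT CA" \
  -keyout "$DIR/ca.key" \
  -out "$DIR/ca.pem" 2>/dev/null \
  || { printf 'CA generation failed (see %s/openssl.cnf)\n' "$DIR" >&2; exit 1; }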
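#######################################
# Generate a private key and a CA-signed certificate for one service.
# Globals:   DIR (read) - output directory holding ca.pem, ca.key and openssl.cnf
# Arguments:
#   $1 - certificate type: "server", "client" or "client/server"; any other
#        value falls back to the server extensions
#   $2 - value placed in the subject's O= field (the CN is fixed to "HANIoT",
#        so despite the old header this is not the CN). Must not contain "/",
#        which would start another RDN inside -subj.
#   $3 - comma-separated extra DNS subject alternative names (may be empty)
#   $4 - base file name: writes $4_key.pem, $4.csr, $4.cnf and $4_cert.pem
#        under DIR
# Outputs:   key and certificate files under DIR; openssl's stderr is discarded
#            and a one-line diagnostic is printed on failure
# Returns:   0 on success, 1 if any openssl step fails
#######################################
generateCerts() {
  local org="$2"
  local base="$4"
  local ext_type="server_extensions"
  case "$1" in
    client) ext_type="client_extensions" ;;
    client/server) ext_type="client_server_extensions" ;;
  esac

  # Work on a per-call copy of the config. The previous version appended the
  # SAN entries to the shared openssl.cnf and restarted numbering at DNS.2 on
  # every call, so a second certificate inherited the first one's names and
  # ended up with duplicate DNS.N keys. Copying keeps each certificate's SAN
  # list limited to the names it was asked for.
  local extfile="$DIR/${base}.cnf"
  cp -- "$DIR/openssl.cnf" "$extfile"

  # Add Subject Alternative Names. DNS.1 (localhost) already exists in the
  # [ alt_names ] section, so the extra names start at DNS.2. Split on commas
  # and whitespace like the old "sed s/,/ /g" + word-splitting did; empty
  # fields (e.g. from "a,,b") are skipped.
  local -a dns_names=()
  IFS=$', \t' read -r -a dns_names <<<"$3"
  local number=2
  local dns
  for dns in "${dns_names[@]}"; do
    [[ -n "$dns" ]] || continue
    printf 'DNS.%d = %s\n' "$number" "$dns" >>"$extfile"
    number=$((number + 1))
  done

  # Generate the private key. The size is given explicitly because genrsa's
  # default depends on the OpenSSL build (older releases produced 1024-bit
  # keys); 2048 matches default_bits in openssl.cnf.
  openssl genrsa -out "$DIR/${base}_key.pem" 2048 2>/dev/null \
    || { printf 'generateCerts: key generation failed for %s\n' "$base" >&2; return 1; }

  # Generate a CSR using the key just generated. We will give this CSR to our
  # CA to sign. The SANs are not in the CSR; they come from the extfile when
  # the CA signs it.
  openssl req \
    -new -nodes \
    -key "$DIR/${base}_key.pem" \
    -subj "/O=$org/CN=HANIoT" \
    -out "$DIR/${base}.csr" 2>/dev/null \
    || { printf 'generateCerts: CSR generation failed for %s\n' "$base" >&2; return 1; }

  # Sign the CSR with our CA. This will generate a new certificate that is signed
  # by our CA, with the extensions selected by $1 taken from the per-call config.
  openssl x509 \
    -req -days 3650 -in "$DIR/${base}.csr" \
    -CA "$DIR/ca.pem" -CAkey "$DIR/ca.key" -CAcreateserial \
    -out "$DIR/${base}_cert.pem" -extfile "$extfile" \
    -extensions "$ext_type" 2>/dev/null \
    || { printf 'generateCerts: signing failed for %s\n' "$base" >&2; return 1; }

  # Certificates are public; the private key is not. The old chmod 0644 made
  # the service's private key world-readable. A consumer running as another
  # user should get access through file ownership or group, not world-read.
  chmod 0644 "$DIR/ca.pem" "$DIR/${base}_cert.pem"
  chmod 0600 "$DIR/${base}_key.pem"
}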
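# Certificates for service
COUNT=1
SERVICE="ds-agent"
# Not referenced elsewhere in this file; kept for compatibility.
SERVICES_ALT_NAMES_MONGO="mongo,mongo-ds-agent"
# ${SERVICE^^} is the bash 4 upper-case expansion; the shebang already
# requires bash, so this is not a portability concern.
printf '%s - Generating certificates for the "%s" Service...\n' "$COUNT" "${SERVICE^^}"
# The alt-name argument "localhost" repeats the DNS.1 entry already in
# openssl.cnf; it is kept so the generated certificate is unchanged. The fifth
# argument is not read by generateCerts.
generateCerts "server" "$SERVICE" "localhost" "server" "$DIR" # Server
# (Optional) Remove unused files at the moment. Deleting ca.key is deliberate:
# afterwards nothing else can be signed by this CA without re-running the
# script, which regenerates the CA as well. The fixed path is quoted and "--"
# ends option parsing; the globs are left outside the quotes on purpose so they
# still expand, and -f keeps an unmatched pattern from failing under set -e.
rm -f -- "$DIR/ca.key" "$DIR"/*.srl "$DIR"/*.csr "$DIR"/*.cnf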