-
Notifications
You must be signed in to change notification settings - Fork 1
/
CA.generateNewIntermediateCA
executable file
·117 lines (97 loc) · 4.7 KB
/
CA.generateNewIntermediateCA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
#!/bin/bash
#
# this is a script to help generate certificates for use with
# the EAP-TLS module.
#
#################################################################
# #
# Written by Steve Walsh, ACU National #
# and Chris Myers, Grangenet #
# email: stephen.walsh@acu.edu.au #
# email: chris.myers@aarnet.edu.au #
# for the Grangenet/AARNET EduROAM wireless project #
# #
# #
# Substantially modified for eduroam-as-a-Service use #
# by Stefan Winter, stefan.winter@restena.lu #
# #
#################################################################
# #
# Please send bug reports to stephen.walsh@acu.edu.au #
# or to stefan.winter@restena.lu #
# #
#################################################################
Pause() # Define a shell function called Pause
{
echo
echo -n Hit Enter to continue....
read
}
#
#To start, let's finds the path and version of openssl
openssl=$(which openssl)
version=$($openssl version)
currentver=$($openssl version | cut -c 9,11,13)
randomsource=/dev/hwrng
echo -n "Generating random source file ... "
dd if=$randomsource of=settings/random count=2
echo -e ""
echo -e "\t\t##################"
echo -e "\t\tCreating new sub-CA certificate"
echo -e "\t\tname : name-srv"
echo -e "\t\tserver certificate stored as cert-srv.pem"
echo -e "\t\tCA.pl -newreq"
echo -e "\t\tCA.pl -signreq"
echo -e "\t\tYou need to enter a new common name for this section"
echo -e "\t\tWe recommend SITENAME_server_cert"
echo -e "\t\t##################\n"
if [[ "$1" == "" ]]; then
while true; do
echo
echo "Please enter the password for the intermediate CA certificate: "
read PASSWORD
echo "you entered $PASSWORD. Is this correct?(y/n)"
read yn
case $yn in
y* | Y* ) echo "next step.." ; break ;;
[nN]* ) echo "Check your keyboard and try again" ;;
esac
done;
else
PASSWORD=$1
fi
if [[ "$2" != "" ]]; then
KEYARG="-batch -key"
KEY=$2
fi
if [[ "$3" == "" ]]; then
echo
echo "Please enter the path to put the cert into: "
read CERT_PATH;
else
CERT_PATH=$3
fi
if [[ "$4" != "" ]]; then
SUBJ="-subj"
SUBJECT_R="$4 R";
SUBJECT_E="$4 E";
fi
$openssl req -config ./settings/openssl-rsa.cnf -rand ./settings/random -new -newkey rsa:4096 -sha512 -keyout cert-srv-key.pem -out newreq-rsa.pem -days 365 $SUBJ "$SUBJECT_R" -passin pass:$PASSWORD -passout pass:$PASSWORD
$openssl req -config ./settings/openssl-ecdsa.cnf -rand ./settings/random -new -newkey ec:ec-521.param -sha512 -keyout cert-ecsrv-key.pem -out newreq-ecdsa.pem -days 365 $SUBJ "$SUBJECT_E" -passin pass:$PASSWORD -passout pass:$PASSWORD
$openssl ca -keyfile ./ROOT-RSA/private/cakey.pem $KEYARG $KEY -extensions v3_intermediate_ca -config ./settings/openssl-rsa.cnf -policy policy_match -out newcert-rsa.pem -infiles newreq-rsa.pem
$openssl ca -keyfile ./ROOT-ECDSA/private/cakey.pem $KEYARG $KEY -extensions v3_intermediate_ca -config ./settings/openssl-ecdsa.cnf -policy policy_match -out newcert-ecdsa.pem -infiles newreq-ecdsa.pem
$openssl pkcs12 -export -in newcert-rsa.pem -inkey cert-srv-key.pem -out cert-rsa.p12 -clcerts -passin pass:$PASSWORD -passout pass:$PASSWORD
$openssl pkcs12 -in cert-rsa.p12 -out cert-rsa.pem -passin pass:$PASSWORD -passout pass:$PASSWORD
$openssl x509 -inform PEM -outform DER -in cert-rsa.pem -out cert-rsa.der
/bin/mkdir -p ROOT-RSA/certs/$CERT_PATH
/bin/mv cert-rsa.pem cert-srv-key.pem newreq-rsa.pem ROOT-RSA/certs/$CERT_PATH
/bin/mv ROOT-RSA/certs/$CERT_PATH/newreq-rsa.pem ROOT-RSA/certs/$CERT_PATH/cert-rsa.csr
$openssl pkcs12 -export -in newcert-ecdsa.pem -inkey cert-ecsrv-key.pem -out cert-ecdsa.p12 -clcerts -passin pass:$PASSWORD -passout pass:$PASSWORD
$openssl pkcs12 -in cert-ecdsa.p12 -out cert-ecdsa.pem -passin pass:$PASSWORD -passout pass:$PASSWORD
$openssl x509 -inform PEM -outform DER -in cert-ecdsa.pem -out cert-ecdsa.der
/bin/mkdir -p ROOT-ECDSA/certs/$CERT_PATH
/bin/mv cert-ecdsa.pem cert-ecsrv-key.pem newreq-ecdsa.pem ROOT-ECDSA/certs/$CERT_PATH
/bin/mv ROOT-ECDSA/certs/$CERT_PATH/newreq-ecdsa.pem ROOT-ECDSA/certs/$CERT_PATH/cert-ecdsa.csr
echo DONT FORGET TO DELETE THE PRIVATE KEY OUT OF THE CERTS!
/bin/rm new* cert-ecdsa.der cert-ecdsa.p12 cert-rsa.der cert-rsa.p12
echo -e "\n\t\t##################\n"