#!/bin/bash
# gen-ssl.sh: create a self-signed CA, a server certificate, a client
# certificate and a PKCS#12 client keystore inside an existing output directory.
# Usage: gen-ssl.sh <fqdn> <output-dir>
# Abort on the first failing command (openssl, mktemp, rm, ...).
set -e
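log () {
  # Write a progress line to stderr so it never mixes with stdout output
  # (the final 'ls -l' listing goes to stdout).
  # Arguments: the message words, joined by single spaces
  # printf rather than echo so a message beginning with -n/-e is printed verbatim.
  printf '%s\n' "$*" >&2
}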
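print_error () {
  # Report a fatal error on stderr and terminate the whole script with status 1.
  # Arguments: the message words, joined by single spaces
  # printf rather than echo so a message beginning with -n/-e is printed verbatim.
  printf '%s\n' "$*" >&2
  exit 1
}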
print_usage () {
  # Show the command-line synopsis; print_error writes it to stderr and exits 1.
  local synopsis='Usage: gen-ssl-cert-key <fqdn> <output-dir>'
  print_error "${synopsis}"
}
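gen_cert_subject () {
  # Build the OpenSSL "-subj" string for a certificate whose CN is $1.
  # Arguments: $1 - FQDN to place in the CN field
  # Outputs:   the subject line on stdout
  # Exits:     via print_error when the FQDN is empty or contains '/'
  local fqdn="$1"
  [[ -n "${fqdn}" ]] || print_error "FQDN cannot be blank"
  # '/' separates RDN components in -subj syntax, so a value containing one
  # would be parsed as additional subject attributes rather than a single CN.
  [[ "${fqdn}" != */* ]] || print_error "FQDN cannot contain '/': ${fqdn}"
  printf '%s\n' "/C=/ST=/O=/localityName=/CN=${fqdn}/organizationalUnitName=/emailAddress=/"
}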
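main () {
  # Generate a CA, a CA-signed server certificate, a CA-signed client
  # certificate and a PKCS#12 keystore (client cert + key + CA cert) in $2.
  # Arguments: $1 - FQDN used as the CN of the server and client certificates
  #            $2 - existing output directory
  # Globals:   KEYSTORE_PASSWORD (read) - PKCS#12 export password; defaults
  #            to "kspass" when unset or empty
  # Outputs:   progress on stderr, final directory listing on stdout
  # Exits:     non-zero on bad arguments or when any openssl/mktemp step fails
  local fqdn="$1"
  local sslDir="$2"
  [[ -n "${fqdn}" ]] || print_usage
  [[ -d "${sslDir}" ]] || print_error "Directory does not exist: ${sslDir}"

  local caCertFile="${sslDir}/ca.crt"
  local caKeyFile="${sslDir}/ca.key"
  local certFile="${sslDir}/server.crt"
  local keyFile="${sslDir}/server.key"
  local clientCertFile="${sslDir}/client.crt"
  local clientKeyFile="${sslDir}/client.key"
  local pcks12FullKeystoreFile="${sslDir}/fullclient-keystore.p12"
  local ksPass="${KEYSTORE_PASSWORD:-kspass}"
  # Certificates issued by the same CA must carry distinct serial numbers;
  # reusing one serial for server and client confuses caches and validators.
  local serverSerial=01
  local clientSerial=02

  # Declare and assign separately so a failing mktemp is not masked by 'local'.
  local csrFile clientReqFile
  csrFile=$(mktemp) || print_error "mktemp failed"
  clientReqFile=$(mktemp) || print_error "mktemp failed"
  # Remove the temporary CSR files on every exit path, including a failing
  # openssl step under 'set -e'. %q bakes the paths in shell-quoted form.
  trap "rm -f -- $(printf '%q ' "${csrFile}" "${clientReqFile}")" EXIT

  log "Generating CA key"
  openssl genrsa -out "${caKeyFile}" 2048

  log "Generating CA certificate"
  # SHA-256 throughout: SHA-1 signatures are rejected by current TLS clients and JVMs.
  openssl req \
    -sha256 \
    -new \
    -x509 \
    -nodes \
    -days 3650 \
    -subj "$(gen_cert_subject ca.example.com)" \
    -key "${caKeyFile}" \
    -out "${caCertFile}"

  log "Generating private key"
  openssl genrsa -out "${keyFile}" 2048

  log "Generating certificate signing request"
  openssl req \
    -new \
    -batch \
    -sha256 \
    -subj "$(gen_cert_subject "${fqdn}")" \
    -key "${keyFile}" \
    -out "${csrFile}"

  log "Generating X509 certificate"
  # Issue the server certificate from the CA. No -signkey here: combined with
  # -CA, some OpenSSL versions self-sign the certificate with the server key
  # instead, which breaks validation for clients that only trust ca.crt.
  openssl x509 \
    -req \
    -sha256 \
    -set_serial "${serverSerial}" \
    -CA "${caCertFile}" \
    -CAkey "${caKeyFile}" \
    -days 3650 \
    -in "${csrFile}" \
    -out "${certFile}"

  log "Generating client certificate"
  openssl req \
    -batch \
    -newkey rsa:2048 \
    -sha256 \
    -subj "$(gen_cert_subject "${fqdn}")" \
    -nodes \
    -keyout "${clientKeyFile}" \
    -out "${clientReqFile}"
  openssl x509 \
    -req \
    -sha256 \
    -in "${clientReqFile}" \
    -days 3600 \
    -CA "${caCertFile}" \
    -CAkey "${caKeyFile}" \
    -set_serial "${clientSerial}" \
    -out "${clientCertFile}"

  # Full keystore: client cert + key, plus the CA certificate (-certfile) so
  # the same store can serve as the trust anchor for the server certificate.
  log "Generating full client keystore"
  # The export password is handed over via the environment (env:) rather than
  # on the command line, where it would be visible in 'ps' output.
  KS_PASS="${ksPass}" openssl pkcs12 \
    -export \
    -in "${clientCertFile}" \
    -inkey "${clientKeyFile}" \
    -certfile "${caCertFile}" \
    -out "${pcks12FullKeystoreFile}" \
    -name "mysqlAlias" \
    -passout env:KS_PASS

  # Private keys and the keystore are secrets: owner-only regardless of umask.
  chmod 600 "${caKeyFile}" "${keyFile}" "${clientKeyFile}" "${pcks12FullKeystoreFile}"

  log "Generated key file and certificate in: ${sslDir}"
  ls -l "${sslDir}"
}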
# Entry point: pass the script arguments (<fqdn> <output-dir>) straight to main.
main "$@"