#!/usr/bin/env bash
#
# make-cert: create a local CA (once) and issue leaf certificates signed by it.
#
# Usage:  DATA_PATH=/path/to/state ./make-cert <ca-name> [domain ...]
#
# Environment:
#   DATA_PATH       required; directory holding the CA state (serial, database)
#   CERT_PATH       printf template for certificate paths, %s = name
#                   (default: "$DATA_PATH/%s.crt")
#   KEY_PATH        printf template for private-key paths, %s = name
#                   (default: "$DATA_PATH/%s.key")
#   OPENSSL_CONFIG  path of the generated openssl config; its template is the
#                   same path with .conf replaced by .tmpl (default:
#                   ./openssl.conf, i.e. relative to the working directory)
#
# NOTE(review): private keys are written with -nodes (unencrypted); keep
# DATA_PATH readable by the owner only.

# Refuse to run without a state directory before deriving anything from it.
if [[ -z "${DATA_PATH:-}" ]]; then
  printf 'DATA_PATH is required\n' >&2
  exit 1
fi
export DATA_PATH

export CERT_PATH="${CERT_PATH:-"${DATA_PATH}/%s.crt"}"
export KEY_PATH="${KEY_PATH:-"${DATA_PATH}/%s.key"}"
export OPENSSL_CONFIG="${OPENSSL_CONFIG:-./openssl.conf}"

# Certificates are dated from 00:00 UTC of today (UTCTime, two-digit year);
# the template references this as $ENV::START_DATE.
START_DATE="$(TZ=UTC date +"%y%m%d000000Z")"
export START_DATE

# CA database files used by `openssl ca`, referenced from the config template.
export SERIAL_PATH="$DATA_PATH/serial"
export DATABASE_PATH="$DATA_PATH/database"
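# Escape a value for use as the replacement text of a sed `s,pat,repl,g`
# command: backslash and `&` are special in the replacement and `,` is the
# delimiter used below.  A value containing a newline is not escaped; sed then
# rejects the script ("unterminated `s' command"), which is the safe failure.
escape_sed_replacement() {
  printf '%s' "$1" | sed -e 's/[\\&,]/\\&/g'
}

# Render the openssl config from its template.
#
# Arguments:
#   $1 - path of the config to write; the template is read from the same
#        path with the .conf suffix replaced by .tmpl
# Globals (read): SERIAL_PATH, DATABASE_PATH, CA_KEY, CA_CERT, START_DATE,
#        SUBJECT_ALT_NAME - each replaces the matching $ENV::NAME token
# Returns: 1 if the template is missing or unreadable, else sed's status
create_openssl_config() {
  local target=$1
  local source="${target%.conf}.tmpl"
  local serial database ca_key ca_cert start_date san

  # Fail before touching $target: redirecting first would leave an empty
  # config behind when the template is absent.
  if [[ ! -r "$source" ]]; then
    printf 'create_openssl_config: template %s not found\n' "$source" >&2
    return 1
  fi

  # The values come from paths and command-line names; escape them so a
  # `,`, `&` or `\` in any of them cannot alter the generated config.
  serial=$(escape_sed_replacement "$SERIAL_PATH")
  database=$(escape_sed_replacement "$DATABASE_PATH")
  ca_key=$(escape_sed_replacement "$CA_KEY")
  ca_cert=$(escape_sed_replacement "$CA_CERT")
  start_date=$(escape_sed_replacement "$START_DATE")
  san=$(escape_sed_replacement "$SUBJECT_ALT_NAME")

  sed \
    -e "s,\$ENV::SERIAL_PATH,${serial},g" \
    -e "s,\$ENV::DATABASE_PATH,${database},g" \
    -e "s,\$ENV::CA_KEY,${ca_key},g" \
    -e "s,\$ENV::CA_CERT,${ca_cert},g" \
    -e "s,\$ENV::START_DATE,${start_date},g" \
    -e "s,\$ENV::SUBJECT_ALT_NAME,${san},g" \
    -- "$source" > "$target"
}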
# Prepare the on-disk state that `openssl ca` needs.
#
# Creates DATA_PATH and the directories the CERT_PATH / KEY_PATH templates
# point into (dirname is applied to the template as written, so a `%s` in
# the directory part is taken literally), then seeds the serial counter with
# "0001" and an empty index database.  Existing files are never overwritten.
# Globals (read): DATA_PATH, CERT_PATH, KEY_PATH, SERIAL_PATH, DATABASE_PATH
init() {
  local cert_dir key_dir
  cert_dir="$(dirname "$CERT_PATH")"
  key_dir="$(dirname "$KEY_PATH")"
  mkdir -p "$DATA_PATH" "$cert_dir" "$key_dir"

  # First serial number the CA hands out; `openssl ca` increments it.
  [[ -f "$SERIAL_PATH" ]] || printf '0001\n' > "$SERIAL_PATH"

  # The index database starts empty; it only has to exist.
  [[ -f "$DATABASE_PATH" ]] || : > "$DATABASE_PATH"
}
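# Create the CA key and certificate unless both already exist.
#
# Arguments:
#   $1 - CA name, used as the certificate CN
#   $2 - path of the CA certificate to write
#   $3 - path of the CA private key to write
# Globals (read): OPENSSL_CONFIG, plus whatever create_openssl_config reads
# Returns: 0 on success or when nothing had to be done, 1 on a bad name or
#          temp-dir failure, otherwise the status of the first failing step
#
# The certificate is produced as before: a self-signed certificate is
# generated, then a CSR for the same key is signed with it through
# `openssl ca`, so the CA certificate is recorded in the CA database.
make_ca() {
  local ca="$1" cert="$2" key="$3"

  # The name ends up in -subj and, via CA_KEY/CA_CERT, in file paths: a `/`
  # would act as a DN separator or a path component.
  if [[ -z "$ca" || "$ca" == */* ]]; then
    printf 'make_ca: invalid CA name: %s\n' "$ca" >&2
    return 1
  fi

  if [[ -f "$cert" && -f "$key" ]]; then
    return 0
  fi

  # Intermediate files live in a private temp dir instead of predictable
  # names in the current directory, and are removed on every exit path.
  local workdir rc=0
  workdir="$(mktemp -d)" || return 1
  local self_signed="$workdir/temp_cert.crt" csr="$workdir/temp_csr.csr"

  create_openssl_config "$OPENSSL_CONFIG" || rc=$?

  # The key is written unencrypted (-nodes); a 077 umask for that step keeps
  # it owner-readable only, independent of the OpenSSL version's defaults.
  # Each step runs only if the previous one succeeded.
  if (( rc == 0 )); then
    (umask 077 && openssl req -new -x509 -nodes -config "$OPENSSL_CONFIG" \
      -keyout "$key" \
      -out "$self_signed" \
      -subj "/CN=$ca" \
      -extensions "standard_ca") \
    && openssl req -new -nodes -config "$OPENSSL_CONFIG" \
      -key "$key" \
      -out "$csr" \
      -subj "/CN=$ca" \
      -extensions "standard_ca" \
    && openssl ca -config "$OPENSSL_CONFIG" \
      -batch \
      -cert "$self_signed" \
      -out "$cert" \
      -in "$csr" \
      -extensions "standard_ca" \
    || rc=$?
  fi

  rm -rf -- "$workdir"
  # Mirrors the original cleanup: `*.pem` presumably removes the copies
  # `openssl ca` leaves in new_certs_dir, which the template is assumed to
  # point at the current directory - confirm against openssl.tmpl.
  rm -f -- *.pem "$OPENSSL_CONFIG"
  return "$rc"
}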
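# Issue a leaf certificate for one domain, signed by the CA, unless the key
# and certificate already exist.
#
# Arguments:
#   $1 - CA name; accepted for the call signature but not used here (the
#        signing CA comes from CA_KEY / CA_CERT via the config template)
#   $2 - domain name; becomes the CN and the single DNS SAN
# Globals (read): KEY_PATH, CERT_PATH, OPENSSL_CONFIG
# Globals (written): SUBJECT_ALT_NAME, exported for the config template
# Returns: 0 on success or when nothing had to be done, 1 on a bad domain or
#          temp-dir failure, otherwise the status of the first failing step
make_cert() {
  local ca="$1"
  local domain="$2"

  # The domain is interpolated into -subj and, through the KEY_PATH/CERT_PATH
  # templates, into file paths.  Restrict it to hostname characters (plus `*`
  # for wildcard names) so it cannot carry `/`, `,`, `=` or whitespace.
  if [[ -z "$domain" || ! "$domain" =~ ^[A-Za-z0-9._*-]+$ ]]; then
    printf 'make_cert: invalid domain name: %s\n' "$domain" >&2
    return 1
  fi

  # KEY_PATH / CERT_PATH are printf templates with %s standing for the name.
  local key_path cert_path
  key_path="$(printf "$KEY_PATH" "$domain")"
  cert_path="$(printf "$CERT_PATH" "$domain")"
  if [[ -f "$key_path" && -f "$cert_path" ]]; then
    return 0
  fi

  # The CSR goes into a private temp dir instead of ./<domain>.csr, and is
  # removed on every exit path.
  local workdir rc=0
  workdir="$(mktemp -d)" || return 1
  local req_path="$workdir/${domain}.csr"

  export SUBJECT_ALT_NAME="DNS:${domain}"
  create_openssl_config "$OPENSSL_CONFIG" || rc=$?

  # The key is written unencrypted (-nodes); a 077 umask for that step keeps
  # it owner-readable only.  Signing runs only if the key/CSR step succeeded.
  if (( rc == 0 )); then
    (umask 077 && openssl req -new -config "$OPENSSL_CONFIG" \
      -keyout "$key_path" \
      -out "$req_path" \
      -subj "/CN=$domain" \
      -nodes \
      -extensions "standard") \
    && openssl ca -config "$OPENSSL_CONFIG" \
      -batch \
      -noemailDN \
      -in "$req_path" \
      -out "$cert_path" \
      -extensions "standard" \
    || rc=$?
  fi

  rm -rf -- "$workdir"
  rm -f -- "$OPENSSL_CONFIG"
  return "$rc"
}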
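# Entry point: make sure the CA exists, then issue one certificate per name.
#
# Arguments:
#   $1   - CA name (required)
#   $2.. - domain names to issue certificates for (optional)
# Globals (written): CA_KEY, CA_CERT, SUBJECT_ALT_NAME, exported for the
#   config template
# Returns: 2 on a usage error; otherwise the status of the last step
main() {
  local ca="$1"
  if [[ -z "$ca" ]]; then
    echo "You need to specify the CA name as the first parameter" >&2
    return 2
  fi
  # The CA name is expanded into the KEY_PATH / CERT_PATH templates, so a
  # `/` would let it escape DATA_PATH; it would also split the -subj DN.
  if [[ "$ca" == */* ]]; then
    echo "The CA name must not contain '/'" >&2
    return 2
  fi
  init
  # KEY_PATH / CERT_PATH are printf templates with %s standing for the name.
  export CA_KEY="$(printf "$KEY_PATH" "$ca")"
  export CA_CERT="$(printf "$CERT_PATH" "$ca")"
  export SUBJECT_ALT_NAME="DNS:$ca"
  make_ca "$ca" "$CA_CERT" "$CA_KEY"
  local name
  for name in "${@:2}"; do
    make_cert "$ca" "$name"
  done
}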
# Run with the script's arguments: <ca-name> [domain ...].
main "$@"