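#!/bin/bash
# Generate (or reuse) an RSA key and CSR for one hostname, have the local CA
# sign the CSR, and bundle certificate + key into a single .pem file.
#
# Usage:    generate-key-signed-crt-pem.sh <fqdn>
# Requires: openssl; a CA configured at /root/CA/config.txt (used by `openssl ca`).
# Outputs:  <fqdn>.key, <fqdn>.csr, <fqdn>.crt and <fqdn>.pem in the current
#           directory. Existing non-empty .key/.csr/.crt files are reused, so a
#           failed run can simply be re-executed.
# Returns:  0 on success, 1 on usage error, a failed openssl step, or a
#           certificate/key mismatch.
set -u

if [ $# -ne 1 ]; then
  echo "wrong number of parameters, correct usage: generate-key-signed-crt-pem.sh dhcp127.Example.MyCompany.com" >&2
  exit 1
fi

COMMONNAME="$1"
KEY="$COMMONNAME.key"
REQUEST="$COMMONNAME.csr"
CERTIFICATE="$COMMONNAME.crt"
PEM="$COMMONNAME.pem"
EMAIL="admin@$COMMONNAME"
SUBJECT="/C=US/ST=California/L=San Francisco/O=MyCompany/OU=ExampleServer/CN=$COMMONNAME/emailAddress=$EMAIL"

if ! [ -s "./$KEY" ]; then
  echo "generating key for $COMMONNAME"
  # Subshell umask: the private key must never be created group/world-readable,
  # whatever umask the caller happens to have.
  (umask 077; openssl genrsa -out "$KEY" 2048) || { echo "ERROR: key generation failed" >&2; exit 1; }
fi

if ! [ -s "./$REQUEST" ]; then
  echo "generating request (csr) for $COMMONNAME"
  # $REQUEST was unquoted here before; a CN with shell metacharacters would
  # have been word-split. Each openssl step is checked explicitly because a
  # failure would otherwise surface only as a confusing hash mismatch below.
  openssl req -new -key "$KEY" -out "$REQUEST" -days 3650 -subj "$SUBJECT" \
    || { echo "ERROR: request generation failed" >&2; exit 1; }
fi

if ! [ -s "./$CERTIFICATE" ]; then
  echo "generating signed certificate (crt) for $COMMONNAME"
  openssl ca -config /root/CA/config.txt -batch -in "$REQUEST" -out "$CERTIFICATE" \
    || { echo "ERROR: CA signing failed" >&2; exit 1; }
fi

# Sanity check that the certificate really belongs to this key: the RSA modulus
# of both must be identical, compared via its MD5 (fingerprinting only, not a
# security primitive here).
CERTHASH=$(openssl x509 -noout -modulus -in "$CERTIFICATE" | openssl md5)
echo "Certificate hash: $CERTHASH"
KEYHASH=$(openssl rsa -noout -modulus -in "$KEY" | openssl md5)
echo "Key hash: $KEYHASH"

# An empty digest means one of the pipelines failed; two empty digests would
# otherwise compare equal and let a broken pair through.
if [ -z "$CERTHASH" ] || [ "$CERTHASH" != "$KEYHASH" ]; then
  echo "ERROR: hashes do not match" >&2
  exit 1
fi

# The bundle contains the private key: create it 0600 and force the mode even
# if an older, more permissive .pem is being overwritten.
(umask 077; cat "$CERTIFICATE" "$KEY" > "$PEM") || { echo "ERROR: could not write $PEM" >&2; exit 1; }
chmod 600 -- "$PEM"
echo "successfully generated .pem with certificate and key: $PEM"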
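#!/bin/bash
# Generate a self-signed server certificate for the Example service: an RSA key
# (reused if it already exists), a CSR built from environment-supplied subject
# fields, and a certificate signed with that same key.
#
# Usage:       <script> [key-path] [crt-path] [csr-path]
# Environment: countryCode stateCode prettyName host domain fqdn cn
#              emailContact keyLength sslDuration -- all optional, see defaults.
# Outputs:     certificate text and the CSR on stdout; files are chowned to
#              Example:Example, so this is expected to run as root.
# Returns:     0 on success, 1 if any openssl step fails.

die() { printf '%s\n' "$*" >&2; exit 1; }

# Positional arguments with defaults (previously tested with an unquoted
# `[ -z $var ]`, which mis-parses values containing spaces).
key=${1:-/chef-repo/cookbooks/Example/files/default/Example_com.key}
crt=${2:-/chef-repo/cookbooks/Example/files/default/Example_com_chain.crt}
csr=${3:-/chef-repo/cookbooks/Example/files/default/Example_com.csr}

# defaults -- host and domain are resolved before cn because cn falls back to
# "$host.$domain"; the original ordering produced a CN of "." when neither
# fqdn nor cn was supplied.
if [ "${#countryCode}" -gt 2 ]; then countryCode="US"; fi
: "${prettyName:=My Company, Inc.}"
: "${host:=chat}"
: "${domain:=example.mycompany.com}"
: "${cn:=${fqdn:-}}"
: "${cn:=$host.$domain}"
: "${countryCode:=US}"
: "${stateCode:=California}"
: "${emailContact:=nobody@$host.$domain}"
: "${keyLength:=2048}"
: "${sslDuration:=3650}"
# NOTE(review): this unconditionally discards the emailContact default set just
# above, so the CSR is submitted with an empty e-mail field -- looks unintended;
# kept as-is pending confirmation.
emailContact=''

# gen key/csr/cert
if [ ! -f "$key" ]; then
  # umask 027 in a subshell: the key is created 0640 at most, so it is never
  # world-readable between genrsa finishing and the chmod below (previously the
  # file inherited the caller's umask for that window). Group Example keeps read.
  (umask 027; openssl genrsa -out "$key" "$keyLength") || die "key generation failed: $key"
  chown Example:Example "$key"
  chmod o-r "$key"
fi

# Answers to the interactive `openssl req` prompts, one per line in prompt
# order: C, ST, L (blank), O, OU (blank), CN, emailAddress, then the extra
# attributes (challenge password, optional company name) and a trailing blank.
# They are piped straight in rather than staged in a fixed, predictable path
# under /tmp, and printf gets a constant format so a '%' in a value is literal.
printf '%s\n' "$countryCode" "$stateCode" "" "$prettyName" "" "$cn" "$emailContact" "" "" "" \
  | openssl req -new -key "$key" -out "$csr" >/dev/null || die "CSR generation failed: $csr"
chown Example:Example "$csr"

openssl x509 -req -days "$sslDuration" -in "$csr" -signkey "$key" -out "$crt" >/dev/null \
  || die "self-signing failed: $crt"
chown Example:Example "$crt"

openssl x509 -in "$crt" -noout -text
cat "$csr"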