617 lines
17 KiB
Bash
617 lines
17 KiB
Bash
|
#!/bin/bash
|
||
|
|
||
|
# Source: https://jamielinux.com/docs/openssl-certificate-authority/index.html
|
||
|
|
||
|
if [ -z "$1" ]; then
|
||
|
echo "=x=> Path for your CA root is required!"
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
CA_ROOT=$(realpath "$1")
|
||
|
|
||
|
# Intermediate directory
|
||
|
INTERMEDIATE_ROOT="$CA_ROOT/intermediate"
|
||
|
|
||
|
# Static config blanks
|
||
|
|
||
|
read -r -d '' OPENSSL_CA_CFG << EOM
|
||
|
# OpenSSL root CA configuration file.
|
||
|
# Auto-generated.
|
||
|
|
||
|
[ ca ]
|
||
|
# \`man ca\`
|
||
|
default_ca = CA_default
|
||
|
|
||
|
[ CA_default ]
|
||
|
# Directory and file locations.
|
||
|
dir = $CA_ROOT
|
||
|
certs = \$dir/certs
|
||
|
crl_dir = \$dir/crl
|
||
|
new_certs_dir = \$dir/newcerts
|
||
|
database = \$dir/index.txt
|
||
|
serial = \$dir/serial
|
||
|
RANDFILE = \$dir/private/.rand
|
||
|
|
||
|
# The root key and root certificate.
|
||
|
private_key = \$dir/private/ca.key.pem
|
||
|
certificate = \$dir/certs/ca.cert.pem
|
||
|
|
||
|
# For certificate revocation lists.
|
||
|
crlnumber = \$dir/crlnumber
|
||
|
crl = \$dir/crl/ca.crl.pem
|
||
|
crl_extensions = crl_ext
|
||
|
default_crl_days = 30
|
||
|
|
||
|
# SHA-1 is deprecated, so use SHA-2 instead.
|
||
|
default_md = sha256
|
||
|
|
||
|
name_opt = ca_default
|
||
|
cert_opt = ca_default
|
||
|
default_days = 375
|
||
|
preserve = no
|
||
|
policy = policy_strict
|
||
|
|
||
|
[ policy_strict ]
|
||
|
# The root CA should only sign intermediate certificates that match.
|
||
|
# See the POLICY FORMAT section of \`man ca\`.
|
||
|
countryName = match
|
||
|
stateOrProvinceName = match
|
||
|
organizationName = match
|
||
|
organizationalUnitName = optional
|
||
|
commonName = supplied
|
||
|
emailAddress = optional
|
||
|
|
||
|
[ policy_loose ]
|
||
|
# Allow the intermediate CA to sign a more diverse range of certificates.
|
||
|
# See the POLICY FORMAT section of the \`ca\` man page.
|
||
|
countryName = optional
|
||
|
stateOrProvinceName = optional
|
||
|
localityName = optional
|
||
|
organizationName = optional
|
||
|
organizationalUnitName = optional
|
||
|
commonName = supplied
|
||
|
emailAddress = optional
|
||
|
|
||
|
[ req ]
|
||
|
# Options for the \`req\` tool (\`man req\`).
|
||
|
default_bits = 4096
|
||
|
distinguished_name = req_distinguished_name
|
||
|
string_mask = utf8only
|
||
|
|
||
|
# SHA-1 is deprecated, so use SHA-2 instead.
|
||
|
default_md = sha256
|
||
|
|
||
|
# Extension to add when the -x509 option is used.
|
||
|
x509_extensions = v3_ca
|
||
|
|
||
|
[ req_distinguished_name ]
|
||
|
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
|
||
|
countryName = Country Name (2 letter code)
|
||
|
stateOrProvinceName = State or Province Name
|
||
|
localityName = Locality Name
|
||
|
0.organizationName = Organization Name
|
||
|
organizationalUnitName = Organizational Unit Name
|
||
|
commonName = Common Name
|
||
|
emailAddress = Email Address
|
||
|
|
||
|
[ v3_ca ]
|
||
|
# Extensions for a typical CA (\`man x509v3_config\`).
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid:always,issuer
|
||
|
basicConstraints = critical, CA:true
|
||
|
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||
|
|
||
|
[ v3_intermediate_ca ]
|
||
|
# Extensions for a typical intermediate CA (\`man x509v3_config\`).
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid:always,issuer
|
||
|
basicConstraints = critical, CA:true, pathlen:0
|
||
|
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||
|
|
||
|
[ usr_cert ]
|
||
|
# Extensions for client certificates (\`man x509v3_config\`).
|
||
|
basicConstraints = CA:FALSE
|
||
|
nsCertType = client, email
|
||
|
nsComment = "OpenSSL Generated Client Certificate"
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid,issuer
|
||
|
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||
|
extendedKeyUsage = clientAuth, emailProtection
|
||
|
|
||
|
[ server_cert ]
|
||
|
# Extensions for server certificates (\`man x509v3_config\`).
|
||
|
basicConstraints = CA:FALSE
|
||
|
nsCertType = server
|
||
|
nsComment = "OpenSSL Generated Server Certificate"
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid,issuer:always
|
||
|
keyUsage = critical, digitalSignature, keyEncipherment
|
||
|
extendedKeyUsage = serverAuth
|
||
|
|
||
|
[ crl_ext ]
|
||
|
# Extension for CRLs (\`man x509v3_config\`).
|
||
|
authorityKeyIdentifier=keyid:always
|
||
|
|
||
|
[ ocsp ]
|
||
|
# Extension for OCSP signing certificates (\`man ocsp\`).
|
||
|
basicConstraints = CA:FALSE
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid,issuer
|
||
|
keyUsage = critical, digitalSignature
|
||
|
extendedKeyUsage = critical, OCSPSigning
|
||
|
|
||
|
EOM
|
||
|
|
||
|
read -r -d '' OPENSSL_INTERMEDIATE_CFG << EOM
|
||
|
# OpenSSL intermediate CA configuration file.
|
||
|
# Auto-generated.
|
||
|
|
||
|
[ ca ]
|
||
|
# \`man ca\`
|
||
|
default_ca = CA_default
|
||
|
|
||
|
[ CA_default ]
|
||
|
# Directory and file locations.
|
||
|
dir = $INTERMEDIATE_ROOT
|
||
|
certs = \$dir/certs
|
||
|
crl_dir = \$dir/crl
|
||
|
new_certs_dir = \$dir/newcerts
|
||
|
database = \$dir/index.txt
|
||
|
serial = \$dir/serial
|
||
|
RANDFILE = \$dir/private/.rand
|
||
|
|
||
|
# The root key and root certificate.
|
||
|
private_key = \$dir/private/intermediate.key.pem
|
||
|
certificate = \$dir/certs/intermediate.cert.pem
|
||
|
|
||
|
# For certificate revocation lists.
|
||
|
crlnumber = \$dir/crlnumber
|
||
|
crl = \$dir/crl/intermediate.crl.pem
|
||
|
crl_extensions = crl_ext
|
||
|
default_crl_days = 30
|
||
|
|
||
|
# SHA-1 is deprecated, so use SHA-2 instead.
|
||
|
default_md = sha256
|
||
|
|
||
|
name_opt = ca_default
|
||
|
cert_opt = ca_default
|
||
|
default_days = 375
|
||
|
preserve = no
|
||
|
policy = policy_loose
|
||
|
|
||
|
# Allow copying extensions from CSRs
|
||
|
copy_extensions = copy
|
||
|
|
||
|
[ policy_strict ]
|
||
|
# The root CA should only sign intermediate certificates that match.
|
||
|
# See the POLICY FORMAT section of \`man ca\`.
|
||
|
countryName = match
|
||
|
stateOrProvinceName = match
|
||
|
organizationName = match
|
||
|
organizationalUnitName = optional
|
||
|
commonName = supplied
|
||
|
emailAddress = optional
|
||
|
|
||
|
[ policy_loose ]
|
||
|
# Allow the intermediate CA to sign a more diverse range of certificates.
|
||
|
# See the POLICY FORMAT section of the \`ca\` man page.
|
||
|
countryName = optional
|
||
|
stateOrProvinceName = optional
|
||
|
localityName = optional
|
||
|
organizationName = optional
|
||
|
organizationalUnitName = optional
|
||
|
commonName = supplied
|
||
|
emailAddress = optional
|
||
|
|
||
|
[ req ]
|
||
|
# Options for the \`req\` tool (\`man req\`).
|
||
|
default_bits = 4096
|
||
|
distinguished_name = req_distinguished_name
|
||
|
string_mask = utf8only
|
||
|
|
||
|
# SHA-1 is deprecated, so use SHA-2 instead.
|
||
|
default_md = sha256
|
||
|
|
||
|
# Extension to add when the -x509 option is used.
|
||
|
x509_extensions = v3_intermediate_ca
|
||
|
|
||
|
[ req_distinguished_name ]
|
||
|
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
|
||
|
countryName = Country Name (2 letter code)
|
||
|
stateOrProvinceName = State or Province Name
|
||
|
localityName = Locality Name
|
||
|
0.organizationName = Organization Name
|
||
|
organizationalUnitName = Organizational Unit Name
|
||
|
commonName = Common Name
|
||
|
emailAddress = Email Address
|
||
|
|
||
|
[ v3_ca ]
|
||
|
# Extensions for a typical CA (\`man x509v3_config\`).
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid:always,issuer
|
||
|
basicConstraints = critical, CA:true
|
||
|
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||
|
|
||
|
[ v3_intermediate_ca ]
|
||
|
# Extensions for a typical intermediate CA (\`man x509v3_config\`).
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid:always,issuer
|
||
|
basicConstraints = critical, CA:true, pathlen:0
|
||
|
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||
|
|
||
|
[ usr_cert ]
|
||
|
# Extensions for client certificates (\`man x509v3_config\`).
|
||
|
basicConstraints = CA:FALSE
|
||
|
nsCertType = client, email
|
||
|
nsComment = "OpenSSL Generated Client Certificate"
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid,issuer
|
||
|
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||
|
extendedKeyUsage = clientAuth, emailProtection
|
||
|
|
||
|
[ server_cert ]
|
||
|
# Extensions for server certificates (\`man x509v3_config\`).
|
||
|
basicConstraints = CA:FALSE
|
||
|
nsCertType = server
|
||
|
nsComment = "OpenSSL Generated Server Certificate"
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid,issuer:always
|
||
|
keyUsage = critical, digitalSignature, keyEncipherment
|
||
|
extendedKeyUsage = serverAuth
|
||
|
|
||
|
[ crl_ext ]
|
||
|
# Extension for CRLs (\`man x509v3_config\`).
|
||
|
authorityKeyIdentifier=keyid:always
|
||
|
|
||
|
[ ocsp ]
|
||
|
# Extension for OCSP signing certificates (\`man ocsp\`).
|
||
|
basicConstraints = CA:FALSE
|
||
|
subjectKeyIdentifier = hash
|
||
|
authorityKeyIdentifier = keyid,issuer
|
||
|
keyUsage = critical, digitalSignature
|
||
|
extendedKeyUsage = critical, OCSPSigning
|
||
|
|
||
|
EOM
|
||
|
|
||
|
deployFiles () {
|
||
|
echo "Deploying a Certificate Authority to $CA_ROOT"
|
||
|
echo ''
|
||
|
|
||
|
if [ ! -d "$CA_ROOT" ]; then
|
||
|
# Create directory
|
||
|
mkdir -p "$CA_ROOT"
|
||
|
|
||
|
# Create sub-directories
|
||
|
mkdir -p "$CA_ROOT/private" "$CA_ROOT/csr" "$CA_ROOT/certs" "$CA_ROOT/newcerts"
|
||
|
touch "$CA_ROOT/index.txt"
|
||
|
echo 1000 > "$CA_ROOT/serial"
|
||
|
|
||
|
chmod 700 "$CA_ROOT/private"
|
||
|
echo "$OPENSSL_CA_CFG" > "$CA_ROOT/openssl.cfg"
|
||
|
fi
|
||
|
|
||
|
if [ ! -d "$INTERMEDIATE_ROOT" ]; then
|
||
|
mkdir -p "$INTERMEDIATE_ROOT/private" "$INTERMEDIATE_ROOT/csr" "$INTERMEDIATE_ROOT/certs" "$INTERMEDIATE_ROOT/newcerts"
|
||
|
touch "$INTERMEDIATE_ROOT/index.txt"
|
||
|
echo 1000 > "$INTERMEDIATE_ROOT/serial"
|
||
|
|
||
|
chmod 700 "$INTERMEDIATE_ROOT/private"
|
||
|
echo "$OPENSSL_INTERMEDIATE_CFG" > "$INTERMEDIATE_ROOT/openssl.cfg"
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
generateRootPair () {
|
||
|
############################
|
||
|
# GENERATING ROOT KEY PAIR #
|
||
|
############################
|
||
|
|
||
|
echo '==> Starting the generation of the root key pair.'
|
||
|
echo '==> Please fill in the appropriate information asked.'
|
||
|
echo ''
|
||
|
|
||
|
# Set CWD
|
||
|
cd "$CA_ROOT"
|
||
|
|
||
|
# CA Root Private Key
|
||
|
if [ ! -e "$CA_ROOT/private/ca.key.pem" ]; then
|
||
|
echo '=> Generating CA key.. Please enter a strong passphrase.'
|
||
|
echo ''
|
||
|
openssl genrsa -aes256 -out private/ca.key.pem 4096
|
||
|
else
|
||
|
echo '=> Root CA key exists, skipping..'
|
||
|
fi
|
||
|
|
||
|
if [ ! -e "$CA_ROOT/private/ca.key.pem" ]; then
|
||
|
echo '=x=> Root CA key was not generated!'
|
||
|
return 1
|
||
|
fi
|
||
|
chmod 400 private/ca.key.pem
|
||
|
|
||
|
# CA Root Certificate
|
||
|
if [ ! -e "$CA_ROOT/certs/ca.cert.pem" ]; then
|
||
|
echo '=> Generating CA certificate..'
|
||
|
echo ''
|
||
|
openssl req -config "$CA_ROOT/openssl.cfg" \
|
||
|
-key private/ca.key.pem \
|
||
|
-new -x509 -days 7300 -sha256 -extensions v3_ca \
|
||
|
-out certs/ca.cert.pem
|
||
|
else
|
||
|
echo '=> Root certificate exists, skipping..'
|
||
|
fi
|
||
|
|
||
|
if [ ! -e "$CA_ROOT/certs/ca.cert.pem" ]; then
|
||
|
echo '=x=> Root certificate was not generated!'
|
||
|
return 1
|
||
|
fi
|
||
|
chmod 444 certs/ca.cert.pem
|
||
|
|
||
|
# Print info
|
||
|
openssl x509 -noout -text -in certs/ca.cert.pem
|
||
|
|
||
|
echo '==> Root key pair generated.'
|
||
|
echo ''
|
||
|
}
|
||
|
|
||
|
generateIntermediate () {
|
||
|
if [ ! -e "$CA_ROOT/certs/ca.cert.pem" ]; then
|
||
|
echo '=x=> Could not generate intermediate certificate.'
|
||
|
echo '=x=> CA certificate is missing!'
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
####################################
|
||
|
# GENERATING INTERMEDIATE KEY PAIR #
|
||
|
####################################
|
||
|
|
||
|
cd "$CA_ROOT"
|
||
|
|
||
|
echo '==> Starting the generation of the intermediate key pair.'
|
||
|
echo '==> This is used to sign server and user certificates.'
|
||
|
echo '==> Please fill in the appropriate information asked.'
|
||
|
echo ''
|
||
|
|
||
|
if [ ! -e "$CA_ROOT/intermediate/private/intermediate.key.pem" ]; then
|
||
|
# Key
|
||
|
echo '=> Generating intermediate key.. Please enter a strong passphrase.'
|
||
|
echo ''
|
||
|
openssl genrsa -aes256 \
|
||
|
-out intermediate/private/intermediate.key.pem 4096
|
||
|
else
|
||
|
echo '=> Intermediate certificate key exists, skipping..'
|
||
|
fi
|
||
|
|
||
|
if [ ! -e "$CA_ROOT/intermediate/private/intermediate.key.pem" ]; then
|
||
|
echo '=x=> Intermediate certificate key was not generated!'
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
chmod 400 intermediate/private/intermediate.key.pem
|
||
|
|
||
|
if [ -e "$CA_ROOT/intermediate/csr/intermediate.csr.pem" ]; then
|
||
|
rm -f intermediate/csr/intermediate.csr.pem
|
||
|
rm -f intermediate/certs/intermediate.cert.pem
|
||
|
fi
|
||
|
|
||
|
# Certificate Signing Request (CSR)
|
||
|
echo '=> Generating intermediate CSR..'
|
||
|
echo ''
|
||
|
openssl req -config "$INTERMEDIATE_ROOT/openssl.cfg" -new -sha256 \
|
||
|
-key intermediate/private/intermediate.key.pem \
|
||
|
-out intermediate/csr/intermediate.csr.pem
|
||
|
|
||
|
if [ ! -e "$CA_ROOT/intermediate/csr/intermediate.csr.pem" ]; then
|
||
|
echo '=x=> Intermediate signing request was not generated!'
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
echo '=> Singing the intermediate certificate. Please answer yes in order to continue.'
|
||
|
echo ''
|
||
|
openssl ca -config "$CA_ROOT/openssl.cfg" -extensions v3_intermediate_ca \
|
||
|
-days 3650 -notext -md sha256 \
|
||
|
-in intermediate/csr/intermediate.csr.pem \
|
||
|
-out intermediate/certs/intermediate.cert.pem
|
||
|
|
||
|
if [ ! -e "$CA_ROOT/intermediate/certs/intermediate.cert.pem" ]; then
|
||
|
echo '=x=> Intermediate certificate was not signed!'
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
chmod 444 intermediate/certs/intermediate.cert.pem
|
||
|
|
||
|
# Print info
|
||
|
openssl x509 -noout -text \
|
||
|
-in intermediate/certs/intermediate.cert.pem
|
||
|
|
||
|
openssl verify -CAfile certs/ca.cert.pem \
|
||
|
intermediate/certs/intermediate.cert.pem
|
||
|
|
||
|
# Generate Certificate Chain
|
||
|
cat intermediate/certs/intermediate.cert.pem \
|
||
|
certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
|
||
|
|
||
|
chmod 444 intermediate/certs/ca-chain.cert.pem
|
||
|
|
||
|
echo '==> Intermediate key pair generated.'
|
||
|
echo "==> Your CA (Certificate Authority) is \"$INTERMEDIATE_ROOT/certs/ca-chain.cert.pem\""
|
||
|
}
|
||
|
|
||
|
createCertificate() {
|
||
|
if [ ! -e "$CA_ROOT" ]; then
|
||
|
echo "=x=> Certificate root was not found."
|
||
|
return 1
|
||
|
elif [ ! -e "$INTERMEDIATE_ROOT/openssl.cfg" ]; then
|
||
|
echo "=x=> Intermediate certificate configuration was not found."
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
if [ -z "$1" ]; then
|
||
|
echo "=x=> Please provide a name for this certificate."
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
if [ -z "$2" ] || [ "$2" != "server_cert" ] && [ "$2" != "usr_cert" ]; then
|
||
|
echo "=x=> Type must be one of server_cert or usr_cert. If you're unsure about this, use 'usr_cert'."
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
cd "$CA_ROOT"
|
||
|
|
||
|
# Custom configuration file
|
||
|
local CSRCFG="$INTERMEDIATE_ROOT/openssl.cfg"
|
||
|
if [ -n $3 ]; then
|
||
|
CSRCFG="$3"
|
||
|
fi
|
||
|
|
||
|
# Generate the key if it does not exist
|
||
|
if [ ! -e "$INTERMEDIATE_ROOT/private/$1.key.pem" ]; then
|
||
|
echo "==> Generating key for \"$1\""
|
||
|
echo ''
|
||
|
|
||
|
openssl genrsa -out "$INTERMEDIATE_ROOT/private/$1.key.pem" 4096
|
||
|
chmod 400 "$INTERMEDIATE_ROOT/private/$1.key.pem"
|
||
|
|
||
|
if [ ! -e "$INTERMEDIATE_ROOT/private/$1.key.pem" ]; then
|
||
|
echo "=x=> Key was not created!"
|
||
|
return 1
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
echo "==> Generating CSR for \"$1\""
|
||
|
echo ''
|
||
|
|
||
|
openssl req -config "$CSRCFG" \
|
||
|
-key "$INTERMEDIATE_ROOT/private/$1.key.pem" \
|
||
|
-new -sha256 -out "$INTERMEDIATE_ROOT/csr/$1.csr.pem"
|
||
|
|
||
|
if [ ! -e "$INTERMEDIATE_ROOT/csr/$1.csr.pem" ]; then
|
||
|
echo "=x=> CSR was not created!"
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
echo "==> Generating certificate for \"$1\""
|
||
|
echo ''
|
||
|
|
||
|
openssl ca -config "$INTERMEDIATE_ROOT/openssl.cfg" \
|
||
|
-extensions "$2" -days 375 -notext -md sha256 \
|
||
|
-in "$INTERMEDIATE_ROOT/csr/$1.csr.pem" \
|
||
|
-out "$INTERMEDIATE_ROOT/certs/$1.cert.pem"
|
||
|
|
||
|
if [ ! -e "$INTERMEDIATE_ROOT/certs/$1.cert.pem" ]; then
|
||
|
echo "=x=> Certificate was not created!"
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
chmod 444 "$INTERMEDIATE_ROOT/certs/$1.cert.pem"
|
||
|
|
||
|
echo "==> Done."
|
||
|
echo "==> Key: $INTERMEDIATE_ROOT/private/$1.key.pem"
|
||
|
echo "==> Cert: $INTERMEDIATE_ROOT/certs/$1.cert.pem"
|
||
|
}
|
||
|
|
||
|
revokeCertificate() {
|
||
|
if [ ! -e "$CA_ROOT" ]; then
|
||
|
echo "=x=> Certificate root was not found."
|
||
|
return 1
|
||
|
elif [ ! -e "$INTERMEDIATE_ROOT/openssl.cfg" ]; then
|
||
|
echo "=x=> Intermediate certificate configuration was not found."
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
if [ -z "$1" ]; then
|
||
|
echo "=x=> Please provide a name for a certificate to revoke."
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
cd "$CA_ROOT"
|
||
|
|
||
|
echo "==> Revoking certificate"
|
||
|
|
||
|
openssl ca -config "$INTERMEDIATE_ROOT/openssl.cfg" \
|
||
|
-revoke "$INTERMEDIATE_ROOT/certs/$1.cert.pem"
|
||
|
|
||
|
echo "==> Done."
|
||
|
}
|
||
|
|
||
|
printInfo () {
|
||
|
if [ ! -e "$CA_ROOT" ]; then
|
||
|
echo "=x=> Certificate root was not found."
|
||
|
return 1
|
||
|
elif [ ! -e "$INTERMEDIATE_ROOT/openssl.cfg" ]; then
|
||
|
echo "=x=> Intermediate certificate configuration was not found."
|
||
|
return 1
|
||
|
fi
|
||
|
|
||
|
if [ -n "$1" ]; then
|
||
|
openssl x509 -noout -text -in "$CA_ROOT/intermediate/certs/$1.cert.pem"
|
||
|
return 0
|
||
|
fi
|
||
|
|
||
|
echo "=> Root certificate"
|
||
|
openssl x509 -noout -text -in "$CA_ROOT/certs/ca.cert.pem"
|
||
|
|
||
|
echo "=> Intermediate certificate"
|
||
|
openssl x509 -noout -text \
|
||
|
-in "$CA_ROOT/intermediate/certs/intermediate.cert.pem"
|
||
|
|
||
|
openssl verify -CAfile "$CA_ROOT/certs/ca.cert.pem" \
|
||
|
"$CA_ROOT/intermediate/certs/intermediate.cert.pem"
|
||
|
|
||
|
echo ""
|
||
|
echo "==> Paths"
|
||
|
echo "Root: $CA_ROOT"
|
||
|
echo "Intermediate: $CA_ROOT/intermediate"
|
||
|
echo ""
|
||
|
|
||
|
echo "Root Key: $CA_ROOT/private/ca.key.pem"
|
||
|
echo "Root Cert: $CA_ROOT/certs/ca.cert.pem"
|
||
|
|
||
|
echo "CA Key: $CA_ROOT/intermediate/private/intermediate.key.pem"
|
||
|
echo "Chain: $CA_ROOT/intermediate/certs/ca-chain.cert.pem"
|
||
|
echo ""
|
||
|
}
|
||
|
|
||
|
printHelp () {
|
||
|
echo "Usage: ./ca <CA Path> info | wizard | root | intm | revoke [<name>] | new [<name>] [ server_cert | usr_cert ] [ openssl.cfg ]"
|
||
|
echo -e " info\t- Print information about your CA"
|
||
|
echo -e " wizard\t- Create a new CA"
|
||
|
echo -e " root\t- Generate root certificate. For use when wizard fails."
|
||
|
echo -e " intm\t- Generate intermediate certificate. For use when wizard fails."
|
||
|
echo -e " new \t- Create a new certificate signed with your CA. Can also be used for renewal."
|
||
|
echo -e " revoke\t- Revoke a certificate by name"
|
||
|
}
|
||
|
|
||
|
set -e
|
||
|
case "$2" in
|
||
|
"info")
|
||
|
printInfo $3
|
||
|
;;
|
||
|
"wizard" | "generate" | "newca")
|
||
|
echo "==> Proceeding with full generation for path $1"
|
||
|
deployFiles
|
||
|
generateRootPair
|
||
|
generateIntermediate
|
||
|
printInfo
|
||
|
;;
|
||
|
"files")
|
||
|
deployFiles
|
||
|
;;
|
||
|
"rootpair" | "root")
|
||
|
generateRootPair
|
||
|
;;
|
||
|
"intermediate" | "intm")
|
||
|
generateIntermediate
|
||
|
;;
|
||
|
"certificate" | "cert" | "new" | "renew")
|
||
|
createCertificate $3 $4 $5
|
||
|
;;
|
||
|
"revoke")
|
||
|
revokeCertificate $3
|
||
|
;;
|
||
|
"help")
|
||
|
printHelp
|
||
|
;;
|
||
|
*)
|
||
|
echo "Usage: ./ca <CA Path> info | wizard | root | intm | revoke [<name>] | new [<name>] [ server_cert | usr_cert ] [ openssl.cfg ]"
|
||
|
;;
|
||
|
esac
|