@ -2,7 +2,7 @@
|
|
|
|
|
# Filename: gencert.sh
|
|
|
|
|
# Description: This script generates x509 server certificate (with all IPs in
|
|
|
|
|
# SAN) signed by a self-signed CA.
|
|
|
|
|
# Version: 1.5 - 2018 October 12
|
|
|
|
|
# Version: 1.6 - 2018 December 27
|
|
|
|
|
# Author: Andrey Arapov <andrey.arapov@nixaid.com>
|
|
|
|
|
# License: GPLv3
|
|
|
|
|
|
|
|
|
@ -18,8 +18,9 @@ print_help() {
|
|
|
|
|
--cakey - CA key name\t\t\t(default: ca.key)
|
|
|
|
|
--ca - CA cert name\t\t\t(default: ca.crt)
|
|
|
|
|
--cadays - CA cert expiration in days\t(default: 3650)\n
|
|
|
|
|
--nosan - do not write SAN records\n
|
|
|
|
|
--san-ip - specify custom SAN IP records manually. Implies --nosan\n
|
|
|
|
|
--noautosan - do not automatically discover IPs for SAN records\n
|
|
|
|
|
--san-ip - specify custom SAN IP records manually. Implies --noautosan\n
|
|
|
|
|
--san-dns - specify custom SAN DNS records manually.\n
|
|
|
|
|
--debug - show extra information\n
|
|
|
|
|
--rsa - generate RSA keys instead of ECDSA\n
|
|
|
|
|
--rsa-size - set RSA key size\n"
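Review bot: The new `--san-dns` help line (and the reworded `--san-ip` one) do not say what form the value takes, while the SAN-building code later in this change splits both values on `IFS=,`, so callers have to read the source to learn that a comma-separated list is expected. A wording such as `--san-dns - specify custom SAN DNS records manually (comma-separated).\n` and the same parenthetical on `--san-ip` would make the contract visible in `print_help`. print_help's body starts and ends outside this hunk.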
|
|
|
|
@ -34,7 +35,7 @@ parse_arguments() {
|
|
|
|
|
|
|
|
|
|
# read arguments
|
|
|
|
|
opts=$(getopt \
|
|
|
|
|
--longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,san-ip:,debug,rsa,rsa-size:" \
|
|
|
|
|
--longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,noautosan,san-ip:,san-dns:,debug,rsa,rsa-size:" \
|
|
|
|
|
--name "$(basename "$0")" \
|
|
|
|
|
--options "" \
|
|
|
|
|
-- "$@"
|
|
|
|
@ -84,16 +85,22 @@ parse_arguments() {
|
|
|
|
|
shift 2
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
--nosan)
|
|
|
|
|
ARG_NOSAN=1
|
|
|
|
|
--noautosan)
|
|
|
|
|
ARG_NOAUTOSAN=1
|
|
|
|
|
shift 1
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
--san-ip)
|
|
|
|
|
ARG_NOAUTOSAN=1
|
|
|
|
|
ARG_SAN_IP=$2
|
|
|
|
|
shift 2
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
--san-dns)
|
|
|
|
|
ARG_SAN_DNS=$2
|
|
|
|
|
shift 2
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
--debug)
|
|
|
|
|
ARG_DEBUG=1
|
|
|
|
|
shift 1
|
|
|
|
@ -126,8 +133,9 @@ parse_arguments() {
|
|
|
|
|
SERVER_KEY="${ARG_KEY:-private.key}"
|
|
|
|
|
SERVER_CERT="${ARG_CERT:-public.crt}"
|
|
|
|
|
DAYS="${ARG_DAYS:-365}"
|
|
|
|
|
NOSAN="${ARG_NOSAN}"
|
|
|
|
|
NOAUTOSAN="${ARG_NOAUTOSAN}"
|
|
|
|
|
SAN_IP="${ARG_SAN_IP}"
|
|
|
|
|
SAN_DNS="${ARG_SAN_DNS}"
|
|
|
|
|
DEBUG="${ARG_DEBUG}"
|
|
|
|
|
RSA="${ARG_RSA}"
|
|
|
|
|
RSA_SIZE="${ARG_RSA_SIZE:-2048}"
|
|
|
|
@ -147,8 +155,9 @@ parse_arguments() {
|
|
|
|
|
echo CAKEY=$CAKEY
|
|
|
|
|
echo CA=$CA
|
|
|
|
|
echo CADAYS=$CADAYS
|
|
|
|
|
echo NOSAN=$NOSAN
|
|
|
|
|
echo NOAUTOSAN=$NOAUTOSAN
|
|
|
|
|
echo SAN_IP=$SAN_IP
|
|
|
|
|
echo SAN_DNS=$SAN_DNS
|
|
|
|
|
echo DEBUG=$DEBUG
|
|
|
|
|
echo RSA=$RSA
|
|
|
|
|
echo RSA_SIZE=$RSA_SIZE
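Review bot: The added `echo SAN_DNS=$SAN_DNS` follows the surrounding debug lines in leaving the expansion unquoted, so a value containing a glob character or leading `-` is expanded or treated as an echo option instead of printed verbatim. Since this is operator-supplied data, `printf 'SAN_DNS=%s\n' "$SAN_DNS"` prints it exactly; the same applies to the neighbouring `echo NOAUTOSAN=$NOAUTOSAN` and `echo SAN_IP=$SAN_IP` lines. The enclosing debug block continues outside this hunk.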
|
|
|
|
@ -250,14 +259,22 @@ DNS.1=${CN}"
|
|
|
|
|
IFS=,
|
|
|
|
|
PAYLOAD="$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
|
|
|
|
|
unset IFS
|
|
|
|
|
elif [ -z "$NOSAN" ]; then
|
|
|
|
|
fi
|
|
|
|
|
if [ ! -z "$SAN_DNS" ]; then
|
|
|
|
|
echo "[${ME}] Using user-provided SAN records: " ${SAN_DNS}
|
|
|
|
|
i=1
|
|
|
|
|
IFS=,
|
|
|
|
|
PAYLOAD="${PAYLOAD}\n$(for DNS in $SAN_DNS; do echo "DNS.${i} = ${DNS}" ; i=$((i + 1)); done)"
|
|
|
|
|
unset IFS
|
|
|
|
|
fi
|
|
|
|
|
if [ -z "$NOAUTOSAN" ]; then
|
|
|
|
|
# Gather IPs for SAN
|
|
|
|
|
|
|
|
|
|
i=1
|
|
|
|
|
IPS="$( (getent ahostsv4 $(hostname) 2>/dev/null || getent hosts $(hostname) 2>/dev/null) | awk '{print $1}' |sort | uniq)"
|
|
|
|
|
|
|
|
|
|
echo "[${ME}] Found these IPs: " ${IPS}
|
|
|
|
|
PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
|
|
|
|
|
PAYLOAD="${PAYLOAD}\n$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"
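Review bot: The user-supplied DNS records are numbered from `i=1`, but the hunk header shows the template text ending in `DNS.1=${CN}"`, which suggests `--san-dns` emits a second `DNS.1` key into the alt_names section; starting the counter at `i=2` (or numbering after the CN entry) avoids the duplicate, assuming the template indeed defines DNS.1. The two new `PAYLOAD="${PAYLOAD}\n..."` assignments also only work because the final `printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n"` expands the user-provided values inside the format string, so a `%` or backslash in a `--san-ip`/`--san-dns` value is interpreted rather than written to the config; joining the pieces with a real newline (e.g. `$'\n'` if the script runs under bash) and writing them with `printf '%s\n%s\n' "${OPENSSL_CONFIG_CONTENT}" "${PAYLOAD}"` keeps the data out of the format. The added `echo "[${ME}] Using user-provided SAN records: " ${SAN_DNS}` leaves the value unquoted and subject to globbing; `printf '[%s] Using user-provided SAN records: %s\n' "$ME" "$SAN_DNS"` prints it as given.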