This commit is contained in:
Andy 2018-06-30 21:14:44 +02:00
parent d52e0e7861
commit 4076c4b4ef
Signed by: arno
GPG Key ID: 9076D5E6B31AE99C


@ -8,8 +8,8 @@
ME=$(printf '%s\n' "${0##*/}") ME=$(printf '%s\n' "${0##*/}")
function print_help() { print_help() {
echo -e "[${ME}] HELP: I accept following arguments: printf "[${ME}] HELP: I accept following arguments:
--help - show this message --help - show this message
--cn - certificate's CN name\t\t(MANDATORY) --cn - certificate's CN name\t\t(MANDATORY)
--key - server key name\t\t\t(default: private.key) --key - server key name\t\t\t(default: private.key)
@ -17,7 +17,7 @@ function print_help() {
--days - server cert expiration in days\t(default: 365) --days - server cert expiration in days\t(default: 365)
--cakey - CA key name\t\t\t(default: ca.key) --cakey - CA key name\t\t\t(default: ca.key)
--ca - CA cert name\t\t\t(default: ca.crt) --ca - CA cert name\t\t\t(default: ca.crt)
--cadays - CA cert expiration in days\t(default: 3650)" --cadays - CA cert expiration in days\t(default: 3650)\n"
} }
# A POSIX variable # A POSIX variable
@ -33,7 +33,7 @@ opts=$(getopt \
eval set --$opts eval set --$opts
while [[ $# -gt 0 ]]; do while [ $# -gt 0 ]; do
case "$1" in case "$1" in
--help) --help)
print_help; print_help;
@ -107,7 +107,7 @@ DAYS="${ARG_DAYS:-365}"
# set -x # set -x
set -e set -e
function gen_openssl_config() { gen_openssl_config() {
OPENSSL_CONFIG_CONTENT="[ req ] OPENSSL_CONFIG_CONTENT="[ req ]
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
[req_distinguished_name] [req_distinguished_name]
@ -128,44 +128,57 @@ subjectAltName = @alt_names
echo "[${ME}] Found these IPs: " ${IPS} echo "[${ME}] Found these IPs: " ${IPS}
PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)" PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
echo -e "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}" > "${OPENSSL_CONFIG}" printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"
} }
function gen_ca() { gen_ca() {
echo "[${ME}] Generating new CA: ${CA_KEY} / ${CA_CERT} ..." echo "[${ME}] Generating new CA: ${CA_KEY} / ${CA_CERT} ..."
openssl ecparam -name prime256v1 -genkey -noout -out "${CA_KEY}" 2>/dev/null openssl ecparam -name prime256v1 -genkey -noout -out "${CA_KEY}"
chmod 0600 "${CA_KEY}" chmod 0600 "${CA_KEY}"
openssl req -x509 -new -sha256 -nodes -key "${CA_KEY}" -days "${CA_DAYS}" -out "${CA_CERT}" \ openssl req -x509 -new -sha256 -nodes -key "${CA_KEY}" -days "${CA_DAYS}" -out "${CA_CERT}" \
-subj "/CN=my-CA" -extensions v3_ca -config "${OPENSSL_CONFIG}" 2>/dev/null -subj "/CN=my-CA" -extensions v3_ca -config "${OPENSSL_CONFIG}"
} }
function gen_server_x509() { gen_server_x509() {
echo "[${ME}] Generating new server x509: ${SERVER_KEY} / ${SERVER_CERT} ..." echo "[${ME}] Generating new server x509: ${SERVER_KEY} / ${SERVER_CERT} ..."
openssl ecparam -name prime256v1 -genkey -noout -out "${SERVER_KEY}" 2>/dev/null openssl ecparam -name prime256v1 -genkey -noout -out "${SERVER_KEY}"
chmod 0600 "${SERVER_KEY}" chmod 0600 "${SERVER_KEY}"
openssl req -new -sha256 -key "${SERVER_KEY}" -subj "/CN=${ARG_CN}" \ openssl req -new -sha256 -key "${SERVER_KEY}" -subj "/CN=${ARG_CN}" \
| openssl x509 -req -sha256 -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial \ | openssl x509 -req -sha256 -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial \
-out ${SERVER_CERT} -days "${DAYS}" \ -out ${SERVER_CERT} -days "${DAYS}" \
-extensions v3_req_server -extfile "${OPENSSL_CONFIG}" 2>/dev/null -extensions v3_req_server -extfile "${OPENSSL_CONFIG}"
} }
function install_openssl() { install_openssl() {
if type -p openssl >/dev/null; then set +e
type openssl >/dev/null
if [ $? -eq 0 ]; then
return; return;
fi fi
if [ -f /etc/alpine-release ]; then grep -q Ubuntu /etc/lsb-release
apk add --update openssl if [ $? -eq 0 ]; then
elif [ -f /etc/centos-release ]; then echo "[${ME}] Installing openssl in Ubuntu"
yum -y install openssl
elif grep -q Ubuntu /etc/lsb-release; then
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get update apt-get update
apt-get -y install openssl apt-get -y install openssl
elif [ -f /etc/alpine-release ]; then
echo "[${ME}] Installing openssl in Alpine"
apk add --update openssl
elif [ -f /etc/centos-release ]; then
echo "[${ME}] Installing openssl in CentOS"
yum -y install openssl
fi fi
type openssl >/dev/null
if [ $? -ne 0 ]; then
echo "[${ME}] ERROR: Could not install openssl. Exitting."
exit 1
fi
set -e
} }
function start() { start() {
echo "[${ME}] Started in ${PWD} directory." echo "[${ME}] Started in ${PWD} directory."
install_openssl; install_openssl;
@ -176,11 +189,13 @@ function start() {
gen_ca; gen_ca;
fi fi
if ! openssl x509 -in "${CA_CERT}" -noout -checkend 2592000; then openssl x509 -in "${CA_CERT}" -noout -checkend 2592000 >/dev/null
if [ $? -ne 0 ]; then
echo "[${ME}] WARNING! Your CA certificate will expire in less than 30 days." echo "[${ME}] WARNING! Your CA certificate will expire in less than 30 days."
fi fi
if ! openssl x509 -in "${CA_CERT}" -noout -checkend 1; then openssl x509 -in "${CA_CERT}" -noout -checkend 1 >/dev/null
if [ $? -ne 0 ]; then
echo "[${ME}] WARNING! Your CA certificate has expired, so we will generate a new one." echo "[${ME}] WARNING! Your CA certificate has expired, so we will generate a new one."
gen_ca; gen_ca;
fi fi