diff --git a/README.md b/README.md
index 5b41d70..f14663f 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # gencert
-This script generates x509 server certificate (with all IPs in SAN) signed by a
-self-signed CA.
+This script generates x509 server certificate (with DNS and IP in SAN) signed
+by a self-signed CA.
 ## Purpose
@@ -17,8 +17,8 @@ to enable SSE-C (Server Side Encryption with Customer provided keys).
 ## How does this script work
-This script will always produce a self-signed x509 certificate with the IP
-addresses embedded to x509's SAN.
+This script will always produce a self-signed x509 certificate with the DNS and
+IP addresses embedded to x509's SAN.
 It will also produce a CA certificate and can be used by other services which
 may need to authenticate against this self-signed certificate.
@@ -29,6 +29,7 @@ used by the client in order to validate the server's certificate.
 - generate CA certificate if does not find any
 - always generate server certificate on startup to ensure all IP addresses are
 in x509 SAN
+- write CN to x509 SAN which is a must
 - warn if the CA certificate is about to expire (<30 days till expiration)
 - regenerate the CA certificate if it finds it has expired
diff --git a/gencert.sh b/gencert.sh
index a17c5ae..6d6c953 100755
--- a/gencert.sh
+++ b/gencert.sh
@@ -2,7 +2,7 @@
 # Filename: gencert.sh
 # Description: This script generates x509 server certificate (with all IPs in
 # SAN) signed by a self-signed CA.
-# Version: 1.3 - 2018 July 15
+# Version: 1.5 - 2018 October 12
 # Author: Andrey Arapov
 # License: GPLv3
@@ -239,13 +239,16 @@ keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
 [ v3_req_server ]
 basicConstraints = CA:FALSE
 keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth"
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[ alt_names ]
+DNS.1=${CN}"
 if [ ! -z "$SAN_IP" ]; then
 echo "[${ME}] Using user-provided SAN records: " ${SAN_IP}
 i=1
 IFS=,
-  PAYLOAD="subjectAltName = @alt_names\n[ alt_names ]\n$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
+  PAYLOAD="$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
 unset IFS
 elif [ -z "$NOSAN" ]; then
 # Gather IPs for SAN
@@ -254,7 +257,7 @@ extendedKeyUsage = serverAuth"
 IPS="$( (getent ahostsv4 $(hostname) 2>/dev/null || getent hosts $(hostname) 2>/dev/null) | awk '{print $1}' |sort | uniq)"
 echo "[${ME}] Found these IPs: " ${IPS}
-  PAYLOAD="subjectAltName = @alt_names\n[ alt_names ]\n$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
+  PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
 fi
 printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"
@@ -324,7 +327,7 @@ start() {
 echo "[${ME}] The certificates have been generated in ${PWD} directory."
 CERT_INFO="$(openssl x509 -in "${SERVER_CERT}" -noout -text)"
-  echo "${CERT_INFO}" | grep -E "CN=|IP Address|Not\ "
+  echo "${CERT_INFO}" | grep -E "CN=|DNS:|IP Address|Not\ "
 }
 # script starts here
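Review bot: `DNS.1=${CN}` writes the CN into the `[ alt_names ]` section unchecked, and the context of the -254 hunk shows the whole config is then emitted with `printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n"`, i.e. as the printf format string, so a `%` or backslash in CN is now interpreted by printf, a `$name` token would be expanded by OpenSSL's config parser, and an empty CN produces a bare `DNS.1=` that OpenSSL rejects. The `OPENSSL_CONFIG_CONTENT=` assignment that holds this line starts before the hunk and the origin of `CN` is not visible, so if CN can be operator-supplied it should be validated before that assignment, as in the block below. If CN may be an IP literal it belongs in an `IP.n` entry rather than `DNS.1`, because hostname-style validators do not match an IP peer against DNS SAN entries. The IP entries in `PAYLOAD` (both branches, also in the -254 hunk) now rely on `DNS.1=${CN}` being the last line of the config string so that they are appended to the same `[ alt_names ]` section; a comment such as `# PAYLOAD continues [ alt_names ]: keep DNS.1 the last line of this string` on that line would protect the coupling.
```shell
# CN is interpolated into the OpenSSL config and later passed through printf,
# so restrict it to hostname characters before building the config.
case "$CN" in
  ""|*[!A-Za-z0-9.-]*)
    echo "[${ME}] CN must be a non-empty hostname (letters, digits, '.', '-')" >&2
    exit 1 ;;
esac
# … unchanged: OPENSSL_CONFIG_CONTENT="…" assignment up to DNS.1=${CN} …
```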