|
|
|
@ -2,7 +2,7 @@
|
|
|
|
|
# Filename: gencert.sh
|
|
|
|
|
# Description: This script generates x509 server certificate (with all IPs in
|
|
|
|
|
# SAN) signed by a self-signed CA.
|
|
|
|
|
# Version: 1.3 - 2018 July 15
|
|
|
|
|
# Version: 1.5 - 2018 October 12
|
|
|
|
|
# Author: Andrey Arapov <andrey.arapov@nixaid.com>
|
|
|
|
|
# License: GPLv3
|
|
|
|
|
|
|
|
|
@ -239,13 +239,16 @@ keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
|
|
|
|
|
[ v3_req_server ]
|
|
|
|
|
basicConstraints = CA:FALSE
|
|
|
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
|
|
|
extendedKeyUsage = serverAuth"
|
|
|
|
|
extendedKeyUsage = serverAuth
|
|
|
|
|
subjectAltName = @alt_names
|
|
|
|
|
[ alt_names ]
|
|
|
|
|
DNS.1=${CN}"
|
|
|
|
|
|
|
|
|
|
if [ ! -z "$SAN_IP" ]; then
|
|
|
|
|
echo "[${ME}] Using user-provided SAN records: " ${SAN_IP}
|
|
|
|
|
i=1
|
|
|
|
|
IFS=,
|
|
|
|
|
PAYLOAD="subjectAltName = @alt_names\n[ alt_names ]\n$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
|
|
|
|
|
PAYLOAD="$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
|
|
|
|
|
unset IFS
|
|
|
|
|
elif [ -z "$NOSAN" ]; then
|
|
|
|
|
# Gather IPs for SAN
|
|
|
|
@ -254,7 +257,7 @@ extendedKeyUsage = serverAuth"
|
|
|
|
|
IPS="$( (getent ahostsv4 $(hostname) 2>/dev/null || getent hosts $(hostname) 2>/dev/null) | awk '{print $1}' |sort | uniq)"
|
|
|
|
|
|
|
|
|
|
echo "[${ME}] Found these IPs: " ${IPS}
|
|
|
|
|
PAYLOAD="subjectAltName = @alt_names\n[ alt_names ]\n$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
|
|
|
|
|
PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"
|
|
|
|
@ -324,7 +327,7 @@ start() {
|
|
|
|
|
echo "[${ME}] The certificates have been generated in ${PWD} directory."
|
|
|
|
|
|
|
|
|
|
CERT_INFO="$(openssl x509 -in "${SERVER_CERT}" -noout -text)"
|
|
|
|
|
echo "${CERT_INFO}" | grep -E "CN=|IP Address|Not\ "
|
|
|
|
|
echo "${CERT_INFO}" | grep -E "CN=|DNS:|IP Address|Not\ "
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# script starts here
|
|
|
|
|