add ability to specify RSA key instead of ECDSA
This commit is contained in:
parent
6b47f6be4d
commit
63771f9837
40
gencert.sh
40
gencert.sh
@ -2,7 +2,7 @@
|
|||||||
# Filename: gencert.sh
|
# Filename: gencert.sh
|
||||||
# Description: This script generates x509 server certificate (with all IPs in
|
# Description: This script generates x509 server certificate (with all IPs in
|
||||||
# SAN) signed by a self-signed CA.
|
# SAN) signed by a self-signed CA.
|
||||||
# Version: 1.2 - 2018 July 15
|
# Version: 1.3 - 2018 July 15
|
||||||
# Author: Andrey Arapov <andrey.arapov@nixaid.com>
|
# Author: Andrey Arapov <andrey.arapov@nixaid.com>
|
||||||
# License: GPLv3
|
# License: GPLv3
|
||||||
|
|
||||||
@ -19,7 +19,9 @@ print_help() {
|
|||||||
--ca - CA cert name\t\t\t(default: ca.crt)
|
--ca - CA cert name\t\t\t(default: ca.crt)
|
||||||
--cadays - CA cert expiration in days\t(default: 3650)\n
|
--cadays - CA cert expiration in days\t(default: 3650)\n
|
||||||
--nosan - do not write SAN records\n
|
--nosan - do not write SAN records\n
|
||||||
--debug - show extra information\n"
|
--debug - show extra information\n
|
||||||
|
--rsa - generate RSA keys instead of ECDSA\n
|
||||||
|
--rsa-size - set RSA key size\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Parse command line arguments
|
# Parse command line arguments
|
||||||
@ -31,7 +33,7 @@ parse_arguments() {
|
|||||||
|
|
||||||
# read arguments
|
# read arguments
|
||||||
opts=$(getopt \
|
opts=$(getopt \
|
||||||
--longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,debug" \
|
--longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,debug,rsa,rsa-size:" \
|
||||||
--name "$(basename "$0")" \
|
--name "$(basename "$0")" \
|
||||||
--options "" \
|
--options "" \
|
||||||
-- "$@"
|
-- "$@"
|
||||||
@ -83,11 +85,21 @@ parse_arguments() {
|
|||||||
|
|
||||||
--nosan)
|
--nosan)
|
||||||
ARG_NOSAN=1
|
ARG_NOSAN=1
|
||||||
shift 2
|
shift 1
|
||||||
;;
|
;;
|
||||||
|
|
||||||
--debug)
|
--debug)
|
||||||
ARG_DEBUG=1
|
ARG_DEBUG=1
|
||||||
|
shift 1
|
||||||
|
;;
|
||||||
|
|
||||||
|
--rsa)
|
||||||
|
ARG_RSA=1
|
||||||
|
shift 1
|
||||||
|
;;
|
||||||
|
|
||||||
|
--rsa-size)
|
||||||
|
ARG_RSA_SIZE=$2
|
||||||
shift 2
|
shift 2
|
||||||
;;
|
;;
|
||||||
|
|
||||||
@ -104,7 +116,7 @@ parse_arguments() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# For debugging purposes
|
# For debugging purposes
|
||||||
if [ $ARG_DEBUG -eq 1 ]; then
|
if [ "${ARG_DEBUG}" -eq 1 ]; then
|
||||||
echo ARG_CN=$ARG_CN
|
echo ARG_CN=$ARG_CN
|
||||||
echo ARG_KEY=$ARG_KEY
|
echo ARG_KEY=$ARG_KEY
|
||||||
echo ARG_CERT=$ARG_CERT
|
echo ARG_CERT=$ARG_CERT
|
||||||
@ -114,18 +126,24 @@ parse_arguments() {
|
|||||||
echo ARG_CADAYS=$ARG_CADAYS
|
echo ARG_CADAYS=$ARG_CADAYS
|
||||||
echo ARG_NOSAN=$ARG_NOSAN
|
echo ARG_NOSAN=$ARG_NOSAN
|
||||||
echo ARG_DEBUG=$ARG_DEBUG
|
echo ARG_DEBUG=$ARG_DEBUG
|
||||||
|
echo ARG_RSA=$ARG_RSA
|
||||||
|
echo ARG_RSA_SIZE=$ARG_RSA_SIZE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# prepare common variables
|
# prepare common variables
|
||||||
##
|
##
|
||||||
|
|
||||||
OPENSSL_CONFIG="openssl.cnf"
|
OPENSSL_CONFIG="openssl.cnf"
|
||||||
|
CN="${ARG_CN}"
|
||||||
CA_KEY="${ARG_CAKEY:-ca.key}"
|
CA_KEY="${ARG_CAKEY:-ca.key}"
|
||||||
CA_CERT="${ARG_CA:-ca.crt}"
|
CA_CERT="${ARG_CA:-ca.crt}"
|
||||||
CA_DAYS="${ARG_CADAYS:-3650}"
|
CA_DAYS="${ARG_CADAYS:-3650}"
|
||||||
SERVER_KEY="${ARG_KEY:-private.key}"
|
SERVER_KEY="${ARG_KEY:-private.key}"
|
||||||
SERVER_CERT="${ARG_CERT:-public.crt}"
|
SERVER_CERT="${ARG_CERT:-public.crt}"
|
||||||
DAYS="${ARG_DAYS:-365}"
|
DAYS="${ARG_DAYS:-365}"
|
||||||
|
DEBUG="${ARG_DEBUG}"
|
||||||
|
RSA="${ARG_RSA}"
|
||||||
|
RSA_SIZE="${ARG_RSA_SIZE:-2048}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# install openssl
|
# install openssl
|
||||||
@ -214,7 +232,7 @@ basicConstraints = CA:FALSE
|
|||||||
keyUsage = critical, digitalSignature, keyEncipherment
|
keyUsage = critical, digitalSignature, keyEncipherment
|
||||||
extendedKeyUsage = serverAuth"
|
extendedKeyUsage = serverAuth"
|
||||||
|
|
||||||
if [ -z $ARG_NOSAN ]; then
|
if [ -z "$ARG_NOSAN" ]; then
|
||||||
# Gather IPs for SAN
|
# Gather IPs for SAN
|
||||||
|
|
||||||
i=1
|
i=1
|
||||||
@ -232,7 +250,11 @@ extendedKeyUsage = serverAuth"
|
|||||||
|
|
||||||
gen_ca() {
|
gen_ca() {
|
||||||
echo "[${ME}] Generating new CA: ${CA_KEY} / ${CA_CERT} ..."
|
echo "[${ME}] Generating new CA: ${CA_KEY} / ${CA_CERT} ..."
|
||||||
|
if [ -z "${RSA}" ]; then
|
||||||
openssl ecparam -name prime256v1 -genkey -noout -out "${CA_KEY}"
|
openssl ecparam -name prime256v1 -genkey -noout -out "${CA_KEY}"
|
||||||
|
else
|
||||||
|
openssl genrsa -out "${CA_KEY}" "${RSA_SIZE}"
|
||||||
|
fi
|
||||||
chmod 0600 "${CA_KEY}"
|
chmod 0600 "${CA_KEY}"
|
||||||
openssl req -x509 -new -sha256 -nodes -key "${CA_KEY}" -days "${CA_DAYS}" -out "${CA_CERT}" \
|
openssl req -x509 -new -sha256 -nodes -key "${CA_KEY}" -days "${CA_DAYS}" -out "${CA_CERT}" \
|
||||||
-subj "/CN=my-CA" -extensions v3_ca -config "${OPENSSL_CONFIG}"
|
-subj "/CN=my-CA" -extensions v3_ca -config "${OPENSSL_CONFIG}"
|
||||||
@ -243,9 +265,13 @@ gen_ca() {
|
|||||||
|
|
||||||
gen_server_x509() {
|
gen_server_x509() {
|
||||||
echo "[${ME}] Generating new server x509: ${SERVER_KEY} / ${SERVER_CERT} ..."
|
echo "[${ME}] Generating new server x509: ${SERVER_KEY} / ${SERVER_CERT} ..."
|
||||||
|
if [ -z "${RSA}" ]; then
|
||||||
openssl ecparam -name prime256v1 -genkey -noout -out "${SERVER_KEY}"
|
openssl ecparam -name prime256v1 -genkey -noout -out "${SERVER_KEY}"
|
||||||
|
else
|
||||||
|
openssl genrsa -out "${SERVER_KEY}" "${RSA_SIZE}"
|
||||||
|
fi
|
||||||
chmod 0600 "${SERVER_KEY}"
|
chmod 0600 "${SERVER_KEY}"
|
||||||
openssl req -new -sha256 -key "${SERVER_KEY}" -subj "/CN=${ARG_CN}" \
|
openssl req -new -sha256 -key "${SERVER_KEY}" -subj "/CN=${CN}" \
|
||||||
| openssl x509 -req -sha256 -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial \
|
| openssl x509 -req -sha256 -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial \
|
||||||
-out ${SERVER_CERT} -days "${DAYS}" \
|
-out ${SERVER_CERT} -days "${DAYS}" \
|
||||||
-extensions v3_req_server -extfile "${OPENSSL_CONFIG}"
|
-extensions v3_req_server -extfile "${OPENSSL_CONFIG}"
|
||||||
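Review bot: `--rsa-size` is taken straight from `$2` into ARG_RSA_SIZE and then passed as-is to `openssl genrsa -out "${CA_KEY}" "${RSA_SIZE}"` in gen_ca and gen_server_x509, so `--rsa-size 512` silently yields a weak CA and server key and a non-numeric value only fails inside openssl (whether that aborts the script depends on a `set -e` that is not visible in this hunk). Because testme.sh runs the script as `sh gencert.sh`, the check should be POSIX: a `case`/`[` guard right after `RSA_SIZE="${ARG_RSA_SIZE:-2048}"` in parse_arguments that rejects non-integers and anything below 2048, as sketched below. Note also that `--rsa-size` given without `--rsa` is silently ignored, since both generators branch only on `${RSA}`, and the new help line could carry its default like its neighbours: `--rsa-size - set RSA key size\t\t(default: 2048)\n"`. parse_arguments begins outside this hunk.
```shell
RSA_SIZE="${ARG_RSA_SIZE:-2048}"
# Validate before the value reaches openssl genrsa; POSIX sh only, the script runs under sh
case "${RSA_SIZE}" in
  ''|*[!0-9]*)
    echo "[${ME}] --rsa-size must be a positive integer, got '${RSA_SIZE}'" >&2
    exit 1
    ;;
esac
if [ "${RSA_SIZE}" -lt 2048 ]; then
  echo "[${ME}] --rsa-size ${RSA_SIZE} is below the 2048-bit minimum" >&2
  exit 1
fi
```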
|
22
testme.sh
22
testme.sh
@ -1,5 +1,19 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -e
|
|
||||||
|
trap handle_term SIGINT SIGTERM
|
||||||
|
|
||||||
|
handle_term() {
|
||||||
|
echo "** Received SIGINT/SIGTERM signal"
|
||||||
|
cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
cleanup() {
|
||||||
|
echo "** Cleaning up ..."
|
||||||
|
echo "WARNING, I am going to remove ${TMPDIR} entirely in 5 seconds!"
|
||||||
|
sleep 5
|
||||||
|
rm -rf "${TMPDIR}"
|
||||||
|
exit 0;
|
||||||
|
}
|
||||||
|
|
||||||
TMPDIR="$(mktemp -d)"
|
TMPDIR="$(mktemp -d)"
|
||||||
cp -v gencert.sh "${TMPDIR}/"
|
cp -v gencert.sh "${TMPDIR}/"
|
||||||
@ -8,11 +22,9 @@ pushd "${TMPDIR}"
|
|||||||
for DISTRO in alpine:3.4 alpine:3.7 ubuntu:bionic debian:stretch centos:7; do
|
for DISTRO in alpine:3.4 alpine:3.7 ubuntu:bionic debian:stretch centos:7; do
|
||||||
printf "\n\n\nTesting the script with ${DISTRO} ...\n\n\n"
|
printf "\n\n\nTesting the script with ${DISTRO} ...\n\n\n"
|
||||||
rm -vf openssl.cnf private.key public.crt ca.crt ca.key ca.srl
|
rm -vf openssl.cnf private.key public.crt ca.crt ca.key ca.srl
|
||||||
docker run --rm -ti -v ${PWD}:/w -w /w ${DISTRO} sh gencert.sh --cn test.example.com --debug
|
docker run --rm -t -v ${PWD}:/w -w /w ${DISTRO} sh gencert.sh --cn test.example.com $@
|
||||||
printf "\n\n\n"
|
printf "\n\n\n"
|
||||||
done
|
done
|
||||||
|
|
||||||
popd
|
popd
|
||||||
echo "WARNING, I am going to remove ${TMPDIR} entirely in 5 seconds!"
|
cleanup;
|
||||||
sleep 5
|
|
||||||
rm -rf "${TMPDIR}"
|
|
||||||
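Review bot: `trap handle_term SIGINT SIGTERM` is installed at the top of the script, before `TMPDIR="$(mktemp -d)"` has run, so a Ctrl-C in that window makes `cleanup` execute `rm -rf "${TMPDIR}"` against whatever TMPDIR the script inherited from the environment — commonly a real temp directory — instead of the scratch directory it meant to remove. Move the `trap` line to directly after the mktemp assignment and guard the removal so an unset or empty value can never be expanded: `rm -rf -- "${TMPDIR:?}"`. Reusing the well-known TMPDIR name for a script-local path is what makes the collision possible; a distinct name such as WORKDIR would remove it entirely. Separately, `$@` on the `docker run` line should be `"$@"` so test arguments containing spaces reach gencert.sh intact, and `cleanup`'s unconditional `exit 0` makes an interrupted run look successful.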
|