arno
/
gencert
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add ability to specify RSA key instead of ECDSA

Browse Source
master
Andy 6 years ago
parent 6b47f6be4d
commit 63771f9837
Signed by: arno
GPG Key ID: 9076D5E6B31AE99C
2 changed files with 61 additions and 23 deletions
Show Stats Download Patch File Download Diff File

62
gencert.sh
Unescape View File

@ -2,7 +2,7 @@
# Filename: gencert.sh # Filename: gencert.sh
# Description: This script generates x509 server certificate (with all IPs in # Description: This script generates x509 server certificate (with all IPs in
# SAN) signed by a self-signed CA. # SAN) signed by a self-signed CA.
# Version: 1.2 - 2018 July 15 # Version: 1.3 - 2018 July 15
# Author: Andrey Arapov <andrey.arapov@nixaid.com> # Author: Andrey Arapov <andrey.arapov@nixaid.com>
# License: GPLv3 # License: GPLv3
@ -10,16 +10,18 @@ ME=$(printf '%s\n' "${0##*/}")
print_help() { print_help() {
printf "[${ME}] HELP: I accept following arguments: printf "[${ME}] HELP: I accept following arguments:
--help - show this message --help - show this message
--cn - certificate's CN name\t\t(MANDATORY) --cn - certificate's CN name\t\t(MANDATORY)
--key - server key name\t\t\t(default: private.key) --key - server key name\t\t\t(default: private.key)
--cert - server cert name\t\t\t(default: public.crt) --cert - server cert name\t\t\t(default: public.crt)
--days - server cert expiration in days\t(default: 365) --days - server cert expiration in days\t(default: 365)
--cakey - CA key name\t\t\t(default: ca.key) --cakey - CA key name\t\t\t(default: ca.key)
--ca - CA cert name\t\t\t(default: ca.crt) --ca - CA cert name\t\t\t(default: ca.crt)
--cadays - CA cert expiration in days\t(default: 3650)\n --cadays - CA cert expiration in days\t(default: 3650)\n
--nosan - do not write SAN records\n --nosan - do not write SAN records\n
--debug - show extra information\n" --debug - show extra information\n
--rsa - generate RSA keys instead of ECDSA\n
--rsa-size - set RSA key size\n"
} }
# Parse command line arguments # Parse command line arguments
@ -31,7 +33,7 @@ parse_arguments() {
# read arguments # read arguments
opts=$(getopt \ opts=$(getopt \
--longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,debug" \ --longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,debug,rsa,rsa-size:" \
--name "$(basename "$0")" \ --name "$(basename "$0")" \
--options "" \ --options "" \
-- "$@" -- "$@"
@ -83,11 +85,21 @@ parse_arguments() {
--nosan) --nosan)
ARG_NOSAN=1 ARG_NOSAN=1
shift 2 shift 1
;; ;;
--debug) --debug)
ARG_DEBUG=1 ARG_DEBUG=1
shift 1
;;
--rsa)
ARG_RSA=1
shift 1
;;
--rsa-size)
ARG_RSA_SIZE=$2
shift 2 shift 2
;; ;;
@ -104,7 +116,7 @@ parse_arguments() {
fi fi
# For debugging purposes # For debugging purposes
if [ $ARG_DEBUG -eq 1 ]; then if [ "${ARG_DEBUG}" -eq 1 ]; then
echo ARG_CN=$ARG_CN echo ARG_CN=$ARG_CN
echo ARG_KEY=$ARG_KEY echo ARG_KEY=$ARG_KEY
echo ARG_CERT=$ARG_CERT echo ARG_CERT=$ARG_CERT
@ -114,18 +126,24 @@ parse_arguments() {
echo ARG_CADAYS=$ARG_CADAYS echo ARG_CADAYS=$ARG_CADAYS
echo ARG_NOSAN=$ARG_NOSAN echo ARG_NOSAN=$ARG_NOSAN
echo ARG_DEBUG=$ARG_DEBUG echo ARG_DEBUG=$ARG_DEBUG
echo ARG_RSA=$ARG_RSA
echo ARG_RSA_SIZE=$ARG_RSA_SIZE
fi fi
# prepare common variables # prepare common variables
## ##
OPENSSL_CONFIG="openssl.cnf" OPENSSL_CONFIG="openssl.cnf"
CN="${ARG_CN}"
CA_KEY="${ARG_CAKEY:-ca.key}" CA_KEY="${ARG_CAKEY:-ca.key}"
CA_CERT="${ARG_CA:-ca.crt}" CA_CERT="${ARG_CA:-ca.crt}"
CA_DAYS="${ARG_CADAYS:-3650}" CA_DAYS="${ARG_CADAYS:-3650}"
SERVER_KEY="${ARG_KEY:-private.key}" SERVER_KEY="${ARG_KEY:-private.key}"
SERVER_CERT="${ARG_CERT:-public.crt}" SERVER_CERT="${ARG_CERT:-public.crt}"
DAYS="${ARG_DAYS:-365}" DAYS="${ARG_DAYS:-365}"
DEBUG="${ARG_DEBUG}"
RSA="${ARG_RSA}"
RSA_SIZE="${ARG_RSA_SIZE:-2048}"
} }
# install openssl # install openssl
@ -214,7 +232,7 @@ basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth" extendedKeyUsage = serverAuth"
if [ -z $ARG_NOSAN ]; then if [ -z "$ARG_NOSAN" ]; then
# Gather IPs for SAN # Gather IPs for SAN
i=1 i=1
@ -232,7 +250,11 @@ extendedKeyUsage = serverAuth"
gen_ca() { gen_ca() {
echo "[${ME}] Generating new CA: ${CA_KEY} / ${CA_CERT} ..." echo "[${ME}] Generating new CA: ${CA_KEY} / ${CA_CERT} ..."
openssl ecparam -name prime256v1 -genkey -noout -out "${CA_KEY}" if [ -z "${RSA}" ]; then
openssl ecparam -name prime256v1 -genkey -noout -out "${CA_KEY}"
else
openssl genrsa -out "${CA_KEY}" "${RSA_SIZE}"
fi
chmod 0600 "${CA_KEY}" chmod 0600 "${CA_KEY}"
openssl req -x509 -new -sha256 -nodes -key "${CA_KEY}" -days "${CA_DAYS}" -out "${CA_CERT}" \ openssl req -x509 -new -sha256 -nodes -key "${CA_KEY}" -days "${CA_DAYS}" -out "${CA_CERT}" \
-subj "/CN=my-CA" -extensions v3_ca -config "${OPENSSL_CONFIG}" -subj "/CN=my-CA" -extensions v3_ca -config "${OPENSSL_CONFIG}"
@ -243,9 +265,13 @@ gen_ca() {
gen_server_x509() { gen_server_x509() {
echo "[${ME}] Generating new server x509: ${SERVER_KEY} / ${SERVER_CERT} ..." echo "[${ME}] Generating new server x509: ${SERVER_KEY} / ${SERVER_CERT} ..."
openssl ecparam -name prime256v1 -genkey -noout -out "${SERVER_KEY}" if [ -z "${RSA}" ]; then
openssl ecparam -name prime256v1 -genkey -noout -out "${SERVER_KEY}"
else
openssl genrsa -out "${SERVER_KEY}" "${RSA_SIZE}"
fi
chmod 0600 "${SERVER_KEY}" chmod 0600 "${SERVER_KEY}"
openssl req -new -sha256 -key "${SERVER_KEY}" -subj "/CN=${ARG_CN}" \ openssl req -new -sha256 -key "${SERVER_KEY}" -subj "/CN=${CN}" \
| openssl x509 -req -sha256 -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial \ | openssl x509 -req -sha256 -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial \
-out ${SERVER_CERT} -days "${DAYS}" \ -out ${SERVER_CERT} -days "${DAYS}" \
-extensions v3_req_server -extfile "${OPENSSL_CONFIG}" -extensions v3_req_server -extfile "${OPENSSL_CONFIG}"

22
testme.sh
Unescape View File

@ -1,5 +1,19 @@
#!/bin/bash #!/bin/bash
set -e
trap handle_term SIGINT SIGTERM
handle_term() {
echo "** Received SIGINT/SIGTERM signal"
cleanup;
}
cleanup() {
echo "** Cleaning up ..."
echo "WARNING, I am going to remove ${TMPDIR} entirely in 5 seconds!"
sleep 5
rm -rf "${TMPDIR}"
exit 0;
}
TMPDIR="$(mktemp -d)" TMPDIR="$(mktemp -d)"
cp -v gencert.sh "${TMPDIR}/" cp -v gencert.sh "${TMPDIR}/"
@ -8,11 +22,9 @@ pushd "${TMPDIR}"
for DISTRO in alpine:3.4 alpine:3.7 ubuntu:bionic debian:stretch centos:7; do for DISTRO in alpine:3.4 alpine:3.7 ubuntu:bionic debian:stretch centos:7; do
printf "\n\n\nTesting the script with ${DISTRO} ...\n\n\n" printf "\n\n\nTesting the script with ${DISTRO} ...\n\n\n"
rm -vf openssl.cnf private.key public.crt ca.crt ca.key ca.srl rm -vf openssl.cnf private.key public.crt ca.crt ca.key ca.srl
docker run --rm -ti -v ${PWD}:/w -w /w ${DISTRO} sh gencert.sh --cn test.example.com --debug docker run --rm -t -v ${PWD}:/w -w /w ${DISTRO} sh gencert.sh --cn test.example.com $@
printf "\n\n\n" printf "\n\n\n"
done done
popd popd
echo "WARNING, I am going to remove ${TMPDIR} entirely in 5 seconds!" cleanup;
sleep 5
rm -rf "${TMPDIR}"

Write Preview
Loading…
Cancel
Save