write CN as DNS in x509 SAN

README.md

@@ -1,7 +1,7 @@
 # gencert
 
-This script generates x509 server certificate (with all IPs in SAN) signed by a
-self-signed CA.
+This script generates x509 server certificate (with DNS and IP in SAN) signed
+by a self-signed CA.
 
 ## Purpose
 
@@ -17,8 +17,8 @@ to enable SSE-C (Server Side Encryption with Customer provided keys).
 
 ## How does this script work
 
-This script will always produce a self-signed x509 certificate with the IP
-addresses embedded to x509's SAN.
+This script will always produce a self-signed x509 certificate with the DNS and
+IP addresses embedded to x509's SAN.
 
 It will also produce a CA certificate and can be used by other services
 which may need to authenticate against this self-signed certificate.
@@ -29,6 +29,7 @@ used by the client in order to validate the server's certificate.
 - generate CA certificate if does not find any
 - always generate server certificate on startup to ensure all IP addresses
   are in x509 SAN
+- write CN to x509 SAN which is a must
 - warn if the CA certificate is about to expire (<30 days till expiration)
 - regenerate the CA certificate if it finds it has expired
 

gencert.sh

@@ -2,7 +2,7 @@
 # Filename: gencert.sh
 # Description: This script generates x509 server certificate (with all IPs in
 #              SAN) signed by a self-signed CA.
-# Version: 1.3 - 2018 July 15
+# Version: 1.5 - 2018 October 12
 # Author: Andrey Arapov <andrey.arapov@nixaid.com>
 # License: GPLv3
 
@@ -19,6 +19,7 @@ print_help() {
   --ca        - CA cert name\t\t\t(default: ca.crt)
   --cadays    - CA cert expiration in days\t(default: 3650)\n
   --nosan     - do not write SAN records\n
+  --san-ip    - specify custom SAN IP records manually. Implies --nosan\n
   --debug     - show extra information\n
   --rsa       - generate RSA keys instead of ECDSA\n
   --rsa-size  - set RSA key size\n"
@@ -33,7 +34,7 @@ parse_arguments() {
   
   # read arguments
   opts=$(getopt \
-      --longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,debug,rsa,rsa-size:" \
+      --longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,san-ip:,debug,rsa,rsa-size:" \
       --name "$(basename "$0")" \
       --options "" \
       -- "$@"
@@ -88,6 +89,11 @@ parse_arguments() {
         shift 1
         ;;
 
+      --san-ip)
+        ARG_SAN_IP=$2
+        shift 2
+        ;;
+
       --debug)
         ARG_DEBUG=1
         shift 1
@@ -108,28 +114,7 @@ parse_arguments() {
         ;;
     esac
   done
-  
-  if [ -z "${ARG_CN}" ]; then
-    echo "[${ME}] ERROR: Please specify CN, example \"--cn your.site.com\""
-    print_help;
-    exit 1
-  fi
-  
-  # For debugging purposes
-  if [ "${ARG_DEBUG}" -eq 1 ]; then
-    echo ARG_CN=$ARG_CN
-    echo ARG_KEY=$ARG_KEY
-    echo ARG_CERT=$ARG_CERT
-    echo ARG_DAYS=$ARG_DAYS
-    echo ARG_CAKEY=$ARG_CAKEY
-    echo ARG_CA=$ARG_CA
-    echo ARG_CADAYS=$ARG_CADAYS
-    echo ARG_NOSAN=$ARG_NOSAN
-    echo ARG_DEBUG=$ARG_DEBUG
-    echo ARG_RSA=$ARG_RSA
-    echo ARG_RSA_SIZE=$ARG_RSA_SIZE
-  fi
-  
+
   #  prepare common variables
   ##
   
@@ -141,9 +126,33 @@ parse_arguments() {
   SERVER_KEY="${ARG_KEY:-private.key}"
   SERVER_CERT="${ARG_CERT:-public.crt}"
   DAYS="${ARG_DAYS:-365}"
+  NOSAN="${ARG_NOSAN}"
+  SAN_IP="${ARG_SAN_IP}"
   DEBUG="${ARG_DEBUG}"
   RSA="${ARG_RSA}"
   RSA_SIZE="${ARG_RSA_SIZE:-2048}"
+
+  if [ -z "${CN}" ]; then
+    echo "[${ME}] ERROR: Please specify CN, example \"--cn your.site.com\""
+    print_help;
+    exit 1
+  fi
+
+  # For debugging purposes
+  if [ "${DEBUG}" -eq 1 ]; then
+    echo CN=$CN
+    echo KEY=$KEY
+    echo CERT=$CERT
+    echo DAYS=$DAYS
+    echo CAKEY=$CAKEY
+    echo CA=$CA
+    echo CADAYS=$CADAYS
+    echo NOSAN=$NOSAN
+    echo SAN_IP=$SAN_IP
+    echo DEBUG=$DEBUG
+    echo RSA=$RSA
+    echo RSA_SIZE=$RSA_SIZE
+  fi
 }
 
 #  install openssl
@@ -230,16 +239,25 @@ keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
 [ v3_req_server ]
 basicConstraints = CA:FALSE
 keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth"
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[ alt_names ]
+DNS.1=${CN}"
 
-  if [ -z "$ARG_NOSAN" ]; then
+  if [ ! -z "$SAN_IP" ]; then
+    echo "[${ME}] Using user-provided SAN records: " ${SAN_IP}
+    i=1
+    IFS=,
+    PAYLOAD="$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
+    unset IFS
+  elif [ -z "$NOSAN" ]; then
     # Gather IPs for SAN
     
     i=1
     IPS="$( (getent ahostsv4 $(hostname) 2>/dev/null || getent hosts $(hostname) 2>/dev/null) | awk '{print $1}' |sort | uniq)"
 
     echo "[${ME}] Found these IPs: " ${IPS}
-    PAYLOAD="subjectAltName = @alt_names\n[ alt_names ]\n$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
+    PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
   fi
   
   printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"
@@ -309,7 +327,7 @@ start() {
   echo "[${ME}] The certificates have been generated in ${PWD} directory."
 
   CERT_INFO="$(openssl x509 -in "${SERVER_CERT}" -noout -text)"
-  echo "${CERT_INFO}" | grep -E "CN=|IP Address|Not\ "
+  echo "${CERT_INFO}" | grep -E "CN=|DNS:|IP Address|Not\ "
 }
 
 #  script starts here