make-cert.sh (3806B)
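#!/bin/sh
# make-cert.sh - issue a client or server certificate signed by the
# intermediate CA kept under ca/intermediate/current/.
#
# Usage: make-cert.sh <server|client> <fqdn> [<x509-subj-extra>...]
#   Any further arguments are joined with '/' and appended to the
#   certificate subject after the CN component.
#
# Environment:
#   ECC       "1" (default) signs with the ECC key and intermediate;
#             any other value uses the RSA pair instead.
#   PKCSPASS  password for the exported PKCS#12 bundle (default
#             "password"). It is handed to openssl through the
#             environment (-passout env:PKCSPASS) rather than on the
#             command line, so it is not visible in `ps` output or in
#             the `set -x` trace enabled below.
#   DAYS      validity of the issued certificate in days (default 730).
#
# Reads the subject fields C, ST and O from ca.country.txt,
# ca.state.txt and ca.organization.txt in the current directory.
# Writes both private keys, the CSR, the signed certificate and the
# PKCS#12 bundle to certs/<type>/<fqdn>/.

usage() {
  printf 'Usage: %s <server|client> <fqdn> <x509-subj-extra>...\n' "$0" >&2
  exit 1
}

# Abort when a CA subject file is empty or still holds PLACEHOLDER.
# $1 = file name (for the message), $2 = its contents.
require_field() {
  if [ "${2:-PLACEHOLDER}" = "PLACEHOLDER" ]; then
    printf 'Please fill in %s!\n' "$1" >&2
    exit 1
  fi
}

# 'shift 2' is fatal under dash when fewer than two arguments are given,
# so the usage message would never be reached; check the count first.
[ "$#" -ge 2 ] || usage

TYPE="$1"
DOMAIN="$2"
shift 2

case "$TYPE" in
  client|server) ;;
  *) usage ;;
esac

# The FQDN is used both as a path component under certs/ and as the CN;
# reject values that would escape certs/<type>/ or inject extra subject
# components.
case "$DOMAIN" in
  ''|*/*|.|..) usage ;;
esac

# Join the remaining arguments with '/' to form the tail of the subject.
# Each argument is kept intact (no word-splitting on embedded whitespace).
EXTRA=""
for part in "$@"; do
  if [ -z "$EXTRA" ]; then
    EXTRA="$part"
  else
    EXTRA="$EXTRA/$part"
  fi
done

ECC="${ECC:-1}"
PKCSPASS="${PKCSPASS:-password}"
DAYS="${DAYS:-730}"
export PKCSPASS   # consumed by 'openssl pkcs12 -passout env:PKCSPASS'

if [ "$ECC" = "1" ]; then
  ALG=ecc
  LABEL=ECC
else
  ALG=rsa
  LABEL=RSA
fi

set -ex

OUT="certs/$TYPE/$DOMAIN"
mkdir -p certs "certs/$TYPE" "$OUT"

C=$(cat ca.country.txt)
ST=$(cat ca.state.txt)
O=$(cat ca.organization.txt)
require_field ca.country.txt "$C"
require_field ca.state.txt "$ST"
require_field ca.organization.txt "$O"

SUBJ="/C=$C/ST=$ST/O=$O/CN=$DOMAIN"
if [ -n "$EXTRA" ]; then
  SUBJ="$SUBJ/$EXTRA"
fi

RSA_KEY="$OUT/$DOMAIN.rsa.key.pem"
ECC_KEY="$OUT/$DOMAIN.ecc.key.pem"
KEY="$OUT/$DOMAIN.$ALG.key.pem"
CSR="$OUT/$DOMAIN.$ALG.csr.pem"
CRT="$OUT/$DOMAIN.$ALG.crt.pem"
P12="$OUT/$DOMAIN.$ALG.pfx.p12"
CA_DIR=ca/intermediate/current
CA_CNF="$CA_DIR/openssl_usr.cnf"

# generate keys
# Create the key files with a restrictive umask so they are never
# world-readable, not even between creation and the chmod below. The
# umask is confined to a subshell so the CA database files rewritten by
# 'openssl ca' keep their usual permissions.
(
  umask 077
  openssl genrsa -out "$RSA_KEY" 4096
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$ECC_KEY"
)
chmod 600 "$RSA_KEY" "$ECC_KEY"

# generate the certificate
openssl req -config "$CA_CNF" -new -subj "$SUBJ" -key "$KEY" -out "$CSR"

openssl ca -config "$CA_CNF" \
  -cert "$CA_DIR/cert/intermediate.$ALG.crt.pem" \
  -keyfile "$CA_DIR/priv/intermediate.$ALG.key.pem" \
  -days "$DAYS" -notext -extensions "${TYPE}_cert" \
  -in "$CSR" -out "$CRT"
chmod 644 "$CRT"

# The bundle contains the private key, so it gets the same restrictive
# umask; the password is read from the environment instead of being
# passed as "pass:..." on the command line.
(
  umask 077
  openssl pkcs12 -export -passout env:PKCSPASS \
    -inkey "$KEY" -in "$CRT" -out "$P12"
)

# verify the certificate
openssl x509 -noout -text -in "$CRT"
openssl verify -CAfile "$CA_DIR/cert/ca-chain.pem" "$CRT"

# publish certificate
printf "NOTE: %s key is found in '%s'\n" "$LABEL" "$KEY"
printf "NOTE: %s certificate is found in '%s'\n" "$LABEL" "$CRT"
printf "NOTE: PKCS#12 file is found in '%s'\n" "$P12"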