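#!/bin/bash
# Generates all required TLS certificates and keys
#
# Usage: gen-certs.sh [regen|check]
#   regen  - delete certs/ first, then regenerate everything
#   check  - exit 0 without doing anything if certs/ already exists
#
# Output layout (relative to this script's directory):
#   certs/ca_server/  server root CA   (root-ca.key, root-ca.crt, root-ca.der)
#   certs/ca_client/  client root CA   (same files)
#   certs/server/     server leaf cert signed by the server root CA
#   certs/client*/    one directory per gen-cert-conf/client*.conf, each holding
#                     a client leaf cert signed by the client root CA
#
# -e lives in `set` rather than the shebang so it survives `bash gen-certs.sh`.
set -eu

readonly CERT_DAYS=1024
readonly KEY_BITS=4096

#######################################
# Generate a self-signed root CA in the current directory.
# Arguments: $1 - subject, as an openssl -subj string
# Outputs:   root-ca.key, root-ca.crt, root-ca.der in the current directory
# Returns:   non-zero (via set -e) if any openssl step fails
#######################################
gen_root_ca() {
  local subject=$1
  openssl genrsa -out root-ca.key "$KEY_BITS"
  chmod 600 root-ca.key  # CA signing key: make sure it is owner-only regardless of umask
  openssl req -x509 -new -nodes -subj "$subject" \
    -key root-ca.key -sha256 -days "$CERT_DAYS" -out root-ca.crt
  openssl x509 -outform der -in root-ca.crt -out root-ca.der
}

#######################################
# Generate a leaf key and CSR, sign it with a CA, and bundle key+cert as PKCS#12.
# Arguments: $1 - base name of the output files (e.g. server, client)
#            $2 - config file whose [san] section goes into the CSR
#            $3 - config file whose [san] section the CA applies when signing
#                 (x509 -req takes extensions from -extfile, not from the CSR)
#            $4 - directory holding the signing CA's root-ca.crt / root-ca.key
# Outputs:   $1.key, $1.csr, $1.crt, $1.p12 in the current directory;
#            a .srl serial file next to the CA key (created by -CAcreateserial)
#######################################
gen_leaf_cert() {
  local name=$1 req_conf=$2 ext_conf=$3 ca_dir=$4
  openssl genrsa -out "$name.key" "$KEY_BITS"
  chmod 600 "$name.key"
  openssl req -new -key "$name.key" -out "$name.csr" \
    -reqexts san -config "$req_conf" -extensions san
  openssl x509 -req -in "$name.csr" -CA "$ca_dir/root-ca.crt" -CAkey "$ca_dir/root-ca.key" \
    -CAcreateserial -out "$name.crt" -days "$CERT_DAYS" -sha256 \
    -extfile "$ext_conf" -extensions san
  # The bundle is exported with an empty password, so it carries the private
  # key unprotected; keep it owner-only like the raw key file.
  openssl pkcs12 -export -inkey "$name.key" -in "$name.crt" -out "$name.p12" -password pass:
  chmod 600 "$name.p12"
}

#######################################
# Entry point: handle the optional mode argument, lay out certs/ and generate
# both CAs, the server cert and every client cert.
# Arguments: $1 - optional mode, "regen" or "check" (see file header)
#######################################
main() {
  local mode=${1-}
  cd "$(dirname -- "$0")"
  local project_dir
  project_dir=$(realpath .)
  local conf_dir="$project_dir/gen-cert-conf"

  if [[ "$mode" == "regen" ]]; then
    echo "Cleaning old certs"
    rm -rf -- certs/  # -f: regen must also work when certs/ is not there yet
  fi
  if [[ "$mode" == "check" && -d certs/ ]]; then
    echo "Output directory certs/ already exists"
    exit 0
  fi

  # Create directories
  mkdir -- certs
  cd certs
  mkdir -- ca_server ca_client server
  local d b
  for d in "$conf_dir"/client*; do  # one directory per client config
    [[ -e "$d" ]] || continue  # no client configs: the unmatched glob stays literal
    b=$(basename -- "$d")
    mkdir -- "${b%%.*}"
  done

  echo "Server root CA"
  ( cd ca_server && gen_root_ca '/CN=ServerRootCA/O=Server root CA./C=US' )
  echo "Client root CA"
  ( cd ca_client && gen_root_ca '/CN=ClientRootCA/O=Client root CA./C=US' )

  echo "Server"
  ( cd server && gen_leaf_cert server "$conf_dir/server.conf" "$conf_dir/server.conf" ../ca_server )

  for d in client*; do
    [[ -d "$d" ]] || continue  # no client directories were created above
    echo "Client $d"
    # NOTE(review): the client CSR requests the [san] section of $d.conf, but the
    # issued certificate takes its extensions from server.conf (the CA ignores
    # CSR extensions). Kept as in the original; confirm whether $d.conf was
    # intended as the -extfile here.
    ( cd "$d" && gen_leaf_cert client "$conf_dir/$d.conf" "$conf_dir/server.conf" ../ca_client )
  done

  # Cleanup: CSRs and CA serial files are not needed by consumers
  rm -- */*.csr */*.srl
  echo "Done"
}

main "$@"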