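#! /bin/bash --posix
# make-cert: Make a signed certificate for a user/service that may be used to
# authenticate the user and grant access to methods.
#
# Usage: make-cert signing-key newkey serial username [methods]
#
# Arguments:
#   signing-key  basename of the CA pair: <signing-key>.pem (certificate) and
#                <signing-key>.key.pem (private key) must both be readable.
#   newkey       basename of the files created here: <newkey>.key.pem,
#                <newkey>.csr and <newkey>.pem.
#   serial       certificate serial number, or "AUTO" to read and increment
#                the .serial file in the current directory.
#   username     becomes the subject, /CN=<username>.
#   methods      optional: either a readable file of newline-separated method
#                names, or a comma-separated list of method names. They are
#                written into a private extension (OID 1.3.6.1.4.1.9586.100.7.1).
# Environment:
#   KEY_LIFETIME  validity period in days (default 1096).
# Files:
#   The private key is created under umask 077 (owner-only); the signed
#   certificate is made world-readable. The temporary extension file is
#   removed on every exit path. Exits 1 on any failure.
umask 077
set -o noglob
set -o nounset

# Print a diagnostic to stderr and exit with status 1.
# Arguments: $* - message
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print the usage text to stderr and exit with status 1.
usage() {
  cat >&2 <<'EOF'
Usage: make-cert signing-key newkey serial username [methods]
 methods: an optional filename of a file containing newline-separated
 method names or a comma-separated list of method names
If serial="AUTO" then the serial numbers are auto-incremented and use
the .serial file to maintain state.
EOF
  exit 1
}

if [ "$#" -lt 4 ] || [ "$#" -gt 5 ]; then
  usage
fi
readonly signing_key="$1"
readonly newkey="$2"
KEY_LIFETIME=${KEY_LIFETIME:-1096}

if [ "$3" = "AUTO" ]; then
  # NOTE: .serial is read-modify-written without locking, so two concurrent
  # AUTO runs in the same directory could issue the same serial number.
  if [ -r .serial ]; then
    old_serial=$(< .serial)
  else
    old_serial=1
  fi
  # Arithmetic expansion evaluates whatever it is given, so refuse anything
  # that is not a plain non-negative integer before using it.
  case "$old_serial" in
    ''|*[!0-9]*) die "Invalid serial number in .serial: $old_serial" ;;
  esac
  readonly serial=$((old_serial + 1))
  # The number is consumed even if signing fails later, so a failed run can
  # never cause a serial to be reused.
  echo "$serial" > .serial || die "Unable to write .serial"
else
  readonly serial="$3"
fi

readonly username="$4"
# A '/' starts a new RDN in openssl's -subj syntax and '\' is its escape
# character; refuse both rather than silently producing a different subject.
case "$username" in
  *'/'*|*'\'*) die "Invalid username (must not contain '/' or '\\'): $username" ;;
esac

if [ "$#" -lt 5 ]; then
  readonly methods=
else
  readonly methods="$5"
fi
[ -r "$signing_key.pem" ] || die "Unable to read: $signing_key.pem"
[ -r "$signing_key.key.pem" ] || die "Unable to read: $signing_key.key.pem"

# Extension config for the methods list; always passed to -extfile (empty
# when there are no methods). Removed on every exit path by the trap.
tmpfile="$(mktemp)" || die "mktemp failed"
trap 'rm -f -- "$tmpfile"' EXIT

# Append one method name as the next field of [methods_sect] in $tmpfile.
# Globals:   counter (read/written), tmpfile (read)
# Arguments: $1 - method name; blank names are skipped, and names containing
#            a double quote or backslash are rejected because they would
#            break the quoted OpenSSL config value.
add_method() {
  case "$1" in
    '') return 0 ;;
    *'"'*|*'\'*) die "Invalid method name: $1" ;;
  esac
  echo "field$counter=UTF8:\"$1\"" >> "$tmpfile"
  counter=$((counter + 1))
}

# First create the methods extension file if appropriate.
if [ -z "$methods" ]; then
  readonly methods_args=
else
  readonly methods_args="-extensions methods_extension"
  counter=1
  {
    echo '[methods_extension]'
    echo '1.3.6.1.4.1.9586.100.7.1=ASN1:SEQUENCE:methods_sect'
    echo '[methods_sect]'
  } > "$tmpfile"
  if [ -r "$methods" ]; then
    # -r keeps backslashes as written; the || handles a missing final newline.
    while read -r method || [ -n "$method" ]; do
      add_method "$method"
    done < "$methods"
  else
    # Here-string rather than a pipeline so the loop (and counter) runs in
    # this shell.
    while read -r method || [ -n "$method" ]; do
      add_method "$method"
    done <<< "$(tr , '\n' <<< "$methods")"
  fi
fi

# Now generate the signed certificate. Each step is checked explicitly so a
# failure cannot leave a half-built set of files with a zero exit status.
openssl genpkey -algorithm RSA -out "$newkey.key.pem" \
  -pkeyopt rsa_keygen_bits:2048 || die "Key generation failed: $newkey.key.pem"
openssl req -new -key "$newkey.key.pem" -days "$KEY_LIFETIME" \
  -extensions v3_ca \
  -batch -out "$newkey.csr" -utf8 -subj "/CN=$username" \
  || die "CSR generation failed: $newkey.csr"
# methods_args is deliberately left unquoted so it splits into two words
# (or nothing); noglob is set, so no pathname expansion can occur.
openssl x509 -req -sha256 -days "$KEY_LIFETIME" -in "$newkey.csr" \
  -extfile "$tmpfile" $methods_args \
  -CAkey "$signing_key.key.pem" -CA "$signing_key.pem" \
  -set_serial "$serial" \
  -out "$newkey.pem" || die "Certificate signing failed: $newkey.pem"
chmod a+r "$newkey.pem" || die "Unable to chmod: $newkey.pem"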