Quickly generate a CA and signed client/server keypairs
#!/usr/bin/env bash
# Stop at the first failing command, including a failing stage in a pipeline.
set -eo pipefail
# 1 skips the "Overwrite ...?" prompts; set by -f / --force on the command line.
FORCE=0
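# Run the overwrite check on regular files: ckfiles FILE...
# "$@" keeps each path as one argument (the unquoted form split on spaces and globbed).
function ckfiles() { ck -f "$@"; }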
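# Run the overwrite check on directories: ckdirs DIR...
# "$@" keeps each path as one argument (the unquoted form split on spaces and globbed).
function ckdirs() { ck -d "$@"; }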
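#######################################
# Remove existing output paths, asking first unless FORCE is 1.
# Arguments: $1   - test operator handed to [ ]: -d (directory) or -f (file)
#            $2.. - paths to check
# Globals:   FORCE (read) - 1 deletes without asking; unset counts as 0
# Returns:   0 normally; 3 when the user answers "n", leaving that path and
#            every later one untouched (the caller runs under set -e, so the
#            script stops there)
#######################################
function ck() {
  local test_op=$1
  local kind=" "
  local path
  # -l lowercases whatever is read, so "N" and "n" both decline.
  local -l _rsp=y
  case "$test_op" in
    -d) kind=" directory " ;;
    -f) kind=" file " ;;
  esac
  for path in "${@:2}"; do
    # Only an existing path of the requested kind is a candidate for removal.
    [ "$test_op" "$path" ] || continue
    if [ "${FORCE:-0}" -eq 0 ]; then
      # An empty answer (plain Enter) is treated as "yes": only "n" declines.
      read -r -p "Overwrite${kind}'$(realpath "$path")'? [Y/n]: " _rsp
      if [[ "$_rsp" == "n" ]]; then
        return 3
      fi
    fi
    rm -rf -- "$path"
  done
}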
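#######################################
# Check that required external tools are available.
# Arguments: $@ - tool names to check; with no arguments the script's own
#            requirements (realpath openssl pwgen) are checked
# Outputs:   one "Install <tool>" line on stderr per missing tool
# Returns:   0 when every tool was found, 1 otherwise
#######################################
function ckexes() {
  local -a tools=("$@")
  local tool
  local missing=0
  if [ "${#tools[@]}" -eq 0 ]; then
    tools=(realpath openssl pwgen)
  fi
  for tool in "${tools[@]}"; do
    # command -v resolves binaries, functions and builtins, like `type` did.
    if ! command -v -- "$tool" >/dev/null 2>&1; then
      printf 'Install %s\n' "$tool" >&2
      missing=1
    fi
  done
  if [ "$missing" -ne 0 ]; then
    return 1
  fi
  return 0
}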
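#######################################
# Run sed, preferring a GNU implementation when one is installed.
# Arguments: $@ - passed to sed unchanged; "$@" keeps a script such as
#            's/a b/x/' as a single argument (unquoted $@ split it on spaces)
# Outputs:   sed's output; a one-line notice on stderr when falling back to BSD sed
# Returns:   sed's exit status
#######################################
function _sed() {
  if sed --version &>/dev/null; then # GNU sed
    sed "$@"
  elif gsed --version &>/dev/null; then # Homebrew GNU sed
    gsed "$@"
  else
    echo >&2 "Using BSD sed..."
    sed "$@"
  fi
}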
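#######################################
# Split the command line into the force flag and the remaining arguments.
# Arguments: $@ - the script's arguments
# Globals:   FORCE (written) - set to 1 when -f or --force is present
#            ARGS (written)  - every other argument, each prefixed by a space
#######################################
_parse_args() {
  local arg
  ARGS=""
  # "$@" keeps each argument intact; the unquoted loop word-split and globbed
  # them (an argument of '*' expanded to the current directory's contents).
  for arg in "$@"; do
    case "$arg" in
      -f|--force) FORCE=1 ;;
      # Same space-joined string as before; an argument containing whitespace
      # cannot be recovered from it, an array would be needed for that.
      *) ARGS="$ARGS $arg" ;;
    esac
  done
}
_parse_args "$@"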
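# Under set -e a missing tool (ckexes returns 1) stops the script here.
ckexes realpath openssl pwgen
THIS_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
#DEST_DIR="$THIS_DIR/ssl"
#if [ -n "$DEST_DIR" ] && [ ! -d "$DEST_DIR" ]; then
# echo >&2 "'$DEST_DIR' is not a directory"
# exit 2
#fi
#if [ -z "$DEST_DIR" ]; then
# DEST_DIR="$THIS_DIR"
#fi
DEST_DIR="$THIS_DIR/ssl"
# Go through the script's own overwrite guard instead of an unconditional
# rm -rf: with FORCE=0 the user is asked before an existing output directory
# is wiped (ck returns 3 on "n", which aborts the script under set -e).
# Wiping it unconditionally also made every later ckfiles check a no-op.
ckdirs "$DEST_DIR"
mkdir -- "$DEST_DIR"
cd "$DEST_DIR"
echo "Using '$PWD'"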
#for _D in certs crl newcerts private; do
# ckdirs "$_D" && mkdir "$_D"
#done
#ckfiles openssl.cnf
#curl -s 'https://jamielinux.com/docs/openssl-certificate-authority/_downloads/root-config.txt' \
# | sed -E "s;^([ \t]*dir[ \t]*=[ \t]*)([^ \t].*)$;\1${DEST_DIR};g"
# > openssl.cnf
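# The CA key passphrase is kept in 'capass'. Create it under a private umask
# so it is never world-readable (the default umask leaves it 0644), and guard
# it like every other output file.
ckfiles capass
(umask 077; pwgen -s1 > capass)
ckfiles ca-key.pem
# Passphrase-protected CA key; the key size is the author's 2048-bit choice.
openssl genrsa \
  -aes256 \
  -passout file:capass \
  -out ca-key.pem \
  2048
chmod 0400 ca-key.pem
ckfiles ca-cert.pem
#openssl req -config openssl.cnf -extensions v3_ca \
# Self-signed CA certificate; -days 1 matches the script's throw-away purpose.
openssl req -subj "/C=AQ" \
  -passin file:capass \
  -key ca-key.pem \
  -new \
  -x509 \
  -days 1 \
  -sha256 \
  -out ca-cert.pem
chmod 0444 ca-cert.pem
# Print the resulting CA certificate for inspection.
openssl x509 \
  -noout \
  -text \
  -in ca-cert.pem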
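# Host the server certificate is issued for (override via the environment).
# The original certificate carried neither a CN nor a subjectAltName, so TLS
# clients that verify the hostname rejected it; a DNS SAN is added below.
# NOTE(review): an IP address would need an "IP:" entry instead of "DNS:".
SERVER_NAME="${SERVER_NAME:-localhost}"
ckfiles server-key.pem
openssl genrsa \
  -out server-key.pem \
  2048
chmod 0400 server-key.pem
ckfiles server-csr.pem
openssl req -subj "/C=AQ" \
  -new \
  -key server-key.pem \
  -out server-csr.pem
ckfiles server-cert.pem
# -extfile with no -extensions reads the unnamed default section, so a single
# subjectAltName line is enough.
openssl x509 \
  -req \
  -passin file:capass \
  -in server-csr.pem \
  -CA ca-cert.pem \
  -CAkey ca-key.pem \
  -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "$SERVER_NAME") \
  -out server-cert.pem \
  -days 1 \
  -sha256
# Same read-only mode as ca-cert.pem; the private key stays 0400.
chmod 0444 server-cert.pem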
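# Set MK_CLIENT=0 in the environment to skip the client keypair (default: build it).
MK_CLIENT="${MK_CLIENT:-1}"
if [ "$MK_CLIENT" -eq 1 ]; then
  ckfiles client-key.pem
  openssl genrsa \
    -out client-key.pem \
    2048
  chmod 0400 client-key.pem
  ckfiles client-csr.pem
  openssl req -subj "/C=AQ" \
    -new \
    -key client-key.pem \
    -out client-csr.pem
  ckfiles client-cert.pem
  # Signed by the CA generated above; ca-cert.srl is (re)used for the serial.
  openssl x509 \
    -passin file:capass \
    -req \
    -in client-csr.pem \
    -CA ca-cert.pem \
    -CAkey ca-key.pem \
    -CAcreateserial \
    -out client-cert.pem \
    -days 1 \
    -sha256
  # Same read-only mode as ca-cert.pem; the private key stays 0400.
  chmod 0444 client-cert.pem
fi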