Quickly generate a CA and signed client/server keypairs

setup-ssl.sh

#!/usr/bin/env bash
set -e
set -o pipefail

FORCE=0
function ckfiles() { ck -f $@; }
function ckdirs() { ck -d $@; }
function ck() {
    local x
    local txt=" "
    if [[ "x$1" == "x-d" ]]; then
        txt=" directory "
    elif [[ "x$1" == "x-f" ]]; then
        txt=" file "
    fi
    for x in ${@:2}; do
        if [ $1 "$x" ]; then
            if [ $FORCE -eq 0 ]; then
                declare -l _rsp=y
                read -p "Overwrite${txt}'$(realpath "$x")'? [Y/n]: " _rsp
                if [[ "x$_rsp" == "xn" ]]; then
                    return 3
                fi
            fi
            rm -rf "$x"
        fi
    done
}

function ckexes() {
    _missing=0
    for _tool in realpath openssl pwgen; do
        if ! type $_tool &>/dev/null; then
            echo >&2 "Install $_tool"
            _missing=1
        fi
    done
    if [ $_missing -gt 0 ]; then
        return 1
    fi
}

function _sed() {
    if sed --version &>/dev/null; then  # GNU sed
        sed $@
    elif gsed --version &>/dev/null; then  # Homebrew GNU sed
        gsed $@
    else
        echo >&2 "Using BSD sed..."
        sed $@
    fi
}

ARGS=""
for _arg in $@; do
    if [[ "x$_arg" == "x-f" ]] || [[ "x$_arg" == "x--force" ]]; then
        FORCE=1
    else
        ARGS="$ARGS $_arg"
    fi
done

ckexes realpath openssl pwgen

THIS_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"

#DEST_DIR="$THIS_DIR/ssl"
#if [ -n "$DEST_DIR" ] && [ ! -d "$DEST_DIR" ]; then
#    echo >&2 "'$DEST_DIR' is not a directory"
#    exit 2
#fi
#if [ -z "$DEST_DIR" ]; then
#    DEST_DIR="$THIS_DIR"
#fi

DEST_DIR="$THIS_DIR/ssl"
rm -rf "$DEST_DIR"
mkdir "$DEST_DIR"

cd "$DEST_DIR"
echo "Using '$PWD'"
#for _D in certs crl newcerts private; do
#    ckdirs "$_D" && mkdir "$_D"
#done

#ckfiles openssl.cnf
#curl -s 'https://jamielinux.com/docs/openssl-certificate-authority/_downloads/root-config.txt' \
#    | sed -E "s;^([ \t]*dir[ \t]*=[ \t]*)([^ \t].*)$;\1${DEST_DIR};g"
#    > openssl.cnf

pwgen -s1 > capass

ckfiles ca-key.pem
openssl genrsa \
    -aes256 \
    -passout file:capass \
    -out ca-key.pem \
    2048
chmod 0400 ca-key.pem

ckfiles ca-cert.pem
#openssl req -config openssl.cnf -extensions v3_ca \
openssl req -subj "/C=AQ" \
    -passin file:capass \
    -key ca-key.pem \
    -new \
    -x509 \
    -days 1 \
    -sha256 \
    -out ca-cert.pem
chmod 0444 ca-cert.pem

openssl x509 \
    -noout \
    -text \
    -in ca-cert.pem

ckfiles server-key.pem
openssl genrsa \
    -out server-key.pem \
    2048
chmod 0400 server-key.pem

ckfiles server-csr.pem
openssl req -subj "/C=AQ" \
    -new \
    -key server-key.pem \
    -out server-csr.pem

openssl x509 \
    -req \
    -passin file:capass \
    -in server-csr.pem \
    -CA ca-cert.pem \
    -CAkey ca-key.pem \
    -CAcreateserial \
    -out server-cert.pem \
    -days 1 \
    -sha256

MK_CLIENT=1
if [ $MK_CLIENT -eq 1 ]; then

    ckfiles client-key.pem
    openssl genrsa \
        -out client-key.pem \
        2048
    chmod 0400 client-key.pem

    ckfiles client-csr.pem
    openssl req -subj "/C=AQ" \
        -new \
        -key client-key.pem \
        -out client-csr.pem

    openssl x509 \
        -passin file:capass \
        -req \
        -in client-csr.pem \
        -CA ca-cert.pem \
        -CAkey ca-key.pem \
        -CAcreateserial \
        -out client-cert.pem \
        -days 1 \
        -sha256
fi