eloycoto · November 11, 2021 11:01
diff --git a/create_certs.sh b/create_certs.sh
 echo "*****************  Certs creation  *************************"

 function echo {
  COLOR="\e[93m";
  ENDCOLOR="\e[0m";
  printf "$COLOR%b$ENDCOLOR\n" "$1";
 }

 export CERT_FOLDER="$(pwd)/certs"
 export DOMAIN="test.com"

 mkdir -p $CERT_FOLDER
 sudo rm $CERT_FOLDER/*
 cd $CERT_FOLDER

 echo "Certs creation on folder: $CERT_FOLDER"

 echo ">> SSL create CA cert"
 openssl genrsa -out rootCA.key 2048
 openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

 echo ">> SSL listen certificates"

 openssl req \
    -subj "/CN=*"\
    -newkey rsa:4096 -nodes \
 		-sha256 \
 		-days 3650 \
 		-keyout $DOMAIN.key \
 		-out $DOMAIN.csr
 	openssl x509 -req \
    -extfile <(printf "subjectAltName=DNS:test.com,DNS:test.lolca.com") \
    -in $DOMAIN.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $DOMAIN.crt -days 500 -sha256

 echo ">> SSL create TPM client cert"
 sudo tpm2tss-genkey -a rsa -s 2048 client_tpm.key
 sudo openssl req -new -x509 \
  -engine tpm2tss \
  -subj "/CN=*"\
  -key client_tpm.key  \
  -keyform engine \
  -out client.crt

 echo ">> SSL create Certificate Signing Request"
 sudo openssl x509 -x509toreq \
  -engine tpm2tss \
  -keyform engine \
  -in client.crt \
  -out CSR.csr \
  -signkey client_tpm.key

 echo ">> SSL create client certificate"
 openssl x509 -req -in CSR.csr \
  -CA rootCA.pem -CAkey rootCA.key \
  -CAcreateserial -out client_signed.crt \
  -days 500 -sha256
diff --git a/nginx.conf b/nginx.conf
 worker_processes  1;
 master_process off;
 daemon off;
 error_log /dev/stdout debug;

 events {
  worker_connections 1024;
 }

 http {
  server {
    listen 8043 ssl;

    ssl_certificate /opt/certs/test.com.crt;
    ssl_certificate_key /opt/certs/test.com.key;

    ssl_client_certificate /opt/certs/rootCA.pem;
    ssl_verify_client on;
    ssl_verify_depth 1000;

    location / {
      return 200 'OK!';
    }
  }
 }
diff --git a/test.sh b/test.sh
 echo -e "GET / HTTP/1.1\r\nHost: test.com\r\nConnection: Close\r\n\r\n"  | openssl s_client -connect 172.17.0.3:8043 \
  -cert certs/client_signed.crt \
  -key certs/client_tpm.key \
  -CAfile certs/rootCA.pem \
  -engine tpm2tss  \
  -keyform engine \
  -quiet
	echo "*************** Certs creation ***********************"

	function echo {
	COLOR="\e[93m";
	ENDCOLOR="\e[0m";
	printf "$COLOR%b$ENDCOLOR\n" "$1";
	}

	export CERT_FOLDER="$(pwd)/certs"
	export DOMAIN="test.com"

	mkdir -p $CERT_FOLDER
	sudo rm $CERT_FOLDER/*
	cd $CERT_FOLDER

	echo "Certs creation on folder: $CERT_FOLDER"

	echo ">> SSL create CA cert"
	openssl genrsa -out rootCA.key 2048
	openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

	echo ">> SSL listen certificates"

	openssl req \
	-subj "/CN=*"\
	-newkey rsa:4096 -nodes \
	-sha256 \
	-days 3650 \
	-keyout $DOMAIN.key \
	-out $DOMAIN.csr
	openssl x509 -req \
	-extfile <(printf "subjectAltName=DNS:test.com,DNS:test.lolca.com") \
	-in $DOMAIN.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $DOMAIN.crt -days 500 -sha256

	echo ">> SSL create TPM client cert"
	sudo tpm2tss-genkey -a rsa -s 2048 client_tpm.key
	sudo openssl req -new -x509 \
	-engine tpm2tss \
	-subj "/CN=*"\
	-key client_tpm.key \
	-keyform engine \
	-out client.crt

	echo ">> SSL create Certificate Signing Request"
	sudo openssl x509 -x509toreq \
	-engine tpm2tss \
	-keyform engine \
	-in client.crt \
	-out CSR.csr \
	-signkey client_tpm.key

	echo ">> SSL create client certificate"
	openssl x509 -req -in CSR.csr \
	-CA rootCA.pem -CAkey rootCA.key \
	-CAcreateserial -out client_signed.crt \
	-days 500 -sha256
	worker_processes 1;
	master_process off;
	daemon off;
	error_log /dev/stdout debug;

	events {
	worker_connections 1024;
	}

	http {
	server {
	listen 8043 ssl;

	ssl_certificate /opt/certs/test.com.crt;
	ssl_certificate_key /opt/certs/test.com.key;

	ssl_client_certificate /opt/certs/rootCA.pem;
	ssl_verify_client on;
	ssl_verify_depth 1000;

	location / {
	return 200 'OK!';
	}
	}
	}
	echo -e "GET / HTTP/1.1\r\nHost: test.com\r\nConnection: Close\r\n\r\n" \| openssl s_client -connect 172.17.0.3:8043 \
	-cert certs/client_signed.crt \
	-key certs/client_tpm.key \
	-CAfile certs/rootCA.pem \
	-engine tpm2tss \
	-keyform engine \
	-quiet