Generate a Root CA & Intermediate CA using Google KMS
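#!/bin/sh
# Generate a Root CA certificate and an Intermediate CA certificate whose
# private keys are held in Google Cloud KMS, driven by the google-kms-x509 CLI.
#
# Required environment:
#   GOOGLE_APPLICATION_CREDENTIALS  path to the service-account JSON the CLI uses
# Optional environment (defaults are in the assignments below):
#   CA_COUNTRY, CA_PROVINCE, CA_ORGANIZATION, CA_ORGANIZATIONAL_UNIT,
#   CA_EMAIL_ADDRESS                      subject fields
#   ROOT_CA_VALIDITY, INT_CA_VALIDITY     certificate lifetimes, in days
#   ROOT_CA_CERT_FILE, INT_CA_CERT_FILE   output paths for the PEM certificates
#   KMS_KEY_PATH                          ".../cryptoKeys" prefix of the key ring
#   KMS_ROOT_NAME, KMS_ROOT_VER           root CA key name and key version
#   KMS_INT_NAME, KMS_INT_VER             intermediate CA key name and key version
#   INT_PATH_LEN                          pathLen constraint for the intermediate
#   ENABLE_COMMENT                        non-empty => --generate-comment=true
#   TMPDIR                                directory for the temporary CSR file
# Exit status: 1 for missing prerequisites / root CA failure, 2 for any
# intermediate CA failure (same codes as before).
set -u

GOOGLE_KMS_BIN="./google-kms-x509-macos-amd64-v1.1.0"

# die STATUS MESSAGE... : print each MESSAGE on its own line to stderr, exit STATUS.
die() {
  _die_status=$1
  shift
  printf '%s\n' "$@" >&2
  exit "$_die_status"
}

# write_pem FILE TEXT : write TEXT followed by a newline to FILE.
# printf is used instead of echo so certificate text is never reinterpreted.
write_pem() {
  printf '%s\n' "$2" > "$1"
}

command -v "$GOOGLE_KMS_BIN" >/dev/null 2>&1 \
  || die 1 "I require $(basename "$GOOGLE_KMS_BIN") but it's not installed. Aborting." \
           "You can install from: https://github.com/ericnorris/google-kms-x509"
[ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ] \
  || die 1 "Please set GOOGLE_APPLICATION_CREDENTIALS to point to service account JSON"

COUNTRY=${CA_COUNTRY:-"USA"}
PROVINCE=${CA_PROVINCE:-""}
ORGANIZATION=${CA_ORGANIZATION:-"Widgets Inc"}
ORGANIZATIONAL_UNIT=${CA_ORGANIZATIONAL_UNIT:-""}
EMAIL_ADDRESS=${CA_EMAIL_ADDRESS:-"[email protected]"}
ROOT_CA_VALIDITY=${ROOT_CA_VALIDITY:-7300}
INT_CA_VALIDITY=${INT_CA_VALIDITY:-3650}
ROOT_CA_CERT_FILE=${ROOT_CA_CERT_FILE:-"./root-ca.crt"}
INT_CA_CERT_FILE=${INT_CA_CERT_FILE:-"./int-ca.crt"}
KMS_KEY_PATH=${KMS_KEY_PATH:-"projects/<GCLOUD_PROJECT>/locations/global/keyRings/<KMS_KEYRING>/cryptoKeys"}
# KMS_ROOT_NMAE is the misspelled name earlier versions of this script read;
# it is still honoured so existing environments keep working.
KMS_ROOT_NAME=${KMS_ROOT_NAME:-${KMS_ROOT_NMAE:-"root"}}
KMS_ROOT_VER=${KMS_ROOT_VER:-4}
KMS_INT_NAME=${KMS_INT_NAME:-"intermediate"}
KMS_INT_VER=${KMS_INT_VER:-4}
INT_PATH_LEN=${INT_PATH_LEN:-0}

# The "/" is inserted here rather than in the TMPDIR default, so a TMPDIR
# without a trailing slash no longer produces a path like "/var/tmpscript.XXXX".
INT_CA_CSR_FILE=$(mktemp "${TMPDIR:-/tmp}/$(basename "$0").XXXXXXXXXXXX") \
  || die 1 "Failed to create a temporary file for the Intermediate CA CSR"
# Remove the CSR on every exit path, including the failure exits below
# (previously it was only removed after a successful signing step).
trap 'rm -f -- "$INT_CA_CSR_FILE"' EXIT

if [ -n "$ORGANIZATIONAL_UNIT" ]; then
  CERT_NAME="${ORGANIZATION} ${ORGANIZATIONAL_UNIT} "
else
  CERT_NAME="${ORGANIZATION} "
fi
if [ -n "${ENABLE_COMMENT:-}" ]; then
  COMMENT_ARG="--generate-comment=true"
else
  COMMENT_ARG="--generate-comment=false"
fi

# Optional subject options are collected in "$@" (POSIX sh has no arrays) so
# that values containing spaces reach the CLI as single arguments. The earlier
# string form --province='...' was word-split and passed the quote characters
# literally. The script's own positional parameters are not used, so
# resetting them here loses nothing.
set --
if [ -n "$PROVINCE" ]; then
  set -- "$@" --province="$PROVINCE"
fi
if [ -n "$ORGANIZATIONAL_UNIT" ]; then
  set -- "$@" --organizationalUnit="$ORGANIZATIONAL_UNIT"
fi

# Name constraints (the CLI lists a --permitted-dns-domains option) are not
# set here; consider restricting the intermediate to the domains it is
# expected to issue for.

printf 'Generating Root CA: '
ROOT_CA_CERT=$("$GOOGLE_KMS_BIN" generate root-ca \
  "$COMMENT_ARG" \
  --common-name="${CERT_NAME}Root CA" \
  --days="$ROOT_CA_VALIDITY" \
  --country="$COUNTRY" \
  "$@" \
  --emailAddress="$EMAIL_ADDRESS" \
  --organization="$ORGANIZATION" \
  --kms-key="${KMS_KEY_PATH}/${KMS_ROOT_NAME}/cryptoKeyVersions/${KMS_ROOT_VER}") \
  || die 1 "Failed" "Failed to generate Root CA!"
write_pem "$ROOT_CA_CERT_FILE" "$ROOT_CA_CERT" \
  || die 1 "Failed" "Failed to write Root CA to ${ROOT_CA_CERT_FILE}!"
echo "Complete"
echo "Saved Root CA Public Key to ${ROOT_CA_CERT_FILE}"

printf 'Generating Intermediate CA CSR: '
INT_CA_CSR=$("$GOOGLE_KMS_BIN" generate csr \
  --common-name="${CERT_NAME}Intermediate CA" \
  --kms-key="${KMS_KEY_PATH}/${KMS_INT_NAME}/cryptoKeyVersions/${KMS_INT_VER}") \
  || die 2 "Failed" "Failed to generate Intermediate CA CSR!"
write_pem "$INT_CA_CSR_FILE" "$INT_CA_CSR" \
  || die 2 "Failed" "Failed to write Intermediate CA CSR to ${INT_CA_CSR_FILE}!"
echo "Complete"

printf 'Signing Intermediate CA CSR: '
# NOTE(review): the key below now follows KMS_INT_NAME like the CSR step
# (the original hard-coded "intermediate" here, so overriding KMS_INT_NAME
# produced a CSR and a signature from different keys). Signing a child CSR
# ordinarily requires the *parent's* private key; confirm against the
# google-kms-x509 documentation whether --kms-key for "sign intermediate-ca"
# should instead reference the root key, and check the produced chain with
# openssl verify before relying on it.
INT_CA_CERT=$("$GOOGLE_KMS_BIN" sign intermediate-ca \
  "$COMMENT_ARG" \
  --common-name="${CERT_NAME}Intermediate CA" \
  --child-csr="$INT_CA_CSR_FILE" \
  --parent-cert="$ROOT_CA_CERT_FILE" \
  --days="$INT_CA_VALIDITY" \
  --country="$COUNTRY" \
  "$@" \
  --emailAddress="$EMAIL_ADDRESS" \
  --organization="$ORGANIZATION" \
  --kms-key="${KMS_KEY_PATH}/${KMS_INT_NAME}/cryptoKeyVersions/${KMS_INT_VER}" \
  --path-len="$INT_PATH_LEN") \
  || die 2 "Failed" "Failed to sign Intermediate CA!"
write_pem "$INT_CA_CERT_FILE" "$INT_CA_CERT" \
  || die 2 "Failed" "Failed to write Intermediate CA to ${INT_CA_CERT_FILE}!"
echo "Complete"
echo "Saved Intermediate CA Public Key to ${INT_CA_CERT_FILE}"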