jmhertlein · June 18, 2024 19:30
diff --git a/gen_ca.sh b/gen_ca.sh
 #!/bin/bash

 ##################################################
 # for generating your root CA private key and cert
 ##################################################

 ca_name="jmhca"
 ca_key_bits="4096"
 ca_cert_expire_days="365"

 mkdir ca
 cd ca

 clear
 echo "### Generating root CA private key"
 echo "[Enter] to continue"
 read

 # generate new rsa private key for CA
 openssl genpkey -algorithm rsa -out "$ca_name".key -AES-256-CBC -pkeyopt rsa_keygen_bits:"$ca_key_bits"

 clear
 echo "### Signing root CA certificate"
 echo "[Enter] to continue"
 read
 # create the root CA certificate (this is what you will install in your browser if you are not using intermediary signing keys)
 openssl req -x509 -new -key "$ca_name".key -days "$ca_cert_expire_days" -out "$ca_name".pem -sha512

 cd ..


 ################################################################
 #
 # If you want to use intermediate/signing keys
 # (so your root CA's private key can stay in offline 
 # storage except for when you re-sign your signing keys)...
 #
 # ...then generate them here.
 #
 ################################################################

 mkdir signing

 cd signing

 clear
 echo "### Generating signing private key"
 echo "[Enter] to continue"
 read
 openssl genpkey -algorithm rsa -out "$ca_name".sign.key -AES-256-CBC -pkeyopt rsa_keygen_bits:"$ca_key_bits"

 clear
 echo "### Generating signing cert request"
 echo "[Enter] to continue"
 read
 openssl req -new -key "$ca_name".sign.key -out "$ca_name".sign.csr

 clear
 echo "### Fulfilling signing cert request"
 echo "[Enter] to continue"
 read
 openssl x509 -req -in "$ca_name".sign.csr -CA ../ca/"$ca_name".pem -CAkey ../ca/"$ca_name".key -out "$ca_name".sign.pem -days 365 -sha512 -CAcreateserial
 cat "$ca_name".sign.pem ../ca/"$ca_name".pem > "$ca_name".sign.chain.pem

 cd ..


 #######################################
 # for generating and signing host certs
 #######################################

 mkdir host
 cd host

 clear
 echo "### Generating host private key"
 echo "[Enter] to continue"
 read
 read -p "Filename for device CA key and cert: " device_name
 # gen new device private key
 openssl genrsa -out "$device_name".key 2048

 clear
 echo "### Generating host cert request"
 echo "[Enter] to continue"
 read
 # gen signature request
 openssl req -new -key "$device_name".key -out "$device_name".csr

 clear
 echo "### Fulfilling host cert request"
 echo "[Enter] to continue"
 read
 # fulfill request with CA root private key
 openssl x509 -req -in "$device_name".csr -CA ../signing/"$ca_name".sign.pem -CAkey ../signing/"$ca_name".sign.key -out "$device_name".crt -days 365 -sha512 -CAcreateserial

 cat ../signing/"$ca_name".sign.pem ./"$device_name".crt > "$device_name".chain.crt

 cd ..
	#!/bin/bash

	##################################################
	# for generating your root CA private key and cert
	##################################################

	ca_name="jmhca"
	ca_key_bits="4096"
	ca_cert_expire_days="365"

	mkdir ca
	cd ca

	clear
	echo "### Generating root CA private key"
	echo "[Enter] to continue"
	read

	# generate new rsa private key for CA
	openssl genpkey -algorithm rsa -out "$ca_name".key -AES-256-CBC -pkeyopt rsa_keygen_bits:"$ca_key_bits"

	clear
	echo "### Signing root CA certificate"
	echo "[Enter] to continue"
	read
	# create the root CA certificate (this is what you will install in your browser if you are not using intermediary signing keys)
	openssl req -x509 -new -key "$ca_name".key -days "$ca_cert_expire_days" -out "$ca_name".pem -sha512

	cd ..


	################################################################
	#
	# If you want to use intermediate/signing keys
	# (so your root CA's private key can stay in offline
	# storage except for when you re-sign your signing keys)...
	#
	# ...then generate them here.
	#
	################################################################

	mkdir signing

	cd signing

	clear
	echo "### Generating signing private key"
	echo "[Enter] to continue"
	read
	openssl genpkey -algorithm rsa -out "$ca_name".sign.key -AES-256-CBC -pkeyopt rsa_keygen_bits:"$ca_key_bits"

	clear
	echo "### Generating signing cert request"
	echo "[Enter] to continue"
	read
	openssl req -new -key "$ca_name".sign.key -out "$ca_name".sign.csr

	clear
	echo "### Fulfilling signing cert request"
	echo "[Enter] to continue"
	read
	openssl x509 -req -in "$ca_name".sign.csr -CA ../ca/"$ca_name".pem -CAkey ../ca/"$ca_name".key -out "$ca_name".sign.pem -days 365 -sha512 -CAcreateserial
	cat "$ca_name".sign.pem ../ca/"$ca_name".pem > "$ca_name".sign.chain.pem

	cd ..


	#######################################
	# for generating and signing host certs
	#######################################

	mkdir host
	cd host

	clear
	echo "### Generating host private key"
	echo "[Enter] to continue"
	read
	read -p "Filename for device CA key and cert: " device_name
	# gen new device private key
	openssl genrsa -out "$device_name".key 2048

	clear
	echo "### Generating host cert request"
	echo "[Enter] to continue"
	read
	# gen signature request
	openssl req -new -key "$device_name".key -out "$device_name".csr

	clear
	echo "### Fulfilling host cert request"
	echo "[Enter] to continue"
	read
	# fulfill request with CA root private key
	openssl x509 -req -in "$device_name".csr -CA ../signing/"$ca_name".sign.pem -CAkey ../signing/"$ca_name".sign.key -out "$device_name".crt -days 365 -sha512 -CAcreateserial

	cat ../signing/"$ca_name".sign.pem ./"$device_name".crt > "$device_name".chain.crt

	cd ..