Skip to content

Instantly share code, notes, and snippets.

@jtschichold

jtschichold/generate-certificate.sh

Last active November 3, 2017 15:54
Show Gist options
  • Save jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da to your computer and use it in GitHub Desktop.
Save jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da to your computer and use it in GitHub Desktop.
Download ZIP
Shell script to generate a new CA and a new certificate on MineMeld instances
Raw
generate-certificate.sh
#!/bin/bash
# set -x
set -e
if [ -z "$1" ]; then
echo "Usage: $0 <minemeld hostname>" 1>&2
exit 1
fi
if [ "$EUID" != "0" ]; then
echo "This script must be run with root privleges. Try with:" 1>&2
echo "sudo $0 $1" 1>&2
exit 1
fi
BASEDIR=$(dirname "$0")
export CA_DIR=$(mktemp -d)
echo ">> Using directory $CA_DIR"
function extract_config()
{
echo "Unpacking config to $BASEDIR/minemeld-temp-ca.cnf"
match=$(grep --text --line-number '^OPENSSL_CONFIG_FILE:$' $0 | cut -d ':' -f 1)
payload_start=$((match + 1))
tail -n +$payload_start $0 > $BASEDIR/minemeld-temp-ca.cnf
}
function extract_pem()
{
match=$(grep --text --line-number '^-----BEGIN CERTIFICATE' $1 | cut -d ':' -f 1)
tail -n +$match $1 >> $2
}
extract_config
# generate CA certificate and key
echo ">> Generating CA key and certificate"
openssl req -x509 -newkey rsa:4096 -sha256 -nodes \
-keyout $CA_DIR/CA.key -out $CA_DIR/CA.crt \
-subj "/C=IT/ST=PR/L=Parma/O=MineMeld/OU=TBD/CN=please use a real CA/[email protected]" \
-days 3650
# generate key and CSR for minemeld
echo ">> Generating MineMeld key and CSR"
openssl req -new -newkey rsa:4096 -sha256 -nodes \
-keyout $CA_DIR/minemeld.pem -out $CA_DIR/minemeld.csr \
-subj "/C=IT/ST=PR/L=Parma/O=MineMeld/OU=TBD/CN=$1"
# fake a CA
echo ">> Signing MineMeld CSR with CA"
touch $CA_DIR/index.txt
echo "01" > $CA_DIR/serial
openssl ca -batch -config $BASEDIR/minemeld-temp-ca.cnf -policy policy_loose -extensions server_cert -out $CA_DIR/minemeld.cer -infiles $CA_DIR/minemeld.csr
echo ">> Shredding and removing CA key"
# overwrites and delete the CA key
shred -vzn 3 $CA_DIR/CA.key || true
rm $CA_DIR/CA.key
if [[ "$2" -eq "--test" ]]; then
exit 0
fi
# copy the private key
mv $CA_DIR/minemeld.pem /etc/nginx/minemeld.pem
chmod 0600 /etc/nginx/minemeld.pem
# create the full chain
rm -f /etc/nginx/minemeld.cer
extract_pem $CA_DIR/minemeld.cer /etc/nginx/minemeld.cer
extract_pem $CA_DIR/CA.crt /etc/nginx/minemeld.cer
chmod 0600 /etc/nginx/minemeld.cer
cp $CA_DIR/CA.crt $BASEDIR/CA.crt
if [ -d /usr/share/minemeld ]; then
mv $CA_DIR/CA.crt /usr/share/minemeld/CA.crt
fi
# removes CA directory
rm -rf $CA_DIR
echo ">> Reloading nginx configuration"
service nginx reload || true
echo
echo "-------------------------------------------------------------------"
echo "New MineMeld WebUI private key and certificate installed !"
echo
echo "NOTE: Use CA.crt in the current directory to create a Certificate"
echo "Profile on PAN-OS 8.0."
echo "-------------------------------------------------------------------"
exit 0
OPENSSL_CONFIG_FILE:
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = $ENV::CA_DIR
new_certs_dir = $dir
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/CA.key
certificate = $dir/CA.crt
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 1105
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "MineMeld Temporary Server Certificate - via OpenSSL"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
@jtschichold
Copy link
Author

jtschichold commented Feb 2, 2017
edited
Loading

generate-certificate.sh

This script:

  • creates a new private key and self-signed certificate to be used as a disposable CA
  • creates a new private key and CSR for MineMeld WebUI
  • signs the CSR with the newly created CA
  • securely deletes the CA private key
  • installs the new full chain and private key in the nginx directory
  • reloads the nginx config

Outputs

  • new private key and full chain installed under /etc/nginx/minemeld.pem and /etc/nginx/minemeld.cer
  • new CA certificate CA.crt in the current directory. This can be used for PAN-OS 8.0 Certificate Profiles

How To Use

$ wget https://gist.githubusercontent.com/jtschichold/f0977e5c1ec09b3ec7d66bf80687d9da/raw/7ec994a3a731637ffa335365adddddbfd92004f2/generate-certificate.sh
$ chmod a+x generate-certificate.sh
$ sudo ./generate-certificate.sh <minemeld hostname>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment