nnsense · August 28, 2021 17:16
diff --git a/cert-gen.sh b/cert-gen.sh
 # Generate certificates suitable for a local deployment including .p12 and base64 for k8s usage
 # It can also creates java keystore certs, delete/comment out related lines at the end of main to remove it. Make sure java is installed.
 # To make this a bit more silent some command has stdout/stderr redirected to /dev/null, remove it to get full output

 # Uncomment to get debug info
 # set -Eexuo pipefail

 trap 'declare rc=$?; >&2 echo "Unexpected error executing $BASH_COMMAND at ${BASH_SOURCE[0]} line $LINENO"; exit $rc' ERR

 cert_extfile () {
    declare ADDRESS=$1
    declare IPADDR=$(hostname -I | cut -d " " -f1)

    cat <<EOF
 [ req ]
 default_bits = 2048
 prompt = no
 default_md = sha256
 req_extensions = req_ext
 distinguished_name = dn

 [ dn ]
 C = GB
 ST = UK
 L = Cambridge
 O = Dev
 OU = Engineering
 CN = ${ADDRESS}

 [ req_ext ]
 subjectAltName = @alt_names

 [ alt_names ]
 DNS.1 = ${ADDRESS}
 DNS.2 = ${HOSTNAME}
 IP.1 = 127.0.0.1
 IP.2 = ${IPADDR}

 [ v3_ext ]
 authorityKeyIdentifier=keyid,issuer:always
 basicConstraints=CA:FALSE
 keyUsage=keyEncipherment,dataEncipherment
 extendedKeyUsage=serverAuth,clientAuth
 subjectAltName=@alt_names
 EOF
 }

 main () {
    CA_NAME="${HOSTNAME} CA"
    ADDRESS=$1
    CERT_DIR=$2

    mkdir -p $CERT_DIR

    openssl genrsa -out ${CERT_DIR}/srv_ca.key 2048 >/dev/null 2>&1
    openssl req -x509 -new -days 3650 -nodes -key ${CERT_DIR}/srv_ca.key -subj "/C=GB/ST=UK/L=Cambridge/O=Dev/OU=Engineering/CN=${ADDRESS}" -out ${CERT_DIR}/srv_ca.crt
    openssl genrsa -out ${CERT_DIR}/"${ADDRESS}".key 2048 >/dev/null 2>&1
    openssl req -new -key "${CERT_DIR}/${ADDRESS}".key -out "${CERT_DIR}/${ADDRESS}".csr -config <(cert_extfile "${ADDRESS}")
    openssl x509 -req -days 3650 -CA ${CERT_DIR}/srv_ca.crt -CAkey ${CERT_DIR}/srv_ca.key -CAcreateserial -in "${CERT_DIR}/${ADDRESS}".csr -out "${CERT_DIR}/${ADDRESS}".crt -extensions v3_ext -extfile <(cert_extfile "${ADDRESS}")
    openssl req  -noout -text -in ${CERT_DIR}/"${ADDRESS}".csr 1>/dev/null
    openssl x509  -noout -text -in ${CERT_DIR}/"${ADDRESS}".crt 1>/dev/null

    openssl pkcs12 -export -name "${ADDRESS}" -caname "${CA_NAME}" -in "${CERT_DIR}/${ADDRESS}".crt -inkey "${CERT_DIR}/${ADDRESS}".key -CAfile ${CERT_DIR}/srv_ca.crt -out "${CERT_DIR}/${ADDRESS}".p12 -passout pass:notimportant 1>/dev/null

    openssl verify -CAfile ${CERT_DIR}/srv_ca.crt "${CERT_DIR}/${ADDRESS}".crt

    base64 -w0 "${CERT_DIR}/${ADDRESS}".key > "${CERT_DIR}/${ADDRESS}".key-b64
    base64 -w0 "${CERT_DIR}/${ADDRESS}".crt > "${CERT_DIR}/${ADDRESS}".crt-b64

    keytool -importkeystore -alias "${ADDRESS}" -deststorepass changeit -destkeystore ${CERT_DIR}/"${ADDRESS}"_keystore.jks -srckeystore "${CERT_DIR}/${ADDRESS}".p12 -srcstoretype PKCS12 -srcstorepass notimportant -destkeypass changeit 2>/dev/null

    # Clean-up unneeded files
    rm -f ${CERT_DIR}/srv_ca.key ${CERT_DIR}/*.csr ${CERT_DIR}/*.srl

 }

 main "$@"
	# Generate certificates suitable for a local deployment including .p12 and base64 for k8s usage
	# It can also creates java keystore certs, delete/comment out related lines at the end of main to remove it. Make sure java is installed.
	# To make this a bit more silent some command has stdout/stderr redirected to /dev/null, remove it to get full output

	# Uncomment to get debug info
	# set -Eexuo pipefail

	trap 'declare rc=$?; >&2 echo "Unexpected error executing $BASH_COMMAND at ${BASH_SOURCE[0]} line $LINENO"; exit $rc' ERR

	cert_extfile () {
	declare ADDRESS=$1
	declare IPADDR=$(hostname -I \| cut -d " " -f1)

	cat <<EOF
	[ req ]
	default_bits = 2048
	prompt = no
	default_md = sha256
	req_extensions = req_ext
	distinguished_name = dn

	[ dn ]
	C = GB
	ST = UK
	L = Cambridge
	O = Dev
	OU = Engineering
	CN = ${ADDRESS}

	[ req_ext ]
	subjectAltName = @alt_names

	[ alt_names ]
	DNS.1 = ${ADDRESS}
	DNS.2 = ${HOSTNAME}
	IP.1 = 127.0.0.1
	IP.2 = ${IPADDR}

	[ v3_ext ]
	authorityKeyIdentifier=keyid,issuer:always
	basicConstraints=CA:FALSE
	keyUsage=keyEncipherment,dataEncipherment
	extendedKeyUsage=serverAuth,clientAuth
	subjectAltName=@alt_names
	EOF
	}

	main () {
	CA_NAME="${HOSTNAME} CA"
	ADDRESS=$1
	CERT_DIR=$2

	mkdir -p $CERT_DIR

	openssl genrsa -out ${CERT_DIR}/srv_ca.key 2048 >/dev/null 2>&1
	openssl req -x509 -new -days 3650 -nodes -key ${CERT_DIR}/srv_ca.key -subj "/C=GB/ST=UK/L=Cambridge/O=Dev/OU=Engineering/CN=${ADDRESS}" -out ${CERT_DIR}/srv_ca.crt
	openssl genrsa -out ${CERT_DIR}/"${ADDRESS}".key 2048 >/dev/null 2>&1
	openssl req -new -key "${CERT_DIR}/${ADDRESS}".key -out "${CERT_DIR}/${ADDRESS}".csr -config <(cert_extfile "${ADDRESS}")
	openssl x509 -req -days 3650 -CA ${CERT_DIR}/srv_ca.crt -CAkey ${CERT_DIR}/srv_ca.key -CAcreateserial -in "${CERT_DIR}/${ADDRESS}".csr -out "${CERT_DIR}/${ADDRESS}".crt -extensions v3_ext -extfile <(cert_extfile "${ADDRESS}")
	openssl req -noout -text -in ${CERT_DIR}/"${ADDRESS}".csr 1>/dev/null
	openssl x509 -noout -text -in ${CERT_DIR}/"${ADDRESS}".crt 1>/dev/null

	openssl pkcs12 -export -name "${ADDRESS}" -caname "${CA_NAME}" -in "${CERT_DIR}/${ADDRESS}".crt -inkey "${CERT_DIR}/${ADDRESS}".key -CAfile ${CERT_DIR}/srv_ca.crt -out "${CERT_DIR}/${ADDRESS}".p12 -passout pass:notimportant 1>/dev/null

	openssl verify -CAfile ${CERT_DIR}/srv_ca.crt "${CERT_DIR}/${ADDRESS}".crt

	base64 -w0 "${CERT_DIR}/${ADDRESS}".key > "${CERT_DIR}/${ADDRESS}".key-b64
	base64 -w0 "${CERT_DIR}/${ADDRESS}".crt > "${CERT_DIR}/${ADDRESS}".crt-b64

	keytool -importkeystore -alias "${ADDRESS}" -deststorepass changeit -destkeystore ${CERT_DIR}/"${ADDRESS}"_keystore.jks -srckeystore "${CERT_DIR}/${ADDRESS}".p12 -srcstoretype PKCS12 -srcstorepass notimportant -destkeypass changeit 2>/dev/null

	# Clean-up unneeded files
	rm -f ${CERT_DIR}/srv_ca.key ${CERT_DIR}/.csr ${CERT_DIR}/.srl

	}

	main "$@"