Skip to content

Instantly share code, notes, and snippets.

@pmuir

pmuir/ca.sh

Created December 7, 2023 15:31
Show Gist options
  • Save pmuir/2fc0b878e7a49b379e0941deaa425e94 to your computer and use it in GitHub Desktop.
Save pmuir/2fc0b878e7a49b379e0941deaa425e94 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ca.sh
#!/bin/bash
mkdir CA
openssl genrsa -aes256 -out CA/rootCA.key 4096
openssl req -x509 -new -nodes -key CA/rootCA.key -sha256 -days 3650 -out CA/rootCA.crt
Raw
cert.sh
if [ -z "$1" ]
then
echo "Please supply a domain to create a certificate for";
echo "Usage:"
echo "$0 device4711.network.my"
exit;
fi
openssl req -new -nodes -keyout domain.key -out domain.csr -days 3650 -subj "/C=DE/L=Some/O=Acme, Inc./CN=$1"
openssl x509 -req -days 3650 -sha256 -in domain.csr -CA CA/rootCA.crt -CAkey CA/rootCA.key -CAcreateserial -out domain.crt -extensions v3_ca -extfile <(
cat <<-EOF
[ v3_ca ]
subjectAltName = DNS:$1
EOF
)
openssl pkcs12 -export -out fully-remote-admin-ca.p12 -inkey domain.key -in domain.crt -passout pass:fully
echo Generated self signed CA for $1 in fully-remote-admin-ca.p12
openssl pkcs12 -in fully-remote-admin-ca.p12 -nodes -passin pass:"fully" | openssl x509 -noout -text
Raw
commands.sh
export HOST=<HOST>
./ca.sh
./cert.sh ${HOST}
adb connect ${HOST}
adb push fully-remote-admin-ca.p12 /sdcard/
# Restart Fully Kiosk
curl -v https://${HOST}:2323
Raw
transcript.txt
12:18 $ cat ca.sh
#!/bin/bash
mkdir CA
openssl genrsa -aes256 -out CA/rootCA.key 4096
openssl req -x509 -new -nodes -key CA/rootCA.key -sha256 -days 3650 -out CA/rootCA.crt
✔ ~/fullyssl
12:18 $ cat cert.sh
#!/bin/bash
if [ -z "$1" ]
then
echo "Please supply a domain to create a certificate for";
echo "Usage:"
echo "$0 device4711.network.my"
exit;
fi
openssl req -new -nodes -keyout domain.key -out domain.csr -days 3650 -subj "/C=DE/L=Some/O=Acme, Inc./CN=$1"
openssl x509 -req -days 3650 -sha256 -in domain.csr -CA CA/rootCA.crt -CAkey CA/rootCA.key -CAcreateserial -out domain.crt -extensions v3_ca -extfile <(
cat <<-EOF
[ v3_ca ]
subjectAltName = DNS:$1
EOF
)
openssl pkcs12 -export -out fully-remote-admin-ca.p12 -inkey domain.key -in domain.crt -passout pass:fully
echo Generated self signed CA for $1 in fully-remote-admin-ca.p12
openssl pkcs12 -in fully-remote-admin-ca.p12 -nodes -passin pass:"fully" | openssl x509 -noout -text
✔ ~/fullyssl
12:18 $ rm -rf CA
✔ ~/fullyssl
12:19 $ rm domain.*
✔ ~/fullyssl
12:19 $ rm fully-remote-admin-ca.p12
✔ ~/fullyssl
12:19 $ ls
ca.sh cert.sh
✔ ~/fullyssl
12:19 $ ./ca.sh
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Enter pass phrase for CA/rootCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
✔ ~/fullyssl
12:19 $ ls
CA ca.sh cert.sh
✔ ~/fullyssl
12:19 $ ls CA/
rootCA.crt rootCA.key
✔ ~/fullyssl
12:19 $ ls CA/^C
✘-INT ~/fullyssl
12:19 $ ./cert.sh npb.h.bleepbleep.org.uk
Ignoring -days without -x509; not generating a certificate
.+...+.+...........+...............+....+...+..+....+.....+++++++++++++++++++++++++++++++++++++++*......+..........+...+.....+.................................+.........+.+..+....+...+...+.........+.....+.+...+.....+....+..+.+..+......+.......+...+................................+.......+.....+.+..+.........+.+...+.....+......+.+.....+...............+.......+..+.+.....+...+..........+......+...+..................+..+++++++++++++++++++++++++++++++++++++++*...+..+.......+...+.....+.........+....+.....+....+...+...+..+............+...+..........+..+...+...+......++++++
..+..+.+........+...............+.......+..+...+...+....+...........+.........+.......+.....+...+..........+...+............+..+...+.+......+......+..+.+............+.........+.........+...........+.+..+................+......+...+++++++++++++++++++++++++++++++++++++++*..+...+...+...........+.+..+......+....+...+..+.......+.....+.....................+....+...........+...+++++++++++++++++++++++++++++++++++++++*.+....+...+...+.....+.........+.......+.....+.+..+......+.+...+.....+...+.............+..+...................+........+.+.....+.......+..+............+.+..............+.+...+.....+....+...+.........+.....+....+............+..+..........+.....+.+..+...+....+.....++++++
-----
Certificate request self-signature ok
subject=C=DE, L=Some, O=Acme, Inc., CN=npb.h.bleepbleep.org.uk
Enter pass phrase for CA/rootCA.key:
Generated self signed CA for npb.h.bleepbleep.org.uk in fully-remote-admin-ca.p12
Warning: Reading certificate from stdin since no -in or -new option is given
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
24:fc:c1:5f:39:07:57:d7:1c:a6:ac:3b:8a:00:68:7e:fe:00:2b:d5
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Validity
Not Before: Dec 7 12:19:59 2023 GMT
Not After : Dec 4 12:19:59 2033 GMT
Subject: C=DE, L=Some, O=Acme, Inc., CN=npb.h.bleepbleep.org.uk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:88:af:b0:e4:57:b8:47:ca:8e:a4:8e:b2:2d:47:
3d:76:bb:1e:1e:2e:88:24:92:9f:df:aa:b7:de:2b:
7b:59:c8:e5:eb:51:38:a4:33:e3:0a:88:28:dc:95:
b3:2b:ca:62:5f:93:df:9a:5a:4d:51:7a:d3:e8:86:
b0:a5:00:f2:a7:ac:44:7f:34:ed:6a:83:f7:69:59:
00:28:1b:72:51:52:1d:5f:7f:76:bc:2f:78:80:a6:
95:bd:30:8b:af:f2:21:ba:4c:4d:ce:6f:6e:7a:9e:
74:1e:85:4e:73:22:0f:1c:a7:91:98:ca:0e:66:74:
d9:bb:49:4e:0a:7b:b2:c4:e3:21:69:5d:d1:17:d6:
29:37:02:3e:88:48:34:20:49:e3:8d:18:0c:f2:54:
87:6a:15:2c:b8:67:13:e7:af:3d:ec:91:8c:9a:47:
09:a1:ea:86:60:61:58:07:e5:e3:80:4f:ef:12:b1:
33:b4:bc:9a:d0:21:ef:ca:ba:ea:1f:ef:c6:0e:99:
14:d0:3e:b4:e0:97:20:f3:41:fd:e7:d2:3b:9c:f3:
4f:2e:3e:fc:2e:05:2c:9d:83:2d:a9:eb:30:0a:20:
5a:cc:96:75:e5:b4:30:49:92:77:33:af:5b:a7:ef:
4d:0c:90:53:1a:68:f0:42:fa:6c:d4:af:d3:7c:2e:
27:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:npb.h.bleepbleep.org.uk
X509v3 Subject Key Identifier:
1E:38:F1:54:99:93:61:E5:57:A1:B7:63:44:60:D3:19:BC:50:B4:51
X509v3 Authority Key Identifier:
5E:F4:CF:6A:3A:C2:E7:30:E2:36:4C:64:80:4A:5A:D8:FA:77:6E:F9
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
16:b5:87:36:32:dc:fb:56:ec:d4:bc:c3:59:8f:fa:7f:fa:25:
33:95:38:10:71:53:77:0a:50:ed:7d:1f:de:f3:0d:44:f6:64:
33:1e:52:73:f2:83:a9:08:64:ac:f4:d5:1e:67:1f:d4:c7:d3:
80:7f:71:d6:07:43:b7:7d:90:74:36:46:91:dd:85:1c:12:f9:
5d:74:24:a3:89:e4:f9:3c:68:33:19:59:e9:e9:b4:70:37:48:
81:93:6d:ac:e0:46:90:dd:c4:72:2d:4e:bd:f5:f1:4e:7e:bc:
c7:29:f6:cd:7a:6c:f1:40:81:78:b0:e8:c3:2e:89:b5:07:b8:
8c:d8:e7:5b:34:6c:98:19:45:fe:a1:75:a3:2f:6f:64:56:9b:
6e:37:ed:36:ff:40:90:35:0c:4e:0c:81:20:c4:08:da:b3:85:
ad:44:b4:dd:4f:8a:db:84:c0:93:a7:4c:a6:33:f7:3a:f4:43:
df:98:f8:93:68:03:19:a8:c0:3e:db:d7:c0:76:c2:c4:26:4b:
a5:61:bc:8f:8d:6c:ea:89:75:08:0b:15:ca:40:59:bc:2a:62:
df:a6:2a:b6:ff:9e:b1:4a:80:1f:79:e1:91:1c:f1:f2:2f:a1:
72:d2:0c:5b:51:f8:e0:96:63:87:f2:10:f9:60:4c:8f:24:db:
94:40:30:ae:c1:d3:03:bd:91:f3:2f:0e:ac:a3:b4:b3:f8:01:
de:cf:0f:8f:de:d7:cc:40:15:ea:f7:29:5c:d0:88:a6:6b:5e:
9e:4d:60:7c:ea:d4:18:22:1a:1f:ff:3c:97:30:86:71:8b:e4:
0f:ac:c1:31:97:cd:cf:09:06:c4:a1:f6:0c:d7:ed:c9:3f:b4:
ca:10:64:58:d1:10:68:a6:34:34:74:04:17:f7:e9:13:87:bf:
a9:6f:ed:89:99:51:37:9f:ea:54:bc:6a:88:d5:d0:30:f4:2f:
0e:35:89:a7:74:31:9d:a9:61:6b:f3:3f:3f:83:95:46:a5:3f:
d7:f8:f0:e2:6c:50:f2:b2:d7:11:e1:59:77:55:7e:de:e6:df:
e2:fa:eb:35:be:c0:dc:84:cd:d6:fb:d4:2a:ca:86:63:6a:00:
16:2f:0b:e8:57:a9:22:f0:cc:08:2d:82:c0:45:62:17:85:9d:
11:ce:68:b5:00:65:ac:81:c5:86:2e:80:a2:80:4b:93:25:f4:
9d:e6:ee:54:ef:23:75:09:8e:10:e7:c4:ed:f6:a3:aa:ec:b7:
77:e0:30:8d:de:dc:ac:77:fc:f3:5a:74:ef:13:3e:7f:46:ca:
4b:e4:41:b7:af:a1:d7:f4:c9:2b:6b:03:d0:28:73:f6:76:7b:
b5:c4:6d:6b:d5:e8:f4:dd
✔ ~/fullyssl
12:20 $ ls
CA ca.sh cert.sh domain.crt domain.csr domain.key fully-remote-admin-ca.p12
✔ ~/fullyssl
12:20 $ adb connect
adb: usage: adb connect HOST[:PORT]
✘-1 ~/fullyssl
12:20 $ adb shell
px30_evb:/ $ su
px30_evb:/ # rm -rf /sdcard/fu
fully-deviceID-b0e45b2c-70292860.txt fully-remote-admin-ca.p12
px30_evb:/ # rm -rf /sdcard/fully-remote-admin-ca.p12
px30_evb:/ # adb push
130|px30_evb:/ # ^D
130|px30_evb:/ $ ^D
✘-INT ~/fullyssl
12:20 $ adb push fully-remote-admin-ca.p12 /sdcard/
fully-remote-admin-ca.p12: 1 file pushed, 0 skipped. 15.3 MB/s (2931 bytes in 0.000s)
✔ ~/fullyssl
12:20 $ adb shell
px30_evb:/ $ ls /sdcard/ful
fully-deviceID-b0e45b2c-70292860.txt fully-remote-admin-ca.p12
px30_evb:/ $ ls /sdcard/fully-remote-admin-ca.p12
/sdcard/fully-remote-admin-ca.p12
px30_evb:/ $ ^D
✔ ~/fullyssl
12:21 $ curl -v https://npb.h.bleepbleep.org.uk:2323
* Trying [fe80::b693:6680:ba82:8569]:2323...
* Immediate connect fail for fe80::b693:6680:ba82:8569: No route to host
* Trying 192.168.1.143:2323...
* Connected to npb.h.bleepbleep.org.uk (192.168.1.143) port 2323 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to npb.h.bleepbleep.org.uk:2323
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to npb.h.bleepbleep.org.uk:2323
✘-35 ~/fullyssl
12:22 $ openssl -version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
✔ ~/fullyssl
12:22 $
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment