@sgnn7
Last active October 12, 2017 13:28
Script to easily generate a CSR even if you have SAN names
#!/bin/bash -e
set -o pipefail
umask 077   # every file this script writes (the key above all) starts out 0600

BITS=${BITS:-4096}
# Passphrase for the encrypted copy of the private key. Uses apg when it is
# installed, otherwise falls back to openssl's CSPRNG.
if command -v apg >/dev/null 2>&1; then
    KEY_ENCRYPTION_PASS=$(apg -a 1 -E '?|$%()\<>^!*`{}[],.' -m 16 -n 1)
else
    KEY_ENCRYPTION_PASS=$(openssl rand -base64 18)
fi

if [ $# -lt 2 ]; then
    echo "Usage: $0 <FQDN> [ <subjAltName> ... ] <CSR challenge pass>" >&2
    exit 1
fi

FQDN="$1"
shift
# Everything between the FQDN and the last argument is a subjectAltName;
# the last argument is the PKCS#10 challenge password.
SUBJ_ALT_NAMES=("${@:1:$(($#-1))}")
CHALLENGE_PASSWORD="${!#}"

echo "commonName: $FQDN"
for alt_name in "${SUBJ_ALT_NAMES[@]}"; do
    echo "subjAltName: $alt_name"
done
echo "Challenge: $CHALLENGE_PASSWORD"

# Always put the FQDN (and every extra name) into subjectAltName: browsers
# such as Firefox ignore commonName and require the SAN extension. Most CAs
# copy the SANs from the CSR, so setting them here means the request already
# says what the certificate should contain.
san_string="DNS:${FQDN}"
for name in "${SUBJ_ALT_NAMES[@]}"; do
    san_string+=",DNS:${name}"
done

# The whole request is described in a temporary config with prompt = no.
# challengePassword is a PKCS#10 attribute, not a subject DN component, so it
# belongs in the attributes section; passing it via -subj would embed it in
# the DN instead. The value must not contain double quotes or backslashes.
REQ_CONF=$(mktemp)
trap 'rm -f "${REQ_CONF}"' EXIT
cat > "${REQ_CONF}" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
attributes         = req_attributes
req_extensions     = req_ext

[ req_dn ]
C            = US
ST           = REPLACEME
O            = REPLACEME
localityName = REPLACEME
commonName   = ${FQDN}
emailAddress = REPLACEME

[ req_attributes ]
challengePassword = "${CHALLENGE_PASSWORD}"

[ req_ext ]
subjectAltName = ${san_string}
EOF

echo "Creating ${BITS}-bit key..."
openssl genrsa -out "${FQDN}.key" "${BITS}"

echo "Creating CSR..."
echo "Using subjectAltName: ${san_string}"
openssl req -new -sha256 \
    -config "${REQ_CONF}" \
    -key "${FQDN}.key" -out "${FQDN}.csr"
echo "Using subject: $(openssl req -in "${FQDN}.csr" -noout -subject)"

echo "Encrypting private key..."
# --batch and --pinentry-mode loopback are required for --passphrase-fd to be
# honoured on GnuPG 2.1 and later.
echo "${KEY_ENCRYPTION_PASS}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
    -c --cipher-algo AES256 --force-mdc "${FQDN}.key"
echo "Verifying encryption on private key..."
echo "${KEY_ENCRYPTION_PASS}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
    -d --output "${FQDN}.key_tmp" "${FQDN}.key.gpg"
# The round trip must reproduce the original key byte for byte.
cmp -s "${FQDN}.key" "${FQDN}.key_tmp"
echo "Encryption verified!"
echo "Cleaning up..."
rm -f "${FQDN}.key" "${FQDN}.key_tmp"
echo "GPG key for ${FQDN} is: ${KEY_ENCRYPTION_PASS}"
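Added check, not part of the gist above: before handing a CSR to a CA it is worth confirming that it actually carries what the comment about Firefox says it must, namely a subjectAltName extension that lists the commonName as a DNS name, on top of a verifying self-signature and an adequately sized key. The function name csr_check and its argument order are choices made here; the only assumption is that openssl is on PATH.

```bash
#!/bin/bash
# Sanity-check a CSR before submitting it to a CA (added example, not from the gist).
# Checks: (1) the CSR's self-signature verifies, (2) the RSA key has at least
# min_bits, (3) a DNS subjectAltName is present, (4) the CN is among the SANs,
# because browsers ignore the CN. Assumes only `openssl` on PATH.
#
# Usage: csr_check <file.csr> [min_bits]   -> exit status 0 when every check passes

csr_check() {
    local csr="$1" min_bits="${2:-2048}" failed=0 text bits cn sans

    # (1) The request must be signed by the key whose public half it carries.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: self-signature does not verify"
        failed=1
    fi

    text=$(openssl req -in "$csr" -noout -text) || return 1

    # (2) Key size, taken from the "Public-Key: (4096 bit)" line.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-?} bits, need >= $min_bits"
        failed=1
    fi

    # CN from the subject in RFC 2253 form, so components are separated by bare commas.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n1)

    # (3) DNS names from the line that follows "X509v3 Subject Alternative Name:".
    sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1 \
           | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
    if [ -z "$sans" ]; then
        echo "FAIL: no DNS subjectAltName (browsers ignore the CN)"
        failed=1
    # (4) The CN must also appear as a SAN or the certificate will not match it.
    elif [ -n "$cn" ] && ! printf '%s\n' "$sans" | grep -qxF "$cn"; then
        echo "FAIL: CN '$cn' is not among the SANs: $(printf '%s' "$sans" | tr '\n' ' ')"
        failed=1
    fi

    if [ "$failed" -eq 0 ]; then
        echo "OK: $csr (CN=$cn, ${bits}-bit key, SANs: $(printf '%s' "$sans" | tr '\n' ' '))"
    fi
    return "$failed"
}

if [ "$#" -gt 0 ]; then
    csr_check "$@"
fi
```

Run it as `./csr_check.sh example.com.csr 4096` right after generating the request; a non-zero exit status plus a FAIL line tells you what to regenerate before the CA does.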