SSL Key Generator
#!/bin/bash | |
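# Print the command-line help to stdout and exit with status 99.
# Called for -help / -? and from checkargs whenever an option is missing or
# malformed, so it never returns to its caller.
# Fix: the synopsis previously omitted the -ecc and -csr switches that
# checkargs accepts, and -h/-src descriptions were misleading.
printusage() {
  echo
  printf 'Usage: %s [-c FQDN] [-p PREFIX] [-h HASHSIZE] [-k KEYSIZE] [-e EXPIRATION] [-src override.txt]\n' "$0"
  printf '\t\t\t [-f openssl.cnf] [-o /directory] [-ecc] [-csr] [-nopass] [-noks] [-nots]\n'
  cat <<'EOF'
---------------------------------
 -c FQDN          Specify the common name for certificate
 -p PREFIX        Set the filename prefix
 -h HASHSIZE      SHA digest size in bits used for the signature: 256, 384 or 512 (default: 512)
 -k KEYSIZE/CURVE Specify key size/type (default: 2048 for RSA and secp384r1 for ECC)
 -e EXPIRATION    Set the certificate expiration (default: 365 days)
 -src FILENAME    Source an environment file (executed as shell code) before executing any commands
 -f FILENAME      Specify an openssl configuration file
 -o DIRECTORY     Output to a target directory
 -ecc             Generate a ECC private key (default: rsa)
 -nopass          Generate keyfile without a password
 -noks            Do not generate a java keystore
 -nots            Do not generate a java truststore
 -csr             Only generate a CSR
 -help | -h | -?  Print this help

EOF
  exit 99
}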
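# True (exit 0) when the value in $1 is unusable as an option argument: empty,
# or something that looks like the next option.  This is what makes
# "-c -p foo" fail instead of silently taking "-p" as the FQDN.
missing_value() {
  [[ -z "$1" || "$1" == -* ]]
}

# Parse the command line into the globals the rest of the script reads:
#   FQDN FILE_PREFIX HASH_SIZE CIPHER EXPIRE_DAY DEST_DIRECTORY CONFIG
#   ECC NOPASS NOKS NOTS CSR
# Any option with a missing or malformed value prints a message and calls
# printusage, which exits 99.
# Fixes: the -f and -src error messages were swapped; -h was unreachable as a
# help switch because the HASHSIZE arm shadowed it; HASHSIZE and EXPIRATION
# are now checked to be integers (they are interpolated into -sha<N>/-days).
checkargs() {
  while [[ $# -ne 0 ]]; do
    case "$1" in
      -c)
        shift
        if missing_value "$1"; then
          echo "The -c option requires a FQDN parameter!"
          printusage
        else
          FQDN="$1"
        fi
        ;;
      -p)
        shift
        if missing_value "$1"; then
          echo "The -p option requires a name parameter that will become the filename for all files generated by this script!"
          printusage
        else
          FILE_PREFIX="$1"
        fi
        ;;
      -h)
        # -h is overloaded: "-h 256" sets the digest size, a bare "-h" (or one
        # followed by another option) is the help request listed in the usage.
        if [[ -n "$2" && "$2" =~ ^[0-9]+$ ]]; then
          shift
          HASH_SIZE="$1"
        elif missing_value "$2"; then
          printusage
        else
          echo "The -h option requires a numeric hash size parameter (256, 384 or 512)!"
          printusage
        fi
        ;;
      -k)
        shift
        if missing_value "$1"; then
          echo "The -k option requires a key size parameter! RSA Examples: 2048, 4096 ECC Examples: secp256r1, secp384r1"
          echo "To list supported curves: openssl ecparam -list_curves"
          printusage
        else
          CIPHER="$1"
        fi
        ;;
      -e)
        shift
        if missing_value "$1" || ! [[ "$1" =~ ^[0-9]+$ ]]; then
          echo "The -e option requires an expiration date parameter in number of days!"
          printusage
        else
          EXPIRE_DAY="$1"
        fi
        ;;
      -o)
        shift
        if missing_value "$1"; then
          echo "The -o option requires an output directory parameter! The current directory is the default."
          printusage
        else
          # Trailing slash so it can be concatenated directly with FILE_PREFIX.
          DEST_DIRECTORY="$1/"
        fi
        ;;
      -f)
        shift
        if missing_value "$1"; then
          echo "The -f option requires an openssl config filename parameter!"
          printusage
        else
          CONFIG="$1"
        fi
        ;;
      -src)
        shift
        if missing_value "$1"; then
          echo "The -src option requires an environment file parameter!"
          printusage
        elif [[ -f "$1" ]]; then
          echo "Sourcing environment file: $1"
          # NOTE(security): the file is executed as shell code with this
          # script's privileges and can redefine any variable (including the
          # *_PASSWD values).  Only point it at a file you control.
          source "$1"
        else
          echo "Could not load override file: $1"
          printusage
        fi
        ;;
      -ecc)
        ECC=true
        ;;
      -nopass)
        NOPASS=true
        ;;
      -noks)
        NOKS=true
        ;;
      -nots)
        NOTS=true
        ;;
      -csr)
        CSR=true
        ;;
      -help|'-?')
        printusage
        ;;
      *)
        echo "Unknown option: $1"
        printusage
        ;;
    esac
    shift
  done
}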
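# ---------------------------------------------------------------------------
# Defaults.  Every value can be overridden by an -src environment file
# (sourced inside checkargs); the four *_PASSWD values can also be supplied
# through the caller's environment.
# ---------------------------------------------------------------------------
C="US"
ST="California"
L="San Francisco"
O="Acme Corp."
OU="Operations"
EMAIL="[email protected]"
EXPIRE_DAY=365
KEYSTORE_SUFFIX=keystore
TRUSTSTORE_SUFFIX=truststore
# NOTE(security): "password" is a placeholder, not a secret.  Set these in the
# environment or an -src file for anything beyond local testing.  They are
# passed to openssl (env:NAME) and keytool (:env NAME) via the environment
# instead of as "pass:..." arguments so they are not visible in `ps` output.
CERT_PASSWD="${CERT_PASSWD:-password}"
P12_PASSWD="${P12_PASSWD:-password}"
JKS_PASSWD="${JKS_PASSWD:-password}"
JTS_PASSWD="${JTS_PASSWD:-password}"
CERT_EXT=".crt"

checkargs "$@"

# Export after checkargs so values set by an -src file are the ones the tools
# read.
export CERT_PASSWD P12_PASSWD JKS_PASSWD JTS_PASSWD

OPENSSL_BIN="$(command -v openssl)" || { echo "openssl not found in PATH" >&2; exit 1; }

FQDN="${FQDN:-$(hostname)}"
FILE_PREFIX="${FILE_PREFIX:-$(hostname)}"
HASH_SIZE="${HASH_SIZE:-512}"

if [[ -n "${DEST_DIRECTORY}" ]]; then
  mkdir -p -- "${DEST_DIRECTORY}" || exit 1
fi
OUT="${DEST_DIRECTORY}${FILE_PREFIX}"
KEY_FILE="${OUT}.key"
CERT_FILE="${OUT}${CERT_EXT}"

# ./openssl.cnf is only a fallback when no -f was given.  It must not override
# an explicit -f: the working directory may not be trusted, and the config
# decides which extensions (subjectAltName, keyUsage, CA:TRUE) end up in the
# certificate or CSR.
if [[ -z "${CONFIG}" && -f "openssl.cnf" ]]; then
  CONFIG="openssl.cnf"
fi
CONFIG_OPTS=()
if [[ -n "${CONFIG}" ]]; then
  CONFIG_OPTS=(-config "${CONFIG}")
fi

# Pass-phrase handling for "openssl req" and the PKCS#12 export.  OPTIONS, if
# an -src file set it, is appended to the req arguments and intentionally
# word-split.
# shellcheck disable=SC2086
if [[ "${NOPASS}" == "true" ]]; then
  REQ_PASS_OPTS=(-nodes ${OPTIONS})
  P12_PASS_OPTS=(-passout env:P12_PASSWD)
else
  REQ_PASS_OPTS=(-passin env:CERT_PASSWD -passout env:CERT_PASSWD ${OPTIONS})
  P12_PASS_OPTS=(-passin env:CERT_PASSWD -passout env:P12_PASSWD)
fi

# Reuse an existing private key, otherwise generate one.  The ECC curve
# parameters are written next to the other outputs so -o applies to them too.
if [[ -f "${KEY_FILE}" ]]; then
  KEY_OPTS=(-key "${KEY_FILE}")
  NEW_KEY=false
else
  if [[ "${ECC}" == "true" ]]; then
    CIPHER="${CIPHER:-secp384r1}"
    EC_PARAMS="${OUT}.${CIPHER}.pem"
    "${OPENSSL_BIN}" ecparam -name "${CIPHER}" -out "${EC_PARAMS}" || exit 1
    NEWKEY_SPEC="ec:${EC_PARAMS}"
  else
    CIPHER="${CIPHER:-2048}"
    NEWKEY_SPEC="rsa:${CIPHER}"
  fi
  KEY_OPTS=(-newkey "${NEWKEY_SPEC}" -keyout "${KEY_FILE}")
  NEW_KEY=true
fi

SUBJECT="/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${FQDN}/emailAddress=${EMAIL}"

# Restrict a freshly written private key to its owner.  Older OpenSSL releases
# create -keyout files honouring only the umask (typically 0644); newer ones
# already use 0600, in which case this is a no-op.  An existing key is left
# untouched.
protect_key() {
  if [[ "${NEW_KEY}" == true ]]; then
    chmod 600 "${KEY_FILE}"
  fi
}

if [[ "${CSR}" == "true" ]]; then
  # No -days here: it only applies together with -x509 and newer OpenSSL
  # warns that it is being ignored.
  "${OPENSSL_BIN}" req -new "${REQ_PASS_OPTS[@]}" "${KEY_OPTS[@]}" -rand /dev/urandom \
    "${CONFIG_OPTS[@]}" -subj "${SUBJECT}" "-sha${HASH_SIZE}" -out "${OUT}.csr" || exit 1
  protect_key
  "${OPENSSL_BIN}" req -text -verify -in "${OUT}.csr" > "${OUT}-csr.info"
else
  # NOTE: without a -f config that adds a subjectAltName the self-signed cert
  # carries the host only in CN; most current TLS clients require a SAN.
  "${OPENSSL_BIN}" req -new -x509 "${REQ_PASS_OPTS[@]}" "${KEY_OPTS[@]}" -rand /dev/urandom \
    "${CONFIG_OPTS[@]}" -subj "${SUBJECT}" "-sha${HASH_SIZE}" -days "${EXPIRE_DAY}" \
    -out "${CERT_FILE}" || exit 1
  protect_key
  # -nodes is not passed to the export: it is a parse-time option with no
  # effect on -export; the key inside the .p12 is protected by P12_PASSWD.
  "${OPENSSL_BIN}" pkcs12 -export "${P12_PASS_OPTS[@]}" -in "${CERT_FILE}" \
    -inkey "${KEY_FILE}" -out "${OUT}.p12" || exit 1
  "${OPENSSL_BIN}" x509 -noout -fingerprint -text < "${CERT_FILE}" > "${OUT}.info"

  # Presumably puts the JDK's keytool on PATH on hosts that ship this file.
  if [[ -f /etc/profile.d/java.sh ]]; then
    source /etc/profile.d/java.sh
  fi

  # Keystore and truststore are independent: -noks and -nots each disable only
  # their own artifact (previously the truststore was built only when -noks was
  # given, contradicting the usage text).  Existing stores are removed first so
  # keytool does not prompt about an existing alias.
  if [[ "${NOKS}" != "true" ]]; then
    KEYSTORE="${OUT}.${KEYSTORE_SUFFIX}"
    rm -f -- "${KEYSTORE}"
    keytool -importkeystore -srckeystore "${OUT}.p12" -srcstoretype pkcs12 \
      -alias 1 -destalias "${FILE_PREFIX}" \
      -srcstorepass:env P12_PASSWD -deststorepass:env JKS_PASSWD \
      -destkeystore "${KEYSTORE}"
  fi
  if [[ "${NOTS}" != "true" ]]; then
    TRUSTSTORE="${OUT}.${TRUSTSTORE_SUFFIX}"
    rm -f -- "${TRUSTSTORE}"
    keytool -import -trustcacerts -noprompt -storepass:env JTS_PASSWD \
      -alias "${FILE_PREFIX}" -file "${CERT_FILE}" -keystore "${TRUSTSTORE}"
  fi
fi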