strgonswan-create-certs.sh

#!/usr/bin/env bash 

function create_ca(){
  #
  ipsec pki --gen > ${CA_KEY}
  ipsec pki --self --in ${CA_KEY} --ca --dn "C=JP, O=strongSwan, CN=${SRV_NAME} CA" > ${CA_CRT}
}
function create_server_crt(){
  #
  ipsec pki --gen > ${SRV_KEY}
  ipsec pki --pub --in ${SRV_KEY} | \
      ipsec pki \
        --issue --cacert ${CA_CRT} \
        --cakey ${CA_KEY} --san ${SRV_NAME} \
        --flag serverAuth --dn "C=JP, O=strongSwan, CN=${SRV_NAME}" > ${SRV_CRT}
}
function create_client_crt(){
  [[ -z $USERNAME ]]  && USERNAME=takuya
  [[ -z $PASSWORD ]]  && PASSWORD=my_own_password

  ipsec pki --gen --outform pem > "${USERNAME}.key.pem"
  ipsec pki --pub --in "${USERNAME}.key.pem" | \
  ipsec pki --issue --cacert $CA_CRT  \
     --cakey $CA_KEY \
     --dn "CN=${USERNAME}" \
     --san "${USERNAME}" \
     --outform pem \
     --flag clientAuth --outform pem  > "${USERNAME}.cert.pem"
  openssl pkcs12 \
    -in "${USERNAME}.cert.pem" \
    -inkey "${USERNAME}.key.pem" \
    -certfile ${CA_CRT} \
    -export \
    -out "${USERNAME}.cert.key.p12" \
    -password "pass:${PASSWORD}"
  openssl x509  -in "${USERNAME}.cert.pem" -noout -text
  openssl pkcs12   -info -nodes -in "${USERNAME}.cert.key.p12" -password "pass:${PASSWORD}"
}

function main(){
  CA_KEY=ca.key
  CA_CRT=ca.crt
  SRV_KEY=server.key
  SRV_CRT=server.crt
  SRV_NAME=s01.lxd
  OUT_PATH=./out
  ## 
  [[ -e  ${OUT_PATH} ]] && rm -rf ${OUT_PATH}
  mkdir ${OUT_PATH}
  cd ${OUT_PATH}

  ## ca.crt / 自己認証局作成
  create_ca;
  ## server.crt / サーバー証明書作成
  create_server_crt;
  ## client.crt / クライアント用の証明書作成。
  create_client_crt;
  ### サーバーへの証明書の配置
  ls -alt 
  move_files;

  ## 後始末
	cd - 
}
function move_files(){

	rm /etc/ipsec.d/cacerts/*
	rm /etc/ipsec.d/certs/*
	rm /etc/ipsec.d/private/*

	cp ${CA_KEY} /etc/ipsec.d/private/
	cp ${CA_CRT} /etc/ipsec.d/cacerts/

	chmod 600 /etc/ipsec.d/private/$CA_KEY
	chmod 600 /etc/ipsec.d/cacerts/$CA_CRT
	chown root:root /etc/ipsec.d/private/$CA_KEY
	chown root:root /etc/ipsec.d/cacerts/$CA_CRT
}

main;