
b05c375a7b3d33b4b8846ee3042f2a0348bb2771 — Justin Ludwig 1 year, 6 months ago 172be39
simple openssl ca scripts for feeder tls

Signed-off-by: Justin Ludwig <justin@arcemtene.com>
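--- /dev/null
+++ b/feeder/bin/ca/create-rsa-ca.sh
@@ -0,0 +1,103 @@
+#!/bin/sh -e
+# generates a new simple root CA in the current working directory
+# with two intermediate CAs: "server" and "client"
+
+ca_dir=${CA_DIR:-.}
+country=${CA_COUNTRY:-US}
+organization=${CA_ORGANIZATION:-furemcape}
+
+prepare_ca_dir() {
+    type=$1
+    dir=$ca_dir/$type
+
+    mkdir -p $dir/certs $dir/db $dir/req
+    touch $dir/db/index $dir/db/index.attr
+    test -f $dir/db/serial || openssl rand -hex 16 > $dir/db/serial
+
+    test -f $dir/openssl.cnf || cat <<EOF >$dir/openssl.cnf
+[default]
+default_ca = ca_default
+
+[ca_default]
+dir = $(readlink -f $dir)
+certificate = \$dir/ca.crt
+private_key = \$dir/ca.key
+RANDFILE = \$dir/random
+database = \$dir/db/index
+serial = \$dir/db/serial
+new_certs_dir = \$dir/certs
+default_days = 365
+default_md = sha256
+policy = policy_anything
+
+[policy_anything]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[req]
+distinguished_name = dn
+prompt = no
+
+[dn]
+C = $country
+O = $organization
+OU = $type
+CN = CA
+
+[ca_ext]
+authorityKeyIdentifier = keyid, issuer
+basicConstraints = critical, CA:true
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+
+[usr_ext]
+authorityKeyIdentifier = keyid, issuer
+basicConstraints = critical, CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+EOF
+}
+
+# generate root ca
+prepare_ca_dir root
+test -f $ca_dir/root/ca.key || openssl genrsa -out $ca_dir/root/ca.key
+test -f $ca_dir/root/ca.crt || openssl req -new \
+    -key $ca_dir/root/ca.key \
+    -out $ca_dir/root/ca.csr \
+    -config $ca_dir/root/openssl.cnf
+test -f $ca_dir/root/ca.crt || openssl ca -batch -extensions ca_ext -selfsign \
+    -subj "/C=$country/O=$organization/OU=root/CN=CA" \
+    -in $ca_dir/root/ca.csr \
+    -out $ca_dir/root/ca.crt \
+    -config $ca_dir/root/openssl.cnf
+
+# generate server ca
+prepare_ca_dir server
+test -f $ca_dir/server/ca.key || openssl genrsa -out $ca_dir/server/ca.key
+test -f $ca_dir/server/ca.crt || openssl req -new \
+    -key $ca_dir/server/ca.key \
+    -out $ca_dir/server/ca.csr \
+    -config $ca_dir/root/openssl.cnf
+test -f $ca_dir/server/ca.crt || openssl ca -batch -extensions ca_ext \
+    -subj "/C=$country/O=$organization/OU=server/CN=CA" \
+    -in $ca_dir/server/ca.csr \
+    -out $ca_dir/server/ca.crt \
+    -config $ca_dir/root/openssl.cnf
+
+# generate client ca
+prepare_ca_dir client
+test -f $ca_dir/client/ca.key || openssl genrsa -out $ca_dir/client/ca.key
+test -f $ca_dir/client/ca.crt || openssl req -new \
+    -key $ca_dir/client/ca.key \
+    -out $ca_dir/client/ca.csr \
+    -config $ca_dir/root/openssl.cnf
+test -f $ca_dir/client/ca.crt || openssl ca -batch -extensions ca_ext \
+    -subj "/C=$country/O=$organization/OU=client/CN=CA" \
+    -in $ca_dir/client/ca.csr \
+    -out $ca_dir/client/ca.crt \
+    -config $ca_dir/root/openssl.cnf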
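Review bot: The server and client intermediates on L94 and L107 are signed with the same `ca_ext` as the root, whose `basicConstraints = critical, CA:true` carries no path-length limit, so either intermediate can itself issue further CA certificates; a separate `[sub_ca_ext]` section with `pathlen:0` in the generated config, selected with `-extensions sub_ca_ext` on those two lines, confines them to end-entity issuance (shown below). The CA private keys on L76, L89 and L102 are written unencrypted with no umask set and no key size given, so their file mode and modulus length depend on the caller's environment and this OpenSSL's default; `umask 077` after the shebang and an explicit size such as `openssl genrsa -out "$ca_dir/root/ca.key" 4096` make both deterministic. Because none of the `openssl ca` calls pass `-days`, the root and both intermediates inherit `default_days = 365` from L37 and expire after one year together with the leaf certs, which is presumably not intended for a root. Finally, `-e` lives only in the shebang and is lost when the script is run as `sh create-rsa-ca.sh`; `set -e` as the first statement is the robust form, and both this and the umask point apply equally to create-rsa-client-cert.sh and create-rsa-server-cert.sh in this commit.
```shell
# … unchanged: heredoc through the [ca_ext] section …
[sub_ca_ext]
authorityKeyIdentifier = keyid, issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
# … unchanged: [usr_ext] section, EOF, root CA generation …
test -f $ca_dir/server/ca.crt || openssl ca -batch -extensions sub_ca_ext \
# … unchanged: remaining server CA arguments …
test -f $ca_dir/client/ca.crt || openssl ca -batch -extensions sub_ca_ext \
# … unchanged: remaining client CA arguments …
```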

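--- /dev/null
+++ b/feeder/bin/ca/create-rsa-client-cert.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# generates a new cert in the client/req dir, named with this script's first
+# arg; eg to create client/req/me@example.com.crt, run:
+# create-rsa-client-cert.sh me@example.com
+
+name=${1:-new}
+ca_dir=${CA_DIR:-.}
+req_dir=$ca_dir/client/req
+country=${CA_COUNTRY:-US}
+organization=${CA_ORGANIZATION:-furemcape}
+
+test -f $req_dir/$name.key || openssl genrsa -out $req_dir/$name.key
+test -f $req_dir/$name.crt || openssl req -new \
+    -key $req_dir/$name.key \
+    -out $req_dir/$name.csr \
+    -config $ca_dir/client/openssl.cnf
+test -f $req_dir/$name.crt || openssl ca -batch -extensions usr_ext \
+    -subj "/C=$country/O=$organization/OU=client/CN=$name" \
+    -in $req_dir/$name.csr \
+    -out $req_dir/$name.crt \
+    -config $ca_dir/client/openssl.cnf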
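Review bot: `name` on L120 comes straight from argv and is spliced unvalidated into both the file paths on L126–L135 and the `-subj` string on L132, where `/` begins a new RDN, so an argument containing `/`, `..` or whitespace either writes outside `client/req` or changes the issued subject; a guard such as `case $name in ''|*[!A-Za-z0-9@._-]*) echo "invalid name: $name" >&2; exit 1;; esac` before L126 keeps the filename and the CN the same string. The expansions of `$req_dir` and `$name` on those lines are also unquoted, so a `CA_DIR` containing spaces splits the arguments. The `usr_ext` section this certificate is signed with (defined by create-rsa-ca.sh, not in this hunk) has no `extendedKeyUsage = clientAuth`; whether that matters depends on what the feeder's TLS peer checks.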

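--- /dev/null
+++ b/feeder/bin/ca/create-rsa-server-cert.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# generates a new cert in the server/req dir, named with this script's first
+# arg; eg to create server/req/www.example.com.crt, run:
+# create-rsa-server-cert.sh www.example.com
+
+name=${1:-new}
+ca_dir=${CA_DIR:-.}
+req_dir=$ca_dir/server/req
+country=${CA_COUNTRY:-US}
+organization=${CA_ORGANIZATION:-furemcape}
+
+test -f $req_dir/$name.key || openssl genrsa -out $req_dir/$name.key
+test -f $req_dir/$name.crt || openssl req -new \
+    -key $req_dir/$name.key \
+    -out $req_dir/$name.csr \
+    -config $ca_dir/server/openssl.cnf
+test -f $req_dir/$name.crt || openssl ca -batch -extensions usr_ext \
+    -subj "/C=$country/O=$organization/OU=server/CN=$name" \
+    -in $req_dir/$name.csr \
+    -out $req_dir/$name.crt \
+    -config $ca_dir/server/openssl.cnf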
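Review bot: The server certificate issued on L155 gets only `usr_ext`, which carries no `subjectAltName`, so TLS clients that no longer fall back to the CN (current browsers, Go's crypto/x509) will reject it for `www.example.com` even though the CN matches. Since the CSR is produced by this script itself, the least invasive fix is `-addext "subjectAltName=DNS:$name"` on the `openssl req` call at L151 together with `copy_extensions = copy` under `[ca_default]` in the config that create-rsa-ca.sh writes; copying CSR extensions is acceptable only because the CSR never comes from an untrusted party here, and `-addext` needs OpenSSL 1.1.1 or later. Adding `extendedKeyUsage = serverAuth` to the same extension section would also stop a server cert being accepted as a client cert by peers that check EKU. As in create-rsa-client-cert.sh, `name` on L144 reaches the paths on L150–L159 and the `-subj` on L156 unvalidated; the same `case` guard applies.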