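--- a/feeder/bin/ca/create-rsa-ca.sh
+++ b/feeder/bin/ca/create-rsa-ca.sh
@@ -0,0 +1,103 @@
+#!/bin/sh -e
+# generates a new simple root CA in the current working directory
+# with two intermediate CAs: "server" and "client"
+
+ca_dir=${CA_DIR:-.}
+country=${CA_COUNTRY:-US}
+organization=${CA_ORGANIZATION:-furemcape}
+
+prepare_ca_dir() {
+ type=$1
+ dir=$ca_dir/$type
+
+ mkdir -p $dir/certs $dir/db $dir/req
+ touch $dir/db/index $dir/db/index.attr
+ test -f $dir/db/serial || openssl rand -hex 16 > $dir/db/serial
+
+ test -f $dir/openssl.cnf || cat <<EOF >$dir/openssl.cnf
+[default]
+default_ca = ca_default
+
+[ca_default]
+dir = $(readlink -f $dir)
+certificate = \$dir/ca.crt
+private_key = \$dir/ca.key
+RANDFILE = \$dir/random
+database = \$dir/db/index
+serial = \$dir/db/serial
+new_certs_dir = \$dir/certs
+default_days = 365
+default_md = sha256
+policy = policy_anything
+
+[policy_anything]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[req]
+distinguished_name = dn
+prompt = no
+
+[dn]
+C = $country
+O = $organization
+OU = $type
+CN = CA
+
+[ca_ext]
+authorityKeyIdentifier = keyid, issuer
+basicConstraints = critical, CA:true
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+
+[usr_ext]
+authorityKeyIdentifier = keyid, issuer
+basicConstraints = critical, CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+EOF
+}
+
+# generate root ca
+prepare_ca_dir root
+test -f $ca_dir/root/ca.key || openssl genrsa -out $ca_dir/root/ca.key
+test -f $ca_dir/root/ca.crt || openssl req -new \
+ -key $ca_dir/root/ca.key \
+ -out $ca_dir/root/ca.csr \
+ -config $ca_dir/root/openssl.cnf
+test -f $ca_dir/root/ca.crt || openssl ca -batch -extensions ca_ext -selfsign \
+ -subj "/C=$country/O=$organization/OU=root/CN=CA" \
+ -in $ca_dir/root/ca.csr \
+ -out $ca_dir/root/ca.crt \
+ -config $ca_dir/root/openssl.cnf
+
+# generate server ca
+prepare_ca_dir server
+test -f $ca_dir/server/ca.key || openssl genrsa -out $ca_dir/server/ca.key
+test -f $ca_dir/server/ca.crt || openssl req -new \
+ -key $ca_dir/server/ca.key \
+ -out $ca_dir/server/ca.csr \
+ -config $ca_dir/root/openssl.cnf
+test -f $ca_dir/server/ca.crt || openssl ca -batch -extensions ca_ext \
+ -subj "/C=$country/O=$organization/OU=server/CN=CA" \
+ -in $ca_dir/server/ca.csr \
+ -out $ca_dir/server/ca.crt \
+ -config $ca_dir/root/openssl.cnf
+
+# generate client ca
+prepare_ca_dir client
+test -f $ca_dir/client/ca.key || openssl genrsa -out $ca_dir/client/ca.key
+test -f $ca_dir/client/ca.crt || openssl req -new \
+ -key $ca_dir/client/ca.key \
+ -out $ca_dir/client/ca.csr \
+ -config $ca_dir/root/openssl.cnf
+test -f $ca_dir/client/ca.crt || openssl ca -batch -extensions ca_ext \
+ -subj "/C=$country/O=$organization/OU=client/CN=CA" \
+ -in $ca_dir/client/ca.csr \
+ -out $ca_dir/client/ca.crt \
+ -config $ca_dir/root/openssl.cnf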
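Review bot: The `ca_ext` section (lines 54–58) is reused unchanged for the two intermediates signed at lines 88 and 101, so `server/ca.crt` and `client/ca.crt` carry `CA:true` with no path-length limit; if either intermediate key leaks, its holder can mint further sub-CAs that chain cleanly to the root. Add a `[sub_ca_ext]` section with `basicConstraints = critical, CA:true, pathlen:0` and sign the intermediates with `-extensions sub_ca_ext`, keeping `ca_ext` for the `-selfsign` root only. The three `openssl genrsa` calls at lines 70, 83 and 96 also write unencrypted keys at the caller's umask (typically 0644) and take whatever modulus size the installed OpenSSL defaults to, so set `umask 077` before anything is written and pass the size explicitly (e.g. `openssl genrsa -out $ca_dir/root/ca.key 4096`). Note too that `default_days = 365` at line 31 governs the CA certificates themselves, so the whole hierarchy expires after a year unless `-days` is passed on those three `openssl ca` calls.
```shell
#!/bin/sh -e
# keys are written at the caller's umask; keep CA private keys owner-only
umask 077

# … unchanged: variable setup, prepare_ca_dir up to and including [ca_ext] …
[sub_ca_ext]
authorityKeyIdentifier = keyid, issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash

# … unchanged: [usr_ext], EOF, root CA generation (still -extensions ca_ext -selfsign) …
test -f $ca_dir/server/ca.key || openssl genrsa -out $ca_dir/server/ca.key 4096
# … unchanged: server CSR …
test -f $ca_dir/server/ca.crt || openssl ca -batch -extensions sub_ca_ext \
# … unchanged: remaining server args; client CA gets the same two changes …
```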
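--- a/feeder/bin/ca/create-rsa-client-cert.sh
+++ b/feeder/bin/ca/create-rsa-client-cert.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# generates a new cert in the client/req dir, named with this script's first
+# arg; eg to create client/req/me@example.com.crt, run:
+# create-rsa-client-cert.sh me@example.com
+
+name=${1:-new}
+ca_dir=${CA_DIR:-.}
+req_dir=$ca_dir/client/req
+country=${CA_COUNTRY:-US}
+organization=${CA_ORGANIZATION:-furemcape}
+
+test -f $req_dir/$name.key || openssl genrsa -out $req_dir/$name.key
+test -f $req_dir/$name.crt || openssl req -new \
+ -key $req_dir/$name.key \
+ -out $req_dir/$name.csr \
+ -config $ca_dir/client/openssl.cnf
+test -f $req_dir/$name.crt || openssl ca -batch -extensions usr_ext \
+ -subj "/C=$country/O=$organization/OU=client/CN=$name" \
+ -in $req_dir/$name.csr \
+ -out $req_dir/$name.crt \
+ -config $ca_dir/client/openssl.cnf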
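Review bot: `$name` comes straight from argv (line 113) and is spliced unquoted into every file path (lines 119–128) and into the `-subj` string at line 125, where a value containing `/` appends extra RDNs to the issued DN (`me/O=other` yields a certificate asserting O=other) and a value with spaces or `..` breaks or redirects the paths. Reject such names before anything is written, e.g. `case $name in ''|*/*|*..*|*[[:space:]]*) echo "bad name: $name" >&2; exit 2 ;; esac`, and quote the expansions. The script also generates the client's private key on the CA side at line 119 and leaves it in `client/req` next to the certificate at the default umask; acceptable for a dev PKI, but it deserves a sentence in the header comment and a `umask 077` ahead of the `openssl genrsa`. The `usr_ext` section applied at line 124 is defined in the sibling create-rsa-ca.sh and, as far as I can see there, sets no `extendedKeyUsage`, so nothing inside the issued certificate marks it as clientAuth-only.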
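--- a/feeder/bin/ca/create-rsa-server-cert.sh
+++ b/feeder/bin/ca/create-rsa-server-cert.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# generates a new cert in the server/req dir, named with this script's first
+# arg; eg to create server/req/www.example.com.crt, run:
+# create-rsa-server-cert.sh www.example.com
+
+name=${1:-new}
+ca_dir=${CA_DIR:-.}
+req_dir=$ca_dir/server/req
+country=${CA_COUNTRY:-US}
+organization=${CA_ORGANIZATION:-furemcape}
+
+test -f $req_dir/$name.key || openssl genrsa -out $req_dir/$name.key
+test -f $req_dir/$name.crt || openssl req -new \
+ -key $req_dir/$name.key \
+ -out $req_dir/$name.csr \
+ -config $ca_dir/server/openssl.cnf
+test -f $req_dir/$name.crt || openssl ca -batch -extensions usr_ext \
+ -subj "/C=$country/O=$organization/OU=server/CN=$name" \
+ -in $req_dir/$name.csr \
+ -out $req_dir/$name.crt \
+ -config $ca_dir/server/openssl.cnf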
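Review bot: The certificate issued at lines 147–151 identifies the host only through `CN=$name`; the CSR built at lines 143–146 carries no subjectAltName and `openssl ca` adds none, so the result has no SAN, and TLS clients that ignore CN for hostname matching (current browsers, Go, recent OpenSSL-based stacks) will reject a cert made for `www.example.com`. Because `usr_ext` lives in the generated `server/openssl.cnf` and is shared with client certificates, the least invasive fix is a per-request extension file passed with `-extfile`, which also lets the server cert carry `extendedKeyUsage = serverAuth`; for an IP literal the entry must be `IP:` rather than `DNS:`. As in the client script, `$name` is unquoted and unvalidated on its way into the paths and the `-subj` string at line 148, so a value containing `/` alters the issued DN.
```shell
# … unchanged: variable setup, key and CSR generation …
# openssl ca does not carry a SAN over from the CSR; supply it here so the
# cert names the host as DNS:$name (CN alone is not matched by modern clients)
test -f $req_dir/$name.crt || cat <<EOF >$req_dir/$name.ext
[server_ext]
authorityKeyIdentifier = keyid, issuer
basicConstraints = critical, CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
subjectAltName = DNS:$name
EOF
test -f $req_dir/$name.crt || openssl ca -batch \
 -extfile $req_dir/$name.ext -extensions server_ext \
 -subj "/C=$country/O=$organization/OU=server/CN=$name" \
# … unchanged: -in / -out / -config arguments …
```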