support creating a CA and using a previously generated ca to sign new certs.
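#!/usr/bin/env bash
# certgen.sh - batch-generate keys, CSRs and certificates from ./certgen.data.
#
# Every non-empty, non-comment line of certgen.data is whitespace-split into:
#   field 1  type    : CA  -> self-signed CA (stays in output/<name>)
#                      SGN -> leaf signed by ./ca, moved to output/sgn/<name>
#                      CRT -> self-signed leaf, moved to output/crt/<name>
#                      anything else -> key + CSR only, moved to output/csr/<name>
#   field 2  name    : output directory name; also the CN of leaf certificates
#   field 3  subject : subject prefix such as "/O=Org/OU=Unit/" ("CN=<name>/" is
#                      appended for leaves; used verbatim for a CA)
#   field 4  sans    : optional comma-separated extra DNS names (leaves only)
#
# Needs openssl.cnf next to this script. CA_PATH is exported because that
# config presumably resolves the CA database through $ENV::CA_PATH -- verify.
set -euo pipefail

MYPWD=$(pwd)
readonly MYPWD
# 0027: files (including private keys) are created 0640 and directories 0750.
# Use 0077 instead if group members must not be able to read the keys.
umask 0027

# Path of the per-certificate openssl config currently in use (see make_leaf);
# empty when none exists. Removed by the EXIT trap on any exit path.
TMP_CNF=""

#######################################
# Print the given lines to stderr and exit.
# Arguments: $1 - exit status, $2.. - message lines
#######################################
die() {
  local rc=$1
  shift
  printf '%s\n' "$@" >&2
  exit "$rc"
}

#######################################
# Remove the temporary openssl config if one is still around.
# Globals: TMP_CNF (read)
#######################################
cleanup() {
  if [[ -n "${TMP_CNF:-}" ]]; then
    rm -f -- "$TMP_CNF"
  fi
}
trap cleanup EXIT

#######################################
# Refuse names that cannot safely be used as a path component under output/.
# Arguments: $1 - name from certgen.data
# Returns:   0 if acceptable; exits 1 otherwise
#######################################
check_name() {
  local name=$1
  # No path separators, no "." / "..", and nothing an option parser would eat.
  if [[ -z "$name" || "$name" == */* || "$name" == . || "$name" == .. || "$name" == -* ]]; then
    die 1 "*** ERROR - INVALID NAME '${name}' ***" "*** ABORTED ***"
  fi
}

#######################################
# Copy openssl.cnf to $1 and append one "DNS.N = <name>" line per non-empty
# entry of the comma-separated list $2 (they land in the config's last section,
# which is expected to be the alt_names section of openssl.cnf).
# Globals:   MYPWD (read)
# Arguments: $1 - destination file, $2 - comma-separated DNS names
#######################################
write_san_config() {
  local dest=$1 names=$2
  local -a list=()
  local entry counter=0
  # ">" keeps the destination's existing (0600, from mktemp) mode.
  cat -- "${MYPWD}/openssl.cnf" > "$dest"
  IFS=',' read -r -a list <<< "$names"
  for entry in "${list[@]}"; do
    if [[ -z "$entry" ]]; then
      continue
    fi
    counter=$((counter + 1))
    printf 'DNS.%d = %s\n' "$counter" "$entry" >> "$dest"
  done
}

#######################################
# Create a self-signed CA in the current directory (output/<name>).
# Globals:   MYPWD (read), CA_PATH (written)
# Arguments: $1 - full subject string
#######################################
make_ca() {
  local subject=$1
  mkdir -m 0700 certs crl newcerts
  touch index.txt
  # This directory is the CA database for the openssl ca call below.
  export CA_PATH="./"
  # -nodes: the CA key is stored unencrypted; the ca/ directory it is moved
  # to must be protected accordingly.
  openssl req -batch -new -newkey rsa:4096 -keyout ca.key -out ca.csr -nodes \
    -subj "$subject" -reqexts v3_ca_req -config "${MYPWD}/openssl.cnf"
  openssl ca -batch -create_serial -out ca.crt -days 3650 -keyfile ca.key \
    -selfsign -extensions v3_ca -config "${MYPWD}/openssl.cnf" -infiles ca.csr
}

#######################################
# Create key + CSR for a leaf in the current directory (output/<name>) and,
# depending on the type, sign it with ./ca (SGN) or self-sign it (CRT).
# Globals:   MYPWD (read), TMP_CNF (written)
# Arguments: $1 - type, $2 - name, $3 - subject prefix, $4 - extra DNS names
# Returns:   exits 2 when type is SGN and no ca/ directory exists
#######################################
make_leaf() {
  local kind=$1 name=$2 subject=$3 sans=$4

  # Per-certificate config with the SANs appended. Created with mktemp inside
  # output/ rather than at the fixed path /tmp/certgen.cnf, which any other
  # user on the host could pre-create or replace between the write and the
  # openssl calls that read it.
  TMP_CNF=$(mktemp "${MYPWD}/output/certgen.XXXXXX") || die 1 "mktemp failed"
  write_san_config "$TMP_CNF" "${name},${sans}"

  # genrsa only prints progress to stderr; a failure still aborts via set -e.
  openssl genrsa -out "${name}.key" 4096 2>/dev/null
  openssl req -new -key "${name}.key" -out "${name}.csr" -utf8 -batch \
    -subj "${subject}CN=${name}/" -config "$TMP_CNF"

  case "$kind" in
    SGN)
      # Check the same location the signing step actually uses.
      if [[ ! -d "${MYPWD}/ca/" ]]; then
        die 2 "*** ERROR - NO CA DATA FOUND ***" \
          "*** maybe generate a CA and move it to ca first ***" \
          "copy template: mv output/SomeNet ca" \
          "*** ABORTED ***"
      fi
      # NOTE(review): this signs with "-extensions v3_ca" from the stock
      # openssl.cnf, so the leaf receives whatever that section defines, and
      # the DNS names written to $TMP_CNF only reach it if openssl.cnf sets
      # copy_extensions -- confirm both against openssl.cnf.
      openssl ca -batch -create_serial -out "${name}.crt" -days 365 \
        -keyfile "${MYPWD}/ca/ca.key" -extensions v3_ca \
        -config "${MYPWD}/openssl.cnf" -infiles "${name}.csr"
      # Append the issuer so the file holds the full chain.
      cat -- "${MYPWD}/ca/ca.crt" >> "${name}.crt"
      ;;
    CRT)
      openssl x509 -req -signkey "${name}.key" -in "${name}.csr" -out "${name}.crt" \
        -extensions v3_req -extfile "$TMP_CNF" -days 365 -sha512 >/dev/null
      chmod o+r "${name}.crt"
      # fpfile.txt: "<name> <SHA512 fingerprint line>" followed by a blank line.
      {
        printf '%s ' "$name"
        openssl x509 -in "${name}.crt" -fingerprint -noout -sha512
        printf '\n'
      } >> "${MYPWD}/output/fpfile.txt"
      ;;
  esac

  rm -f -- "$TMP_CNF"
  TMP_CNF=""
}

#######################################
# Wipe output/, then process certgen.data line by line.
# Globals: MYPWD (read), CA_PATH (written)
#######################################
main() {
  local line kind name subject sans
  local -a fields

  echo "cleanup previous run..."
  rm -rf -- output/*
  mkdir -p output/csr output/crt output/sgn

  # "|| [[ -n $line ]]" still processes a last line without a trailing newline.
  while read -r line || [[ -n "$line" ]]; do
    if [[ -z "$line" || "$line" == "#"* ]]; then
      continue
    fi
    read -r -a fields <<< "$line"
    if (( ${#fields[@]} < 3 )); then
      die 1 "*** ERROR - MALFORMED LINE: ${line} ***" "*** ABORTED ***"
    fi
    kind=${fields[0]}
    name=${fields[1]}
    subject=${fields[2]}
    sans=${fields[3]:-}
    check_name "$name"

    cd -- "$MYPWD"
    # Reset for every entry: make_ca points CA_PATH at its own directory and
    # that setting must not leak into the SGN entries that follow it.
    export CA_PATH="${MYPWD}/ca/"

    echo "*** Processing: $(date -Iseconds) - ${kind} - ${name} ***"
    if [[ -d "output/${name}" ]]; then
      die 1 "*** ERROR - THIS SEEMS TO ALREADY EXIST ***" "*** ABORTED ***"
    fi

    mkdir -- "output/${name}"
    # Lets others traverse into the directory (CRT files are made o+r later).
    chmod o+x "output/${name}"
    cd -- "output/${name}"

    if [[ "$kind" == "CA" ]]; then
      make_ca "$subject"
      continue
    fi

    make_leaf "$kind" "$name" "$subject" "$sans"
    cd -- "$MYPWD"

    case "$kind" in
      SGN) mv -- "output/${name}" "output/sgn/${name}" ;;
      CRT) mv -- "output/${name}" "output/crt/${name}" ;;
      *)   mv -- "output/${name}" "output/csr/${name}" ;;
    esac
  done < certgen.data

  echo "*** DONE ***"
  # grep -v exits 1 when nothing is left to print; that is not an error here.
  ls -l "${MYPWD}/output/"*/ | grep -v "total" || true
}

main "$@"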