Some clarification and fixes.

[somenet/certgen.git] / certgen.sh

#!/bin/bash

MYPWD=$(pwd)
umask 0027

echo "cleanup previous run..."
rm -rf output/*
mkdir output/csr output/crt output/sgn

while read cdline ; do
        if [[ $cdline == "" || $cdline == "#"* ]] ; then
                continue
        fi

        cd $MYPWD
        read -a certdata <<< "$cdline"

        echo "*** Processing: $(date -Iseconds) - ${certdata[0]} - ${certdata[1]} ***"
        if [[ -d "output/${certdata[1]}"  ]] ; then
                echo "*** ERROR - THIS SEEMS TO ALREADY EXIST ***" 1>&2
                echo "*** ABORTED ***" 1>&2
                exit 1
        fi

        mkdir "output/${certdata[1]}"
        chmod o+x "output/${certdata[1]}"
        cd "output/${certdata[1]}"

        # Handle "CA" type here.
        if [[ ${certdata[0]} == "CA" ]] ; then
                mkdir -m 0700 certs crl newcerts
                touch index.txt
                export CA_PATH="./"
                openssl req -batch -new -newkey rsa:4096 -keyout ca.key -out ca.csr -nodes -subj "${certdata[2]}" -reqexts v3_ca_req -config "${MYPWD}/openssl.cnf" &>/dev/null
                openssl ca -batch -create_serial -out ca.crt -days 3650 -keyfile ca.key -selfsign -extensions v3_ca -config "${MYPWD}/openssl.cnf" -infiles ca.csr
                continue
        fi


        # Handle non "CA" types here.
        export CA_PATH="$MYPWD/ca/"
        SUBJECT="${certdata[2]}CN=${certdata[1]}/"
        DNS_NAMES="${certdata[1]},${certdata[3]}"
        OLDIFS=$IFS
        IFS=","
        cat "${MYPWD}/openssl.cnf" > /tmp/certgen.cnf
        COUNTER=0
        for name in $DNS_NAMES; do
                if [[ "" == $name ]] ; then
                        continue
                fi
                COUNTER=$((COUNTER+1))
                echo "DNS.${COUNTER} = $name" >> /tmp/certgen.cnf
        done
        IFS=$OLDIFS
        unset OLDIFS
        unset COUNTER
        
        openssl genrsa -out "${certdata[1]}.key" 4096 &> /dev/null
        openssl req -new -key "${certdata[1]}.key" -out "${certdata[1]}.csr" -utf8 -batch -subj "${SUBJECT}" -config /tmp/certgen.cnf

        if [[ ${certdata[0]} == "SGN" ]] ; then
                if [[ ! -d "${CA_PATH}"  ]] ; then
                        echo "*** ERROR - NO CA DATA FOUND ***" 1>&2
                        echo "*** maybe generate a CA and move it to ${CA_PATH} ***" 1>&2
                        echo "copy template: mv output/SomeNet ${CA_PATH}" 1>&2
                        echo "*** ABORTED ***" 1>&2
                        exit 2
                fi

                openssl ca -batch -create_serial -out "${certdata[1]}.crt" -days 365 -keyfile "${MYPWD}/ca/ca.key" -extensions v3_ca \
                        -config "${MYPWD}/openssl.cnf" -infiles "${certdata[1]}.csr"
                cat "${MYPWD}/ca/ca.crt" >> "${certdata[1]}.crt"

        elif [[ ${certdata[0]} == "CRT" ]] ; then
                openssl x509 -req -signkey "${certdata[1]}.key" -in "${certdata[1]}.csr" -out "${certdata[1]}.crt" -extensions v3_req -extfile /tmp/certgen.cnf \
                        -days 365 -sha512 &> /dev/null
                chmod o+r "${certdata[1]}.crt"

                echo -n "${certdata[1]} " >> "${MYPWD}/output/fpfile.txt"
                openssl x509 -in "${certdata[1]}.crt" -fingerprint -noout -sha512 >> "${MYPWD}/output/fpfile.txt"
                echo "" >> "${MYPWD}/output/fpfile.txt"
        fi

        rm /tmp/certgen.cnf
        cd $MYPWD

        if [[ ${certdata[0]} == "SGN" ]] ; then
                mv "output/${certdata[1]}" "output/sgn/${certdata[1]}"
        elif [[ ${certdata[0]} == "CRT" ]] ; then
                mv "output/${certdata[1]}" "output/crt/${certdata[1]}"
        else
                mv "output/${certdata[1]}" "output/csr/${certdata[1]}"
        fi

done < certgen.data

echo "*** DONE ***"
ls -l "${MYPWD}/output/"*/ | grep -v "total"