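#!/bin/bash
#
# Batch certificate generator driven by ./certgen.data, one request per line:
#
#   TYPE NAME SUBJECT_PREFIX [DNS_NAMES] [IPS]
#
# TYPE           CA  - self-signed CA (key + cert, plus an empty CA database)
#                SGN - key + CSR, signed by the CA found in ./ca/
#                CRT - key + CSR + self-signed certificate (fingerprint logged
#                      to output/fpfile.txt)
#                any other value - key + CSR only
# NAME           output directory name, file base name and certificate CN;
#                used as a path component, so it must be a plain name
# SUBJECT_PREFIX subject in openssl -subj form with '_' standing for spaces;
#                for non-CA types "CN=NAME/" is appended, so the prefix is
#                expected to end in '/'
# DNS_NAMES/IPS  comma separated subjectAltName entries (may be empty)
#
# A line "EXIT [status]" stops processing with that status; blank lines and
# lines starting with '#' are ignored.  Requires ./openssl.cnf; SGN requests
# additionally need ./ca/ca.key and ./ca/ca.crt (the output of a CA run).
# Results are moved into output/sgn, output/crt or output/csr respectively.
#
# Exit status: 0 ok, 1 bad input / existing output, 2 missing CA data,
#              3 an openssl or temp-file step failed.

MYPWD=$(pwd)
readonly MYPWD
umask 0027

# Print each argument on its own line to stderr and exit with $1.
die() {
  local status=$1
  shift
  printf '%s\n' "$@" >&2
  exit "$status"
}

# Return the subject fragment with '_' turned into ' ' (the data file has no
# way to carry spaces inside a field).
subject_from() {
  printf '%s' "${1//_/ }"
}

# Append "PREFIX.N = value" lines (N counting from 1) for every non-empty
# element of the comma separated list $2 to the config file $3.
append_alt_names() {
  local prefix=$1 list=$2 cnf=$3
  local counter=0 entry
  local IFS=','
  for entry in $list; do
    [[ -z "$entry" ]] && continue
    counter=$((counter + 1))
    printf '%s.%d = %s\n' "$prefix" "$counter" "$entry" >> "$cnf"
  done
}

# The per-request openssl config lives in a private temp file rather than a
# fixed, world-known path under /tmp: a fixed name lets any local user
# pre-create or symlink it and thereby inject SAN entries into (or redirect
# the write of) the config that shapes the issued certificate.
CERT_CNF=$(mktemp "${TMPDIR:-/tmp}/certgen.XXXXXX") \
  || die 3 "*** ERROR - cannot create temporary config file ***"
readonly CERT_CNF
trap 'rm -f -- "$CERT_CNF"' EXIT

[[ -r certgen.data ]] || die 1 "*** ERROR - certgen.data not found in $MYPWD ***"

echo "cleanup previous run..."
rm -rf output/*
mkdir -p output/csr output/crt output/sgn

# The data file is read on fd 3 so that the openssl invocations in the loop
# body cannot consume the remaining request lines from stdin.  The `|| -n`
# clause still processes a last line that lacks a trailing newline.
while read -r cdline <&3 || [[ -n "$cdline" ]]; do
  if [[ -z "$cdline" || "$cdline" == "#"* ]]; then
    continue
  fi

  cd "$MYPWD" || die 1 "*** ERROR - cannot change back to $MYPWD ***"
  read -r -a certdata <<< "$cdline"
  ctype=${certdata[0]}
  name=${certdata[1]}

  if [[ "$ctype" == "EXIT" ]]; then
    echo "*** $cdline ***" 1>&2
    # A bare EXIT line (no status) exits 0, as a plain `exit` after the
    # successful echo above would.
    exit "${name:-0}"
  fi

  echo "*** Processing: $(date -Iseconds) - $ctype - $name ***"
  # NAME becomes "output/NAME" and "NAME.key"; refuse anything that could
  # leave the output tree or pose as a hidden/relative path.
  if [[ -z "$name" || "$name" == */* || "$name" == .* ]]; then
    die 1 "*** ERROR - INVALID NAME '$name' ***" "*** ABORTED ***"
  fi
  if [[ -d "output/$name" ]]; then
    die 1 "*** ERROR - THIS SEEMS TO ALREADY EXIST ***" "*** ABORTED ***"
  fi

  mkdir "output/$name" || die 1 "*** ERROR - cannot create output/$name ***"
  # umask 0027 leaves the directory group-readable only; o+x lets the
  # certificate (chmod o+r below) be fetched by path without listing.
  chmod o+x "output/$name"
  cd "output/$name" || die 1 "*** ERROR - cannot enter output/$name ***"

  # Handle "CA" type here.
  if [[ "$ctype" == "CA" ]]; then
    mkdir -m 0700 certs crl newcerts
    touch index.txt
    export CA_PATH="./"
    SUBJECT=$(subject_from "${certdata[2]}")
    # openssl output is silenced, so the exit status is the only signal;
    # do not continue with a half-written CA.
    openssl req -batch -new -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -nodes -subj "${SUBJECT}" -reqexts v3_ca_req -config "${MYPWD}/openssl.cnf" -days 3650 &>/dev/null \
      || die 3 "*** ERROR - CA generation failed for $name ***"
    continue
  fi

  # Handle non "CA" types here.
  export CA_PATH="$MYPWD/ca/"
  SUBJECT="$(subject_from "${certdata[2]}")CN=$name/"
  # Fresh copy of the template per request; the SAN entries are appended to
  # whatever section ends openssl.cnf (presumably [alt_names] -- not visible
  # here, confirm in the template).
  cat "${MYPWD}/openssl.cnf" > "$CERT_CNF" \
    || die 3 "*** ERROR - cannot read ${MYPWD}/openssl.cnf ***"
  append_alt_names DNS "$name,${certdata[3]}" "$CERT_CNF"
  append_alt_names IP "${certdata[4]}" "$CERT_CNF"

  openssl genrsa -out "$name.key" 4096 &>/dev/null \
    || die 3 "*** ERROR - key generation failed for $name ***"
  openssl req -new -key "$name.key" -out "$name.csr" -utf8 -batch -subj "${SUBJECT}" -config "$CERT_CNF" \
    || die 3 "*** ERROR - CSR generation failed for $name ***"

  if [[ "$ctype" == "SGN" ]]; then
    if [[ ! -d "${CA_PATH}" ]]; then
      die 2 "*** ERROR - NO CA DATA FOUND ***" \
        "*** maybe generate a CA and move it to ${CA_PATH} ***" \
        "copy template: mv output/SomeNet ${CA_PATH}" \
        "*** ABORTED ***"
    fi

    # NOTE(review): the signed leaf gets the v3_ca extension section from
    # openssl.cnf (not the per-request config with the SAN entries).  Whether
    # that section sets basicConstraints CA:TRUE cannot be seen from here --
    # confirm it does not, or end-entity certs will be able to issue.
    openssl ca -batch -create_serial -out "$name.crt" -days 365 -keyfile "${MYPWD}/ca/ca.key" -extensions v3_ca \
      -config "${MYPWD}/openssl.cnf" -infiles "$name.csr" \
      || die 3 "*** ERROR - signing failed for $name ***"
    # Append the issuer so the .crt is a ready-to-serve chain.
    cat "${MYPWD}/ca/ca.crt" >> "$name.crt"

  elif [[ "$ctype" == "CRT" ]]; then
    openssl x509 -req -signkey "$name.key" -in "$name.csr" -out "$name.crt" -extensions v3_req -extfile "$CERT_CNF" \
      -days 365 -sha512 &>/dev/null \
      || die 3 "*** ERROR - self-signing failed for $name ***"
    chmod o+r "$name.crt"

    # One "NAME fingerprint" record per self-signed cert, blank-line separated.
    {
      printf '%s ' "$name"
      openssl x509 -in "$name.crt" -fingerprint -noout -sha512
      echo ""
    } >> "${MYPWD}/output/fpfile.txt"
  fi

  cd "$MYPWD" || die 1 "*** ERROR - cannot change back to $MYPWD ***"

  case "$ctype" in
    SGN) mv "output/$name" "output/sgn/$name" ;;
    CRT) mv "output/$name" "output/crt/$name" ;;
    *)   mv "output/$name" "output/csr/$name" ;;
  esac

done 3< certgen.data

echo "*** DONE ***"
ls -l "${MYPWD}/output/"*/ | grep -v "total"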