From 2178a7905800b02afd02914b62e2cac3a2814726 Mon Sep 17 00:00:00 2001
From: Someone <someone@somenet.org>
Date: Thu, 5 Feb 2015 00:19:54 +0100
Subject: [PATCH] Script to autogenerate CSRs and optionally self sign to get
 CRTs.

---
 certgen.sh  | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 openssl.cnf | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 113 insertions(+)
 create mode 100755 certgen.sh
 create mode 100644 openssl.cnf

diff --git a/certgen.sh b/certgen.sh
new file mode 100755
index 0000000..9b051e2
--- /dev/null
+++ b/certgen.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+MYPWD=$(pwd)
+umask 0027
+
+echo "cleanup previous run..."
+rm -rf output/*
+mkdir output/csr output/crt
+
+while read cdline ; do
+	if [[ $cdline == "" || $cdline == "#"* ]] ; then
+		continue
+	fi
+
+	cd $MYPWD
+	read -a certdata <<< "$cdline"
+
+	echo "*** Processing: ${certdata[0]} - ${certdata[1]} ***"
+	if [[ -d "output/${certdata[1]}"  ]] ; then
+		echo "*** ERROR - THIS SEEMS TO ALREADY EXIST ***" 1>&2
+		echo "*** ABORTED ***" 1>&2
+		exit 1
+	fi
+
+	mkdir "output/${certdata[1]}"
+
+	SUBJECT="${certdata[2]}CN=${certdata[1]}/"
+	CERTGEN_DNS_ALT_NAMES=$(echo "DNS:${certdata[1]},${certdata[3]}" | sed -e 's/,/ DNS:/g')
+	cat openssl.cnf | sed -e "s/CERTGEN_DNS_ALT_NAMES/${CERTGEN_DNS_ALT_NAMES}/" > /tmp/certgen.cnf
+	
+	cd "output/${certdata[1]}"
+	openssl genrsa -out "${certdata[1]}.key" 4096 &> /dev/null
+	openssl req -new -key "${certdata[1]}.key" -out "${certdata[1]}.csr" -utf8 -batch -subj "${SUBJECT}" -config /tmp/certgen.cnf
+
+	if [[ ${certdata[0]} == "CRT" ]] ; then
+		openssl x509 -req -signkey "${certdata[1]}.key" -in "${certdata[1]}.csr" -out "${certdata[1]}.crt" -extensions v3_req -extfile /tmp/certgen.cnf \
+			-days 365 -sha512 &> /dev/null
+		echo -n "${certdata[1]} " >> "${MYPWD}/output/fpfile.txt"
+		openssl x509 -in "${certdata[1]}.crt" -fingerprint -noout -sha512 >> "${MYPWD}/output/fpfile.txt"
+		echo "" >> "${MYPWD}/output/fpfile.txt"
+	fi
+
+	rm /tmp/certgen.cnf
+	cd $MYPWD
+
+	if [[ ${certdata[0]} == "CRT" ]] ; then
+		mv "output/${certdata[1]}" "output/crt/${certdata[1]}"
+	else
+		mv "output/${certdata[1]}" "output/csr/${certdata[1]}"
+	fi
+
+done < certgen.data
+
+echo "*** DONE ***"
+ls -l output/*/ | grep -v "total"
+
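Review bot: The extension config that the sed line writes, and that both `openssl req -config` and `openssl x509 -extfile` then consume, lives at the fixed path `/tmp/certgen.cnf`, so on a shared host any local user who pre-creates that name (or plants a symlink there) can substitute their own extensions, e.g. `basicConstraints = CA:TRUE`, into every CSR and self-signed certificate this script emits. Create it with `cfg=$(mktemp) || exit 1`, clean it up with `trap 'rm -f -- "$cfg"' EXIT`, and pass `"$cfg"` in place of the literal path on the `req`, `x509` and `rm` lines. The same sed line interpolates `${CERTGEN_DNS_ALT_NAMES}` unescaped, so a `/` or `&` in a certgen.data SAN field corrupts the replacement (or changes the sed command) instead of failing loudly. Note also that `&> /dev/null` on the `genrsa` and `x509` calls hides their failures and the script has no `set -e`, so a failed signing still appends a fingerprint line for a missing file to fpfile.txt and moves an incomplete directory into output/crt.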
diff --git a/openssl.cnf b/openssl.cnf
new file mode 100644
index 0000000..87cf140
--- /dev/null
+++ b/openssl.cnf
@@ -0,0 +1,57 @@
+#
+# OpenSSL example configuration file.
+
+HOME            = .
+RANDFILE        = $ENV::HOME/.rnd
+
+####################################################################
+[ ca ]
+default_ca  = CA_default        # The default ca section
+
+[ CA_default ]
+default_days		= 365          # how long to certify for
+default_crl_days	= 365            # how long before next CRL
+default_md			= sha512        # use public key default MD
+preserve			= no            # keep passed DN ordering
+
+x509_extensions		= ca_extensions     # The extensions to add to the cert
+
+email_in_dn		= no            # Don't concat the email in the DN
+copy_extensions	= copy          # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits		= 4096
+distinguished_name	= req_distinguished_name
+string_mask			= utf8only
+default_md			= sha512
+x509_extensions		= v3_ca
+req_extensions		= v3_req
+
+####################################################################
+[ req_distinguished_name ]
+0.organizationName			= Organization Name (eg, company)
+0.organizationName_default	= somenet.org
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= CertGen
+
+commonName					= Common Name (e.g. server FQDN or YOUR name)
+commonName_max				= 64
+
+emailAddress				= Email Address
+emailAddress_max			= 64
+
+####################################################################
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = CERTGEN_DNS_ALT_NAMES
+
+####################################################################
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = CA:true
+
+####################################################################
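Review bot: `[ CA_default ]` sets `x509_extensions = ca_extensions`, but no `[ ca_extensions ]` section is defined anywhere in this file, so `openssl ca` run against this config would fail on an unknown section; certgen.sh never calls `openssl ca`, so this looks like dead configuration, but it is misleading as shipped. If the `ca` section is kept, define the section and pin the constraint, because `copy_extensions = copy` otherwise lets a CSR's own extensions flow into the issued certificate: `[ ca_extensions ]`, `basicConstraints = CA:FALSE`, `subjectKeyIdentifier = hash`. Separately, `[ req ]` points `x509_extensions` at `[ v3_ca ]`, which carries `basicConstraints = CA:true`, so anyone who runs `openssl req -x509` with this file instead of the script's `x509 -req -extensions v3_req` path mints a CA certificate; a comment on `[ v3_ca ]` such as `# Only used by 'openssl req -x509'; produces a CA cert, not for server certs` would make that explicit.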
-- 
2.43.0