add python thing

[tools/certgen.git] / singlecertgen.sh

#!/bin/bash

MYPWD=$(pwd)
umask 0027

if  [[ $# < 3 || $# > 4 ]]; then
        echo "Invalid argument count." 1>&2
        echo "Usage: $0 <action> <common name> <subject> [<additional domain>[,<additional domain>[,..]]]" 1>&2
        echo "e.g.: $0 SGN mail.ionic.at /emailAddress=astra@fsinf.at/O=AstraCA/ smtp.ionic.at,imap.ionic.at"
        exit 1
fi

mkdir -p output/csr output/crt output/sgn output/client

cd $MYPWD
read -a certdata <<< "$*"

echo "*** Processing: $(date -Iseconds) - ${certdata[0]} - ${certdata[1]} ***"
if [[ -d "output/${certdata[1]}"  ]] ; then
        echo "*** ERROR - THIS SEEMS TO ALREADY EXIST ***" 1>&2
        echo "*** ABORTED ***" 1>&2
        exit 1
fi

mkdir "output/${certdata[1]}"
chmod o+x "output/${certdata[1]}"
cd "output/${certdata[1]}"

# Handle "CA" type here.
if [[ ${certdata[0]} == "CA" ]] ; then
        mkdir -m 0700 certs crl newcerts
        touch index.txt
        export CA_PATH="./"
        SUBJECT=$(echo -n "${certdata[2]}" | sed -e 's/_/ /g')
        openssl req -batch -new -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -nodes -subj "${SUBJECT}" -reqexts v3_ca_req -config "${MYPWD}/openssl.cnf" -days 3650 &>/dev/null
        exit 0
fi

# Handle non "CA" types here.
export CA_PATH="$MYPWD/ca/"
CNAME="$(echo -n "${certdata[1]}" | sed -e 's/_/ /g')"
SUBJECT="$(echo -n "${certdata[2]}" | sed -e 's/_/ /g')CN=${CNAME}/"
DNS_NAMES="${CNAME},$(echo -n "${certdata[3]}" | sed -e 's/_/ /g')"
OLDIFS=$IFS
IFS=","
cat "${MYPWD}/openssl.cnf" > /tmp/certgen.cnf
COUNTER=0
for name in $DNS_NAMES; do
        if [[ "" == $name ]] ; then
                break
        fi
        COUNTER=$((COUNTER+1))
        echo "DNS.${COUNTER} = $name" >> /tmp/certgen.cnf
done
IFS=$OLDIFS
unset OLDIFS
unset COUNTER

openssl genrsa -out "${certdata[1]}.key" 4096 &> /dev/null
openssl req -new -key "${certdata[1]}.key" -out "${certdata[1]}.csr" -utf8 -batch -subj "${SUBJECT}" -config /tmp/certgen.cnf

if [[ ${certdata[0]} == "SGN" || ${certdata[0]} == "CLIENT" ]] ; then
        if [[ ! -d "${CA_PATH}"  ]] ; then
                echo "*** ERROR - NO CA DATA FOUND ***" 1>&2
                echo "*** maybe generate a CA and move it to ${CA_PATH} ***" 1>&2
                echo "copy template: mv output/SomeNet ${CA_PATH}" 1>&2
                echo "*** ABORTED ***" 1>&2
                exit 2
        fi

        openssl ca -batch -create_serial -out "${certdata[1]}.crt" -days 365 -keyfile "${MYPWD}/ca/ca.key" -extensions v3_ca \
                -config "${MYPWD}/openssl.cnf" -infiles "${certdata[1]}.csr"
        cat "${MYPWD}/ca/ca.crt" >> "${certdata[1]}.crt"

        if [[ ${certdata[0]} == "CLIENT" ]]; then
                openssl pkcs12 -export -clcerts -in ${certdata[1]}.crt -inkey ${certdata[1]}.key -out ${certdata[1]}.p12 -name "${CNAME}" -passout pass:
                openssl pkcs12 -in ${certdata[1]}.p12 -out ${certdata[1]}.pem -clcerts -passin pass: -passout pass:
        fi

elif [[ ${certdata[0]} == "CRT" ]] ; then
        openssl x509 -req -signkey "${certdata[1]}.key" -in "${certdata[1]}.csr" -out "${certdata[1]}.crt" -extensions v3_req -extfile /tmp/certgen.cnf \
                -days 365 -sha512 &> /dev/null
        chmod o+r "${certdata[1]}.crt"

        echo -n "${certdata[1]} " >> "${MYPWD}/output/fpfile.txt"
        openssl x509 -in "${certdata[1]}.crt" -fingerprint -noout -sha512 >> "${MYPWD}/output/fpfile.txt"
        echo "" >> "${MYPWD}/output/fpfile.txt"
fi

rm /tmp/certgen.cnf
cd $MYPWD

if [[ ${certdata[0]} == "SGN" ]] ; then
        mv "output/${certdata[1]}" "output/sgn/${certdata[1]}"
elif [[ ${certdata[0]} == "CRT" ]] ; then
        mv "output/${certdata[1]}" "output/crt/${certdata[1]}"
elif [[ ${certdata[0]} == "CLIENT" ]]; then
        mv "output/${certdata[1]}" "output/client/${certdata[1]}"
else
        mv "output/${certdata[1]}" "output/csr/${certdata[1]}"
fi