From 2178a7905800b02afd02914b62e2cac3a2814726 Mon Sep 17 00:00:00 2001
From: Someone
Date: Thu, 5 Feb 2015 00:19:54 +0100
Subject: [PATCH] Script to autogenerate CSRs and optionally self sign to get CRTs.
---
 certgen.sh | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 openssl.cnf | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 113 insertions(+)
 create mode 100755 certgen.sh
 create mode 100644 openssl.cnf
diff --git a/certgen.sh b/certgen.sh
new file mode 100755
index 0000000..9b051e2
--- /dev/null
+++ b/certgen.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+MYPWD=$(pwd)
+umask 0027
+
+echo "cleanup previous run..."
+rm -rf output/*
+mkdir output/csr output/crt
+
+while read cdline ; do
+ if [[ $cdline == "" || $cdline == "#"* ]] ; then
+ continue
+ fi
+
+ cd $MYPWD
+ read -a certdata <<< "$cdline"
+
+ echo "*** Processing: ${certdata[0]} - ${certdata[1]} ***"
+ if [[ -d "output/${certdata[1]}" ]] ; then
+ echo "*** ERROR - THIS SEEMS TO ALREADY EXIST ***" 1>&2
+ echo "*** ABORTED ***" 1>&2
+ exit 1
+ fi
+
+ mkdir "output/${certdata[1]}"
+
+ SUBJECT="${certdata[2]}CN=${certdata[1]}/"
+ CERTGEN_DNS_ALT_NAMES=$(echo "DNS:${certdata[1]},${certdata[3]}" | sed -e 's/,/ DNS:/g')
+ cat openssl.cnf | sed -e "s/CERTGEN_DNS_ALT_NAMES/${CERTGEN_DNS_ALT_NAMES}/" > /tmp/certgen.cnf
+
+ cd "output/${certdata[1]}"
+ openssl genrsa -out "${certdata[1]}.key" 4096 &> /dev/null
+ openssl req -new -key "${certdata[1]}.key" -out "${certdata[1]}.csr" -utf8 -batch -subj "${SUBJECT}" -config /tmp/certgen.cnf
+
+ if [[ ${certdata[0]} == "CRT" ]] ; then
+ openssl x509 -req -signkey "${certdata[1]}.key" -in "${certdata[1]}.csr" -out "${certdata[1]}.crt" -extensions v3_req -extfile /tmp/certgen.cnf \
+ -days 365 -sha512 &> /dev/null
+ echo -n "${certdata[1]} " >> "${MYPWD}/output/fpfile.txt"
+ openssl x509 -in "${certdata[1]}.crt" -fingerprint -noout -sha512 >> "${MYPWD}/output/fpfile.txt"
+ echo "" >> "${MYPWD}/output/fpfile.txt"
+ fi
+
+ rm /tmp/certgen.cnf
+ cd $MYPWD
+
+ if [[ ${certdata[0]} == "CRT" ]] ; then
+ mv "output/${certdata[1]}" "output/crt/${certdata[1]}"
+ else
+ mv "output/${certdata[1]}" "output/csr/${certdata[1]}"
+ fi
+
+done < certgen.data
+
+echo "*** DONE ***"
+ls -l output/*/ | grep -v "total"
+
diff --git a/openssl.cnf b/openssl.cnf
new file mode 100644
index 0000000..87cf140
--- /dev/null
+++ b/openssl.cnf
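Review bot: The private key written by `openssl genrsa -out "${certdata[1]}.key" 4096` is created under `umask 0027`, so every generated key ends up group-readable (0640), and because its stderr and exit status are discarded with `&> /dev/null` and the script has no `set -e`, a failed key generation is invisible: the following `openssl req` then fails for the wrong reason, the loop continues, and an empty directory is still moved under `output/csr/`. The per-run config is written to the fixed, shared path `/tmp/certgen.cnf`, which is predictable and is left behind whenever the script exits through `exit 1`; a `mktemp` file removed by an EXIT trap avoids both. Separately, `${CERTGEN_DNS_ALT_NAMES}` is spliced into the `sed` replacement unescaped, so a `/` or `&` in the SAN column of certgen.data corrupts the generated config rather than being rejected, which is worth a comment on that line at minimum. The rewritten lines are below; with them, the `rm /tmp/certgen.cnf` inside the loop goes away and the two `-config`/`-extfile /tmp/certgen.cnf` arguments become `"$cfg"`.
```shell
#!/bin/bash
MYPWD=$(pwd)
umask 0077                       # private keys must be owner-only; 0027 leaves them group-readable
cfg=$(mktemp) || exit 1          # per-run config instead of the shared, predictable /tmp/certgen.cnf
trap 'rm -f -- "$cfg"' EXIT      # also removes it on the early "exit 1" paths
# … unchanged: cleanup of output/, read loop, SUBJECT, CERTGEN_DNS_ALT_NAMES …
# NOTE: "/" or "&" in the SAN column breaks this substitution; keep certgen.data to plain hostnames
sed -e "s/CERTGEN_DNS_ALT_NAMES/${CERTGEN_DNS_ALT_NAMES}/" openssl.cnf > "$cfg"
cd "output/${certdata[1]}"
openssl genrsa -out "${certdata[1]}.key" 4096 2>/dev/null \
  || { echo "*** ERROR - key generation failed for ${certdata[1]} ***" 1>&2; exit 1; }
# … unchanged: openssl req / openssl x509 (with -config "$cfg" and -extfile "$cfg"), fingerprint, mv …
```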
@@ -0,0 +1,57 @@
+#
+# OpenSSL example configuration file.
+
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+default_days = 365 # how long to certify for
+default_crl_days = 365 # how long before next CRL
+default_md = sha512 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+default_md = sha512
+x509_extensions = v3_ca
+req_extensions = v3_req
+
+####################################################################
+[ req_distinguished_name ]
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = somenet.org
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = CertGen
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+####################################################################
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = CERTGEN_DNS_ALT_NAMES
+
+####################################################################
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = CA:true
+
+####################################################################
--
2.43.0
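Review bot: `x509_extensions = ca_extensions` in `[ CA_default ]` refers to a section that does not exist in this file, so any `openssl ca` run against this config would fail when loading extensions; certgen.sh itself only uses `[ v3_req ]` through `-extensions v3_req`, so either the `[ ca ]`/`[ CA_default ]` block should be dropped or the missing section added. With that section missing, `copy_extensions = copy` would also copy every extension a CSR requests into the issued certificate, including a requested `basicConstraints = CA:TRUE`, since nothing in the config overrides it; the comment on that line should say so, e.g. `# copies ALL requested extensions from the CSR - only sign CSRs you generated yourself`. `[ v3_req ]` has no `extendedKeyUsage`; if these are TLS server certificates, as the DNS-only `subjectAltName` suggests, some clients require `extendedKeyUsage = serverAuth`, and `basicConstraints` is conventionally written `critical, CA:FALSE`. The `CERTGEN_DNS_ALT_NAMES` placeholder deserves a comment such as `# placeholder, substituted by certgen.sh at run time - this file is not usable with openssl as-is`.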