If no argument given to certGen.sh the usage is not printed (#1862)
* If no argument given to certGen.sh the usage is not printed

* bug #1859/#1860/#1861

* fixed running under WSL
ericwolz authored Feb 17, 2021
1 parent f64bb51 commit feac7ef
Showing 1 changed file with 64 additions and 65 deletions.
129 changes: 64 additions & 65 deletions tools/CACertificates/certGen.sh
Expand Up @@ -14,7 +14,6 @@

set -x # Set trace on
set -o errexit # Exit if command failed
set -o nounset # Exit if variable not set
set -o pipefail # Exit if pipe failed

root_ca_dir="."
Expand All @@ -38,8 +37,7 @@ intermediate_ca_prefix="azure-iot-test-only.intermediate"
function makeCNsubject()
{
local result="/CN=${1}"
case $OSTYPE in
msys|win32) result="/${result}"
case $OSTYPE in win32) result="/${result}"
esac
echo "$result"
}
Expand All @@ -60,15 +58,15 @@ function generate_root_ca()
local common_name="Azure IoT Hub CA Cert Test Only"
local password_cmd=" -aes256 -passout pass:${root_ca_password} "

cd ${home_dir}
cd "${home_dir}"
echo "Creating the Root CA Private Key"

openssl ${algorithm} \
openssl "${algorithm}" \
${password_cmd} \
-out ${root_ca_dir}/private/${root_ca_prefix}.key.pem \
-out "${root_ca_dir}/private/${root_ca_prefix}.key.pem" \
${key_bits_length}
[ $? -eq 0 ] || exit $?
chmod 400 ${root_ca_dir}/private/${root_ca_prefix}.key.pem
chmod 400 "${root_ca_dir}/private/${root_ca_prefix}.key.pem"
[ $? -eq 0 ] || exit $?

echo "Creating the Root CA Certificate"
Expand All @@ -77,24 +75,24 @@ function generate_root_ca()
openssl req \
-new \
-x509 \
-config ${openssl_root_config_file} \
-config "${openssl_root_config_file}" \
${password_cmd} \
-key ${root_ca_dir}/private/${root_ca_prefix}.key.pem \
-key "${root_ca_dir}/private/${root_ca_prefix}.key.pem" \
-subj "$(makeCNsubject "${common_name}")" \
-days ${days_till_expire} \
-sha256 \
-extensions v3_ca \
-out ${root_ca_dir}/certs/${root_ca_prefix}.cert.pem
-out "${root_ca_dir}/certs/${root_ca_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?
chmod 444 ${root_ca_dir}/certs/${root_ca_prefix}.cert.pem
chmod 444 "${root_ca_dir}/certs/${root_ca_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?

echo "CA Root Certificate Generated At:"
echo "---------------------------------"
echo " ${root_ca_dir}/certs/${root_ca_prefix}.cert.pem"
echo ""
openssl x509 -noout -text \
-in ${root_ca_dir}/certs/${root_ca_prefix}.cert.pem
-in "${root_ca_dir}/certs/${root_ca_prefix}.cert.pem"

warn_certs_not_for_production

Expand All @@ -113,14 +111,14 @@ function generate_intermediate_ca()
local password_cmd=" -aes256 -passout pass:${intermediate_ca_password} "
echo "Creating the Intermediate Device CA"
echo "-----------------------------------"
cd ${home_dir}
cd "${home_dir}"

openssl ${algorithm} \
openssl "${algorithm}" \
${password_cmd} \
-out ${intermediate_ca_dir}/private/${intermediate_ca_prefix}.key.pem \
-out "${intermediate_ca_dir}/private/${intermediate_ca_prefix}.key.pem" \
${key_bits_length}
[ $? -eq 0 ] || exit $?
chmod 400 ${intermediate_ca_dir}/private/${intermediate_ca_prefix}.key.pem
chmod 400 "${intermediate_ca_dir}/private/${intermediate_ca_prefix}.key.pem"
[ $? -eq 0 ] || exit $?


Expand All @@ -130,49 +128,49 @@ function generate_intermediate_ca()

openssl req -new -sha256 \
${password_cmd} \
-config ${openssl_intermediate_config_file} \
-config "${openssl_intermediate_config_file}" \
-subj "$(makeCNsubject "${common_name}")" \
-key ${intermediate_ca_dir}/private/${intermediate_ca_prefix}.key.pem \
-out ${intermediate_ca_dir}/csr/${intermediate_ca_prefix}.csr.pem
-key "${intermediate_ca_dir}/private/${intermediate_ca_prefix}.key.pem" \
-out "${intermediate_ca_dir}/csr/${intermediate_ca_prefix}.csr.pem"
[ $? -eq 0 ] || exit $?

echo "Signing the Intermediate Certificate with Root CA Cert"
echo "-----------------------------------"
password_cmd=" -passin pass:${root_ca_password} "

openssl ca -batch \
-config ${openssl_root_config_file} \
-config "${openssl_root_config_file}" \
${password_cmd} \
-extensions v3_intermediate_ca \
-days ${days_till_expire} -notext -md sha256 \
-in ${intermediate_ca_dir}/csr/${intermediate_ca_prefix}.csr.pem \
-out ${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem
-in "${intermediate_ca_dir}/csr/${intermediate_ca_prefix}.csr.pem" \
-out "${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?
chmod 444 ${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem
chmod 444 "${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?

echo "Verify signature of the Intermediate Device Certificate with Root CA"
echo "-----------------------------------"
openssl verify \
-CAfile ${root_ca_dir}/certs/${root_ca_prefix}.cert.pem \
${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem
-CAfile "${root_ca_dir}/certs/${root_ca_prefix}.cert.pem" \
"${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?

echo "Intermediate CA Certificate Generated At:"
echo "-----------------------------------------"
echo " ${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem"
echo ""
openssl x509 -noout -text \
-in ${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem
-in "${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?

echo "Create Root + Intermediate CA Chain Certificate"
echo "-----------------------------------"
cat ${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem \
${root_ca_dir}/certs/${root_ca_prefix}.cert.pem > \
${intermediate_ca_dir}/certs/${ca_chain_prefix}.cert.pem
cat "${intermediate_ca_dir}/certs/${intermediate_ca_prefix}.cert.pem" \
"${root_ca_dir}/certs/${root_ca_prefix}.cert.pem" > \
"${intermediate_ca_dir}/certs/${ca_chain_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?
chmod 444 ${intermediate_ca_dir}/certs/${ca_chain_prefix}.cert.pem
chmod 444 "${intermediate_ca_dir}/certs/${ca_chain_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?

echo "Root + Intermediate CA Chain Certificate Generated At:"
Expand Down Expand Up @@ -200,54 +198,54 @@ function generate_device_certificate_common()

echo "Creating ${cert_type_diagnostic} Certificate"
echo "----------------------------------------"
cd ${home_dir}
cd "${home_dir}"

openssl ${algorithm} \
-out ${certificate_dir}/private/${device_prefix}.key.pem \
openssl "${algorithm}" \
-out "${certificate_dir}/private/${device_prefix}.key.pem" \
${key_bits_length}
[ $? -eq 0 ] || exit $?
chmod 444 ${certificate_dir}/private/${device_prefix}.key.pem
chmod 444 "${certificate_dir}/private/${device_prefix}.key.pem"
[ $? -eq 0 ] || exit $?

echo "Create the ${cert_type_diagnostic} Certificate Request"
echo "----------------------------------------"
openssl req -config ${openssl_config_file} \
-key ${certificate_dir}/private/${device_prefix}.key.pem \
openssl req -config "${openssl_config_file}" \
-key "${certificate_dir}/private/${device_prefix}.key.pem" \
-subj "$(makeCNsubject "${common_name}")" \
-new -sha256 -out ${certificate_dir}/csr/${device_prefix}.csr.pem
-new -sha256 -out "${certificate_dir}/csr/${device_prefix}.csr.pem"
[ $? -eq 0 ] || exit $?

openssl ca -batch -config ${openssl_config_file} \
openssl ca -batch -config "${openssl_config_file}" \
${password_cmd} \
-extensions "${openssl_config_extension}" \
-days ${days_till_expire} -notext -md sha256 \
-in ${certificate_dir}/csr/${device_prefix}.csr.pem \
-out ${certificate_dir}/certs/${device_prefix}.cert.pem
-in "${certificate_dir}/csr/${device_prefix}.csr.pem" \
-out "${certificate_dir}/certs/${device_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?
chmod 444 ${certificate_dir}/certs/${device_prefix}.cert.pem
chmod 444 "${certificate_dir}/certs/${device_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?

echo "Verify signature of the ${cert_type_diagnostic}" \
" certificate with the signer"
echo "-----------------------------------"
openssl verify \
-CAfile ${certificate_dir}/certs/${ca_chain_prefix}.cert.pem \
${certificate_dir}/certs/${device_prefix}.cert.pem
-CAfile "${certificate_dir}/certs/${ca_chain_prefix}.cert.pem" \
"${certificate_dir}/certs/${device_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?

echo "${cert_type_diagnostic} Certificate Generated At:"
echo "----------------------------------------"
echo " ${certificate_dir}/certs/${device_prefix}.cert.pem"
echo ""
openssl x509 -noout -text \
-in ${certificate_dir}/certs/${device_prefix}.cert.pem
-in "${certificate_dir}/certs/${device_prefix}.cert.pem"
[ $? -eq 0 ] || exit $?
echo "Create the ${cert_type_diagnostic} PFX Certificate"
echo "----------------------------------------"
openssl pkcs12 -in ${certificate_dir}/certs/${device_prefix}.cert.pem \
-inkey ${certificate_dir}/private/${device_prefix}.key.pem \
openssl pkcs12 -in "${certificate_dir}/certs/${device_prefix}.cert.pem" \
-inkey "${certificate_dir}/private/${device_prefix}.key.pem" \
-password pass:${server_pfx_password} \
-export -out ${certificate_dir}/certs/${device_prefix}.cert.pfx
-export -out "${certificate_dir}/certs/${device_prefix}.cert.pfx"
[ $? -eq 0 ] || exit $?
echo "${cert_type_diagnostic} PFX Certificate Generated At:"
echo "--------------------------------------------"
Expand Down Expand Up @@ -323,34 +321,34 @@ function initial_cert_generation()
###############################################################################
function generate_verification_certificate()
{
if [ $# -ne 1 ]; then
echo "Usage: <subjectName>"
if [ -z $1 ]; then
echo "Usage: create_verification_certificate <subjectName>"
exit 1
fi

rm -f ./private/verification-code.key.pem
rm -f ./certs/verification-code.cert.pem
generate_leaf_certificate "${1}" "verification-code" \
${root_ca_dir} ${root_ca_password} \
${openssl_root_config_file}
"${root_ca_dir}" "${root_ca_password}" \
"${openssl_root_config_file}"
}

###############################################################################
# Generates a certificate for a device, chained directly to the root.
###############################################################################
function generate_device_certificate()
{
if [ $# -ne 1 ]; then
echo "Usage: <subjectName>"
if [ -z $1 ]; then
echo "Usage: create_device_certificate <subjectName>"
exit 1
fi

rm -f ./private/new-device.key.pem
rm -f ./certs/new-device.key.pem
rm -f ./certs/new-device-full-chain.cert.pem
generate_leaf_certificate "${1}" "new-device" \
${root_ca_dir} ${root_ca_password} \
${openssl_root_config_file}
"${root_ca_dir}" "${root_ca_password}" \
"${openssl_root_config_file}"
}


Expand All @@ -359,17 +357,17 @@ function generate_device_certificate()
###############################################################################
function generate_device_certificate_from_intermediate()
{
if [ $# -ne 1 ]; then
echo "Usage: <subjectName>"
if [ -z $1 ]; then
echo "Usage: create_device_certificate_from_intermediate <subjectName>"
exit 1
fi

rm -f ./private/new-device.key.pem
rm -f ./certs/new-device.key.pem
rm -f ./certs/new-device-full-chain.cert.pem
generate_leaf_certificate "${1}" "new-device" \
${intermediate_ca_dir} ${intermediate_ca_password} \
${openssl_intermediate_config_file}
"${intermediate_ca_dir}" "${intermediate_ca_password}" \
"${openssl_intermediate_config_file}"
}


Expand All @@ -379,8 +377,8 @@ function generate_device_certificate_from_intermediate()
function generate_edge_device_certificate()
{
local device_prefix="new-edge-device"
if [ $# -ne 1 ]; then
echo "Usage: <subjectName>"
if [ -z $1 ]; then
echo "Usage: create_edge_device_certificate <subjectName>"
exit 1
fi
rm -f ./private/new-edge-device.key.pem
Expand All @@ -393,13 +391,14 @@ function generate_edge_device_certificate()
# client certificate where the hostname is used as the common name
# which essentially results in "loop" for validation purposes.
generate_device_certificate_common "${1}.ca" \
${device_prefix} \
${intermediate_ca_dir} \
${intermediate_ca_password} \
${openssl_intermediate_config_file} \
"${device_prefix}" \
"${intermediate_ca_dir}" \
"${intermediate_ca_password}" \
"${openssl_intermediate_config_file}" \
"v3_intermediate_ca" "Edge Device"
}

set +x
if [ "${1}" == "create_root_and_intermediate" ]; then
initial_cert_generation
elif [ "${1}" == "create_verification_certificate" ]; then
