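#!/usr/bin/env bash
# Generates your own Server Certificate
#
# Usage: selfsign.sh DOMAIN [-d=DOMAIN | --domain DOMAIN] [--days DAYS | -n=DAYS]
#                    [-p=DIR | --path DIR] [-s | --silent] [-z | --clean]
#
# The script uses bash-only features ([[ ]], ${var#pat}, read -p/-n), so it is
# run under bash explicitly instead of /bin/sh.
set -e
SELFSIGN_INSTALL_DIR=.
CERT_DAYS=1000
SILENT=false
CLEAN_CONFIGS=false
HAS_CONFIGS=false

# Report a malformed command line on stderr and stop with status 1.
usage_error() {
  printf '%s\n' "$*" >&2
  exit 1
}

while [ $# -gt 0 ]; do
  if [[ $1 == "--"* ]]; then
    v="${1#--}"
    case "$v" in
      "days")
        [ $# -ge 2 ] || usage_error "option --$v requires an argument"
        CERT_DAYS=$2
        # Consume the value here; otherwise the next iteration sees it as a
        # bare word and stores it as the domain name.
        shift
        ;;
      "silent") SILENT=true
        ;;
      "domain")
        [ $# -ge 2 ] || usage_error "option --$v requires an argument"
        DOMAIN=$2
        shift
        ;;
      "path")
        [ $# -ge 2 ] || usage_error "option --$v requires an argument"
        DOMAIN_PATH=$2
        shift
        ;;
      "clean") CLEAN_CONFIGS=true
        ;;
      *) usage_error "Invalid option --$v"
        ;;
    esac
  elif [[ $1 == "-n="* ]]; then
    CERT_DAYS="${1#-n=}"
  elif [[ $1 == "-s" ]]; then
    SILENT=true
  elif [[ $1 == "-d="* ]]; then
    DOMAIN="${1#-d=}"
  elif [[ $1 == "-p="* ]]; then
    DOMAIN_PATH="${1#-p=}"
  elif [[ $1 == "-z" ]]; then
    CLEAN_CONFIGS=true
  elif [[ $1 != '-'* ]]; then
    # Any bare word is the domain name.
    DOMAIN=$1
  fi
  shift
done

# The validity period is passed straight to openssl -days; reject anything
# that is not a whole number before any files are touched.
[[ $CERT_DAYS =~ ^[0-9]+$ ]] || usage_error "validity period must be a whole number of days, got \"$CERT_DAYS\""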
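# A domain name is mandatory; print the usage on stderr and fail so callers
# (and CI) do not mistake a missing argument for a successful run.
if [ -z "$DOMAIN" ]; then
  {
    echo "Missing domain name!"
    echo
    echo "Usage: $0 example.com [-d=example.com | --domain example.com] [--days DAYS | -n=DAYS] [-p=output_dir | --path output_dir] [-s | --silent] [-z | --clean]"
    echo
    echo "This will generate a wildcard certificate for the given domain name and its subdomains."
  } >&2
  exit 1
fi
# Default output directory: a directory named after the domain.
if [ -z "$DOMAIN_PATH" ]; then
  DOMAIN_PATH="$DOMAIN"
fi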
# Echo the effective settings before doing any work so a log shows what was asked for.
printf '%s\n' \
  "Running cert generation script with the following options:" \
  " - validity period: ${CERT_DAYS} days" \
  " - silent: $SILENT" \
  " - domain: $DOMAIN (and *.$DOMAIN)" \
  " - output dir: $DOMAIN_PATH"

# Inputs expected under the install directory (produced by the CA setup step).
CA_DIR="$SELFSIGN_INSTALL_DIR/ca"
INTERMEDIATE_DIR="$CA_DIR/intermediate"
INTERMEDIATE_OPENSSL_CNF="$INTERMEDIATE_DIR/openssl.cnf"
INTERMEDIATE_CERT_PEM="$INTERMEDIATE_DIR/certs/intermediate.cert.pem"
INTERMEDIATE_KEY_PEM="$INTERMEDIATE_DIR/private/intermediate.key.pem"
SRC_CHAIN_PEM="$INTERMEDIATE_DIR/certs/chain.cert.pem"

# Per-domain files, all written into the output directory.
LOCAL_CNF="$DOMAIN_PATH/openssl.cnf"
LOCAL_EXT="$DOMAIN_PATH/openssl.ext"
CERT_CSR_PEM="$DOMAIN_PATH/cert.csr"
PRIVKEY_PEM="$DOMAIN_PATH/privkey.pem"
CERT_PEM="$DOMAIN_PATH/cert.pem"
CHAIN_PEM="$DOMAIN_PATH/chain.pem"
FULLCHAIN_PEM="$DOMAIN_PATH/fullchain.pem"
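# openssl is the only external tool needed. The previous form
# `[ ! command -v openssl &> /dev/null ]` is not a valid [ expression, so the
# check never fired; test the command's status directly.
if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl could not be found. Please install OpenSSL and run this script after" >&2
  exit 1
fi
# Verify or setup install directory
if [ ! -d "$SELFSIGN_INSTALL_DIR" ]; then
  # The backticks are escaped: unescaped inside double quotes they would run
  # selfsign-ca as a command substitution instead of printing its name.
  echo "Install directory not found \"$SELFSIGN_INSTALL_DIR\". Please run \`selfsign-ca\` first" >&2
  exit 1
else
  echo "Install directory \"$SELFSIGN_INSTALL_DIR\" exists"
fi
if [ ! -d "$DOMAIN_PATH" ]; then
  echo "Domain directory \"$DOMAIN_PATH\" does not exist. Creating..."
  # -p so a nested --path (e.g. out/example.com) works; -- guards names
  # beginning with a dash.
  mkdir -p -- "$DOMAIN_PATH"
  echo "Created domain directory \"$DOMAIN_PATH\""
else
  echo "Domain directory \"$DOMAIN_PATH\" exists"
fi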
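#######################################
# Write the openssl request config used to build the CSR for one domain.
# Arguments: $1 - path of the config file to write (overwritten)
#            $2 - domain name; also used for the wildcard SAN entry
# Outputs:   the config file at $1
# Returns:   status of the write
#######################################
create_local_cnf () {
  local CNF_PATH=$1
  local CNF_DOMAIN=$2
  # Unquoted heredoc delimiter on purpose: $CNF_DOMAIN must expand.
  # The directive is req_extensions (plural); the singular spelling is not a
  # known [req] key and would be silently ignored by openssl.
  # With `prompt = no` commented out, openssl req asks for each DN field
  # interactively; only commonName gets a default here (the domain).
  cat > "$CNF_PATH" << EOF
[req]
default_md = sha256
default_days = 365
# prompt = no
distinguished_name = req_distinguished_name
req_extensions = server_cert
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
commonName_default = $CNF_DOMAIN
[server_cert]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $CNF_DOMAIN
DNS.2 = *.$CNF_DOMAIN
EOF
}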
#######################################
# Write the extension file handed to `openssl x509 -extfile` when signing.
# Arguments: $1 - path of the extension file to write (overwritten)
#            $2 - domain name; the SAN list is the domain plus its wildcard
# Outputs:   the extension file at $1
# Returns:   status of the write
#######################################
create_local_ext () {
  local ext_file="$1"
  local ext_domain="$2"
  # Delimiter left unquoted so $ext_domain expands inside the document.
  cat << EOF > "$ext_file"
[server_cert]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $ext_domain
DNS.2 = *.$ext_domain
EOF
}
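# Generate a private key
if [ ! -f "$PRIVKEY_PEM" ]; then
  echo "Generating new certificate private key"
  openssl genrsa -out "$PRIVKEY_PEM" 2048
  # The key is the secret the certificate protects; pin its mode so it is not
  # readable by other users regardless of umask or openssl version.
  chmod 600 -- "$PRIVKEY_PEM"
  echo "Generated certificate private key"
else
  echo "Found certificate private key"
fi
# Both halves of the intermediate CA are needed to sign the domain cert.
# Backticks are escaped so the tool name is printed, not executed.
if [ ! -f "$INTERMEDIATE_CERT_PEM" ]; then
  echo "Could not find CA cert \"$INTERMEDIATE_CERT_PEM\"" >&2
  echo "Please run \`selfsign-ca\` first" >&2
  exit 1
fi
if [ ! -f "$INTERMEDIATE_KEY_PEM" ]; then
  echo "Could not find CA key \"$INTERMEDIATE_KEY_PEM\"" >&2
  echo "Please run \`selfsign-ca\` first" >&2
  exit 1
fi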
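# Issue the certificate only when none exists yet; every intermediate artefact
# (config, CSR, extfile) is likewise reused if already present.
if [ ! -f "$CERT_PEM" ]; then
  if [ ! -f "$CERT_CSR_PEM" ]; then
    if [ ! -f "$LOCAL_CNF" ]; then
      echo "Setting up the domain config"
      create_local_cnf "$LOCAL_CNF" "$DOMAIN"
      echo "Created the local domain config"
    else
      echo "Found local openssl config"
    fi
    echo "Creating a new certificate sign request (CSR)"
    # Create a certificate signing request from the existing private key.
    # -extensions selects the [server_cert] section of the local config.
    # -nodes only affects a key that req generates itself; with -key supplied
    # it has no effect and is kept for compatibility.
    openssl req \
      -new \
      -nodes \
      -config "$LOCAL_CNF" \
      -extensions server_cert \
      -key "$PRIVKEY_PEM" \
      -out "$CERT_CSR_PEM"
    echo "Created local certificate sign request (CSR)"
  else
    echo "Found local certificate sign request (CSR)"
  fi
  if [ ! -f "$LOCAL_EXT" ]; then
    echo "Setting up the domain extension"
    create_local_ext "$LOCAL_EXT" "$DOMAIN"
    echo "Created the domain extension"
  else
    echo "Found local domain extension config"
  fi
  echo "Generating a new domain certificate"
  # Sign the CSR with the intermediate CA. The extensions come from -extfile
  # (x509 -req does not copy request extensions by default), so the issued
  # cert carries CA:FALSE and the wildcard SAN. -CAcreateserial creates the
  # serial file next to the CA cert the first time it is used.
  openssl x509 \
    -req \
    -extfile "$LOCAL_EXT" \
    -extensions server_cert \
    -CA "$INTERMEDIATE_CERT_PEM" \
    -CAkey "$INTERMEDIATE_KEY_PEM" \
    -CAcreateserial \
    -in "$CERT_CSR_PEM" \
    -out "$CERT_PEM" \
    -days "$CERT_DAYS" \
    -sha256
  echo "Generated the new domain certificate"
else
  echo "Found domain certificate"
fi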
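# fullchain.pem = leaf certificate followed by the CA chain.
if [ -f "$CERT_PEM" ]; then
  echo "Copying certificate to fullchain.pem"
  cat -- "$CERT_PEM" > "$FULLCHAIN_PEM"
  echo "Copied certificate to fullchain.pem"
fi
# Prefer a chain already in the output dir; otherwise copy the one produced
# under the install dir by the CA setup step.
if [ -f "$CHAIN_PEM" ]; then
  echo "Copying chain to fullchain"
  cat -- "$CHAIN_PEM" >> "$FULLCHAIN_PEM"
  echo "Copied chain to fullchain"
else
  echo "Chain certificate not found in local dir"
  if [ -f "$SRC_CHAIN_PEM" ]; then
    echo "Chain certificate found in install dir. Copying..."
    cp -- "$SRC_CHAIN_PEM" "$CHAIN_PEM"
    echo "Chain certificate copied to local dir"
    cat -- "$CHAIN_PEM" >> "$FULLCHAIN_PEM"
    echo "Copied chain to fullchain"
  else
    # Escaped backticks: print the tool name instead of running it.
    echo "Could not find chain certificate \"$SRC_CHAIN_PEM\"" >&2
    echo "Please run \`selfsign-ca\` if you want to include it in the fullchain certificate" >&2
  fi
fi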
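#######################################
# Remove the per-domain request artefacts that are not needed once the
# certificate has been issued.
# Globals:   LOCAL_EXT, LOCAL_CNF, CERT_CSR_PEM (read)
# Arguments: none
# Returns:   0; missing files are skipped silently
#######################################
clean_configs () {
  local f
  # Quoted and with `--` so paths containing spaces or a leading dash work.
  for f in "$LOCAL_EXT" "$LOCAL_CNF" "$CERT_CSR_PEM"; do
    if [ -f "$f" ]; then
      rm -- "$f"
    fi
  done
}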
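# Leftover request artefacts: config, extfile and CSR. (The CSR check used a
# misspelled variable before, so a lone CSR was never detected.)
if [ -f "$LOCAL_EXT" ] || [ -f "$LOCAL_CNF" ] || [ -f "$CERT_CSR_PEM" ]; then
  HAS_CONFIGS=true
fi
if [ "$HAS_CONFIGS" = true ]; then
  # Ask only when cleanup was not already requested (-z/--clean) and
  # interaction is allowed (not -s/--silent).
  if [ "$CLEAN_CONFIGS" = false ] && [ "$SILENT" = false ]; then
    read -r -n 1 -p "Do you want to clean configs? (yes/no) " REPLY
    echo # move to a new line after the single-character answer
    if [[ $REPLY =~ ^[Yy]$ ]]; then
      CLEAN_CONFIGS=true
    fi
  fi
  if [ "$CLEAN_CONFIGS" = true ]; then
    clean_configs
  fi
fi
echo "Complete!"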