104 lines
3.4 KiB
Bash
Executable File
104 lines
3.4 KiB
Bash
Executable File
# TODO key usage
|
|
|
|
OPENSSL_CONF=$(pwd)/openssl.cnf
|
|
|
|
TOP_DIR=fic_pki
|
|
|
|
CAKEY=./cakey.key
|
|
CAREQ=./careq.csr
|
|
CACERT=./cacert.crt
|
|
DAYS=365
|
|
|
|
GREEN="\033[1;32m"
|
|
RED="\033[1;31m"
|
|
COLOR_RST="\033[0m"
|
|
|
|
usage()
|
|
{
|
|
echo "Usage: $0 (-newca|-newserver|-newclient NAME)"
|
|
exit 1
|
|
}
|
|
|
|
[ $# -lt 1 ] && usage
|
|
|
|
export OPENSSL_CONF=${OPENSSL_CONF}
|
|
|
|
case $1 in
|
|
"-newca" )
|
|
echo -e -n "${GREEN}Create the directories, take care this will delete"
|
|
echo -e "the old directories ${COLOR_RST}"
|
|
sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"
|
|
|
|
rm -rf ${TOP_DIR}
|
|
mkdir -p ${TOP_DIR}/certs
|
|
mkdir -p ${TOP_DIR}/crl
|
|
mkdir -p ${TOP_DIR}/newcerts
|
|
mkdir -p ${TOP_DIR}/private
|
|
touch ${TOP_DIR}/index.txt
|
|
|
|
echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
|
|
sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
|
|
sed -i "s/=.*#DIR/= ${TOP_DIR} #DIR/" $OPENSSL_CONF
|
|
sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
|
|
|
|
openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \
|
|
-out ${TOP_DIR}/${CAREQ}
|
|
|
|
echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
|
|
openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \
|
|
-days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \
|
|
-selfsign -extensions v3_ca -infiles ${TOP_DIR}/${CAREQ}
|
|
;;
|
|
"-newserver" )
|
|
echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"
|
|
if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
|
|
echo -e "${RED}Can not found the CA's key${COLOR_RST}"
|
|
exit 2
|
|
fi
|
|
sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
|
|
openssl req -batch -new -keyout server.key -out server.csr -days ${DAYS}
|
|
echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
|
|
openssl ca -policy policy_match -out server.crt -infiles server.csr
|
|
if [ $? -ne 0 ]; then
|
|
echo -e "${RED}Signing failed${COLOR_RST}"
|
|
rm -rf server.key server.crt server.csr
|
|
exit 3
|
|
else
|
|
rm server.csr # remove ?
|
|
echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
|
|
fi
|
|
;;
|
|
"-newclient" )
|
|
[ $# -ne 2 ] && "Usage: $0 -newclient NAME"
|
|
echo -e "${GREEN}Making the client key and csr${COLOR_RST}"
|
|
|
|
if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
|
|
echo -e "${RED}Can not found the CA's key${COLOR_RST}"
|
|
exit 2
|
|
fi
|
|
sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
|
|
sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF
|
|
|
|
openssl req -batch -new -keyout ${2}.key -out ${2}.csr -days ${DAYS}
|
|
echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
|
|
openssl ca -policy policy_match -out ${2}.crt -infiles ${2}.csr
|
|
if [ $? -ne 0 ]; then
|
|
echo -e "${RED}Signing failed${COLOR_RST}"
|
|
exit 3
|
|
fi
|
|
echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
|
|
openssl pkcs12 -export -inkey ${2}.key -in ${2}.crt -name ${2} -out ${2}.p12
|
|
if [ $? -ne 0 ]; then
|
|
echo -e "${RED}pkcs12 export failed${COLOR_RST}"
|
|
exit 4
|
|
else
|
|
echo -e "Exported pkcs12 file is ${2}.p12"
|
|
fi
|
|
|
|
rm -rf ${2}.key ${2}.csr ${2}.crt
|
|
;;
|
|
* )
|
|
usage
|
|
;;
|
|
esac
|