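#!/bin/bash
#
# gencerts.sh - create (or reuse) a local root CA, issue a CA-signed server
# certificate for one domain name, and wrap the results in a Java keystore
# and truststore.
#
# Usage: gencerts.sh NAME [SECRET] [CAFILE]
#   NAME    domain name; used as the CN, as the DNS SAN and as the output
#           file stem
#   SECRET  keystore/truststore password; defaults to "secret" when omitted
#   CAFILE  file stem of an existing CA pair (CAFILE.pem + CAFILE.key); when
#           omitted a new root CA named "<Alias>RootCA" is generated
# The certificate alias is read interactively from stdin.
#
# Outputs in the current directory: NAME.key, NAME.pem, NAME.crt,
# <alias>-keystore.p12, <alias>-truststore.p12 and, when a CA is generated,
# CAFILE.key, CAFILE.pem, CAFILE.crt (plus CAFILE.srl from -CAcreateserial).
set -euo pipefail

die() { printf 'gencerts: %s\n' "$*" >&2; exit 1; }

NAME=${1:-}   # Use your own domain name
SECRET=${2:-} # Keystore password
CAFILE=${3:-} # File name (stem) of the CA cert and key

[[ -n "$NAME" ]] || die "usage: ${0##*/} NAME [SECRET] [CAFILE]"
# NAME and CAFILE become file names; refuse values that would leave the
# working directory or be parsed as an option by openssl/keytool.
[[ "$NAME" != */* && "$NAME" != -* ]] || die "invalid domain name: $NAME"
[[ "$CAFILE" != */* && "$CAFILE" != -* ]] || die "invalid CA file name: $CAFILE"

# -r keeps backslashes literal in the alias.
read -e -r -p "Certificate alias: " alias
alias=${alias,,} # normalise to lower case
[[ -n "$alias" && "$alias" != */* && "$alias" != -* ]] || die "invalid certificate alias: $alias"

######################
# Become a CA or use existing one
######################
if [[ -z "$SECRET" ]]; then
  SECRET="secret"
  printf 'gencerts: no password given, using the default "secret"\n' >&2
fi
# Hand the password to openssl/keytool through the environment rather than
# argv, so it is not visible in `ps` output while the tools run.
export GENCERTS_PASS="$SECRET"

if [[ -z "$CAFILE" ]]; then
  CAFILE="${alias^}RootCA"
  # Generate root certificate
  openssl req -x509 -new -nodes -sha256 -days 1024 -newkey rsa:2048 \
    -keyout "$CAFILE.key" -out "$CAFILE.pem" -subj "/C=BG/CN=$CAFILE"
  # Private key stays readable by the owner only.
  chmod 600 -- "$CAFILE.key"
  # Create a Windows-compatible crt file
  openssl x509 -outform pem -in "$CAFILE.pem" -out "$CAFILE.crt"
else
  [[ -r "$CAFILE.pem" && -r "$CAFILE.key" ]] || die "CA files $CAFILE.pem / $CAFILE.key not found or not readable"
fi

######################
# Create CA-signed certs
######################
# Intermediate files are removed on every exit path, not only on success.
cleanup() { rm -f -- "$NAME.csr" "$NAME.ext"; }
trap cleanup EXIT

# Create a certificate-signing request
openssl req -new -nodes -newkey rsa:2048 -keyout "$NAME.key" -out "$NAME.csr" \
  -subj "/C=BG/ST=EU/L=Sofia/O=Erudika/CN=$NAME"
chmod 600 -- "$NAME.key"
# Create a config file for the extensions
cat >"$NAME.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
#IP.1 = 192.168.0.10 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF
# Create the signed certificate
openssl x509 -req -sha256 -days 1024 -in "$NAME.csr" -CA "$CAFILE.pem" -CAkey "$CAFILE.key" \
  -CAcreateserial -extfile "$NAME.ext" -out "$NAME.pem"
# Create a Windows-compatible crt file
openssl x509 -outform pem -in "$NAME.pem" -out "$NAME.crt"

######################
# Create Java Keystore
######################
openssl pkcs12 -export -out "${alias}-keystore.p12" -in "$NAME.pem" -inkey "$NAME.key" \
  -name "$alias" -passin env:GENCERTS_PASS -passout env:GENCERTS_PASS

######################
# Create Java Truststore
######################
keytool -v -importcert -file "$CAFILE.pem" -alias root-ca \
  -keystore "${alias}-truststore.p12" -storepass:env GENCERTS_PASS -noprompt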