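#!/bin/sh
# Generate a self-signed root CA and a leaf (server) certificate for DOMAIN,
# rebuilding each artifact only when one of its inputs is missing or newer.
#
# Environment (all optional):
#   DOMAIN                    leaf name / output file prefix (default: localhost)
#   SAN                       extra subject alternative names, space separated
#                             (default: 127.0.0.1); DOMAIN is prepended
#   CONF_PATH                 directory holding root.cnf and leaf.cnf
#                             (default: /data/config)
#   CERT_PATH                 output directory for keys, CSRs and certificates
#                             (default: /data/certificates)
#   ROOT_CERT_EXPIRATION_DAYS validity of the root certificate (default: 36500)
#   LEAF_CERT_EXPIRATION_DAYS validity of the leaf certificate (default: 36500)
#
# DOMAIN, SAN and ALT_NAMES are exported so that ./format-san.sh and the
# openssl config files can pick them up. ./format-san.sh is resolved relative
# to the current working directory, not to this script.
#
# Exits non-zero on the first failing step (set -e) so a half-built chain is
# never silently reported as success.
set -eu

: "${DOMAIN=localhost}"
export DOMAIN
: "${SAN=127.0.0.1}"
: "${CONF_PATH=/data/config}"
: "${CERT_PATH=/data/certificates}"
: "${ROOT_CERT_EXPIRATION_DAYS=36500}"
: "${LEAF_CERT_EXPIRATION_DAYS=36500}"
export SAN="$DOMAIN $SAN"

ALT_NAMES="$(./format-san.sh)"
export ALT_NAMES

root_cnf="${CONF_PATH}/root.cnf"
leaf_cnf="${CONF_PATH}/leaf.cnf"
tld_cnf="${CERT_PATH}/${DOMAIN}_names.txt"
root_key="${CERT_PATH}/root.key.pem"
root_csr="${CERT_PATH}/root.csr.pem"
root_crt="${CERT_PATH}/root.crt.pem"
root_srl="${CERT_PATH}/root.srl"
leaf_key="${CERT_PATH}/${DOMAIN}.key.pem"
leaf_csr="${CERT_PATH}/${DOMAIN}.csr.pem"
leaf_crt="${CERT_PATH}/${DOMAIN}.crt.pem"

# die MSG... — print an error to stderr and exit 1.
die() {
  printf 'ERR: %s\n' "$*" >&2
  exit 1
}

# require_file FILE LABEL — abort unless FILE is a regular file.
require_file() {
  [ -f "$1" ] || die "missing $2: $1"
}

# stale TARGET DEP... — succeed when TARGET is missing or any DEP is newer
# than it (a missing DEP never counts as newer).
stale() {
  target=$1
  shift
  if [ ! -f "$target" ]; then
    return 0
  fi
  for dep in "$@"; do
    if [ "$dep" -nt "$target" ]; then
      return 0
    fi
  done
  return 1
}

# gen_key FILE — create a 4096-bit RSA private key unless FILE already exists.
# The key is written under umask 077 so it is never group/world readable,
# even for an instant before a later chmod could run.
gen_key() {
  if [ ! -f "$1" ]; then
    ( umask 077 && openssl genrsa -out "$1" 4096 )
  fi
}

require_file "$root_cnf" "root config"
require_file "$leaf_cnf" "leaf config"

# Record the SAN list actually used. Rewriting the file bumps its mtime, which
# is what forces the leaf CSR (and hence the leaf cert) to be regenerated.
if [ ! -f "$tld_cnf" ] || [ "$ALT_NAMES" != "$(cat "$tld_cnf")" ]; then
  printf '%s\n' "$ALT_NAMES" > "$tld_cnf"
fi

# root key
gen_key "$root_key"

# root csr: when no csr, key newer than csr, conf newer than csr
if stale "$root_csr" "$root_key" "$root_cnf"; then
  openssl req -new -out "$root_csr" -key "$root_key" -config "$root_cnf"
fi

# root crt: when no crt, csr newer than crt, conf newer than crt
if stale "$root_crt" "$root_csr" "$root_cnf"; then
  openssl x509 -req -days "$ROOT_CERT_EXPIRATION_DAYS" \
    -in "$root_csr" -signkey "$root_key" -out "$root_crt" \
    -extensions v3_ca -extfile "$root_cnf"
fi

# leaf key
gen_key "$leaf_key"

# leaf csr: when no csr, key newer than csr, conf newer than csr,
# SAN record newer than csr (the variable was previously misspelled, so this
# last trigger never fired)
if stale "$leaf_csr" "$leaf_key" "$leaf_cnf" "$tld_cnf"; then
  openssl req -new -out "$leaf_csr" -key "$leaf_key" -config "$leaf_cnf"
fi

# leaf crt: when no crt, csr newer than crt, leaf conf (the -extfile used
# here) or root conf newer than crt, root crt newer than crt
if stale "$leaf_crt" "$leaf_csr" "$leaf_cnf" "$root_cnf" "$root_crt"; then
  openssl x509 -req -days "$LEAF_CERT_EXPIRATION_DAYS" \
    -in "$leaf_csr" -CA "$root_crt" -CAkey "$root_key" \
    -CAserial "$root_srl" -CAcreateserial -out "$leaf_crt" \
    -extensions v3_server_cert -extfile "$leaf_cnf"
fi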