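#! /bin/sh
# Issue a certificate for one client FQDN, signed by the local CA.
#
# Usage:  $0 FQDN
# Reads (relative to the current directory):
#   ca/ca.crt, private/ca.key   CA certificate and key
#   x509v3.cnf                  shared extension config, copied verbatim
#   openssl.cnf                 request config; its commonName line is rewritten
#   ca.pass                     optional CA key passphrase (-passin file:)
# Env:
#   CERTUSAGE, EXTCERTUSAGE, NSCERTTYPE   substituted by openssl via $ENV::
#                                         into the x509v3_FQDN section
#   CERT_DAYS                             validity in days (default 3650)
# Writes:
#   clients/FQDN/FQDN.key, .pub, .csr and certs/FQDN.crt; openssl also
#   creates the CA serial file next to ca/ca.crt on first use (-CAcreateserial).
# Exit:   1 on usage/validation error, otherwise the first failing command's
#         status (set -e); the two temporary config files are removed on any exit.

CLIENT=$1
if [ -z "${CLIENT}" ] ; then
  printf 'Usage: %s FQDN\n' "$0" >&2
  exit 1
fi

# The FQDN is spliced into file paths and into a sed script below, so only
# accept hostname characters: no '/', '..', '&', '\', whitespace or a
# leading '-' (which the tools would read as an option).
case "${CLIENT}" in
  *[!A-Za-z0-9._-]*|.*|-*|*..*)
    printf 'error: "%s" is not a valid FQDN\n' "${CLIENT}" >&2
    exit 1 ;;
esac

set -e

CACERT=ca/ca.crt
CAKEY=private/ca.key
CLIENTDIR=clients/${CLIENT}
CLIENTKEY=${CLIENTDIR}/${CLIENT}.key
CLIENTPUB=${CLIENTDIR}/${CLIENT}.pub
CLIENTCSR=${CLIENTDIR}/${CLIENT}.csr
CLIENTCRT=certs/${CLIENT}.crt
CERT_DAYS=${CERT_DAYS:-3650}

# openssl cannot expand an unset $ENV:: reference in the extension file and
# only reports it at signing time; fail early with a clear message instead.
: "${CERTUSAGE:?must be set (keyUsage value)}"
: "${EXTCERTUSAGE:?must be set (extendedKeyUsage value)}"
: "${NSCERTTYPE:?must be set (nsCertType value)}"

# Per-run config files live in the working directory; remove them on every
# exit path, not only after a successful run.
EXTFILE=x509v3_ca.cnf
SIGNCNF=sign-${CLIENT}.cnf
cleanup() {
  rm -f -- "${EXTFILE}" "${SIGNCNF}"
}
trap cleanup EXIT

mkdir -p -- "${CLIENTDIR}" certs

# Extension section for this client: the shared x509v3.cnf plus a section
# whose usage values openssl reads from the environment (hence the escaped
# $ENV::, which must reach the file literally).
{
  cat -- x509v3.cnf
  cat <<EOF
[ x509v3_FQDN ]
keyUsage = \$ENV::CERTUSAGE
subjectAltName = DNS:${CLIENT}
extendedKeyUsage = \$ENV::EXTCERTUSAGE
nsCertType = \$ENV::NSCERTTYPE
EOF
} > "${EXTFILE}"

# Request config with the commonName set to this client. CLIENT was
# validated above, so it contains no sed metacharacters or delimiters.
sed "s/^commonName.*/commonName=${CLIENT}/" openssl.cnf > "${SIGNCNF}"

# Create the client key once and never overwrite it. The umask keeps the
# key file private regardless of what the installed openssl does on its own.
if [ ! -f "${CLIENTKEY}" ] ; then
  ( umask 077 && openssl genrsa -out "${CLIENTKEY}" 2048 )
fi
if [ ! -f "${CLIENTPUB}" ] ; then
  openssl rsa -in "${CLIENTKEY}" -pubout -out "${CLIENTPUB}"
fi

# Create a signing request
openssl req -new -key "${CLIENTKEY}" \
  -config "${SIGNCNF}" -out "${CLIENTCSR}"

# Optional CA passphrase: passed by file name so the secret itself never
# appears on a command line. The positional parameters are reused as the
# argument list because POSIX sh has no arrays; CLIENT was saved above.
set --
if [ -e ca.pass ] ; then
  set -- -passin file:ca.pass
fi

# And sign the certificate
openssl x509 -req -sha256 -days "${CERT_DAYS}" \
  -in "${CLIENTCSR}" \
  -CA "${CACERT}" -CAkey "${CAKEY}" \
  -CAcreateserial \
  -extfile "${EXTFILE}" -extensions x509v3_FQDN \
  -out "${CLIENTCRT}" \
  "$@"

openssl verify -CAfile "${CACERT}" "${CLIENTCRT}"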