Initial commit of easy-ca scripts

cgzones · Sep 5, 2015 · b2925ab · b2925ab
1 parent 075c860
commit b2925ab
Show file tree

Hide file tree

Showing 11 changed files with 938 additions and 0 deletions.
diff --git a/create-client b/create-client
@@ -0,0 +1,76 @@
+#!/bin/bash
+# Derek Moore <derek.moore@gmail.com>
+
+usage() {
+    echo "Usage: $0 -c CLIENT_NAME"
+    echo "Issues a client certificate for CLIENT_NAME"
+    echo
+    echo "Options:"
+    echo "    -c CLIENT_NAME  Client name (commonName) for the new cert"
+    echo
+    exit 2
+}
+
+CLIENT_NAME=
+
+while getopts c: FLAG; do
+    case $FLAG in
+        c) CLIENT_NAME=${OPTARG} ;;
+        *) usage ;;
+    esac
+done
+
+if [ "${CLIENT_NAME}" == "" ]; then
+    usage
+fi
+
+BIN_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${BIN_DIR}/functions
+source ${BIN_DIR}/defaults.conf
+
+SAFE_NAME=`echo $CLIENT_NAME | sed 's/\*/star/g'`
+SAFE_NAME=`echo $SAFE_NAME | sed 's/[^A-Za-z0-9-]/-/g'`
+
+echo
+echo "Creating new client certificate for '${CLIENT_NAME}'"
+echo
+
+pushd ${BIN_DIR}/.. > /dev/null
+
+if [ -f conf/${SAFE_NAME}.client.conf ]; then
+    echo "Configuration already exists for '${CLIENT_NAME}', exiting."
+    exit 1
+fi
+
+echo -n "Enter passphase for signing CA key: "
+read -s PASS
+echo
+export CA_PASS=${PASS}
+
+# Generate the client cert openssl config
+export SAN=""
+export CA_USERNAME=${CLIENT_NAME}
+template "${BIN_DIR}/templates/client.tpl" "conf/${SAFE_NAME}.client.conf"
+
+# Create the client key and csr
+openssl req -new -nodes \
+            -config conf/${SAFE_NAME}.client.conf \
+            -keyout private/${SAFE_NAME}.client.key \
+            -out csr/${SAFE_NAME}.client.csr
+chmod 0400 private/${SAFE_NAME}.client.key
+
+# Create the client certificate
+openssl ca -batch -notext \
+           -config conf/ca.conf \
+           -in csr/${SAFE_NAME}.client.csr \
+           -out certs/${SAFE_NAME}.client.crt \
+           -days 730 \
+           -extensions client_ext \
+           -passin env:CA_PASS
+
+popd > /dev/null
+
+echo
+echo "Client certificate created."
+echo
+
diff --git a/create-root-ca b/create-root-ca
@@ -0,0 +1,97 @@
+#!/bin/bash
+# Derek Moore <derek.moore@gmail.com>
+
+usage() {
+    echo "Usage: $0 -d CA_DIR"
+    echo "Initializes a new root CA in CA_DIR"
+    echo
+    echo "Options:"
+    echo "    -d CA_DIR  Target directory to be created and initialized"
+    echo
+    exit 2
+}
+
+CA_DIR=
+
+while getopts d: FLAG; do
+    case $FLAG in
+        d) CA_DIR=${OPTARG} ;;
+        *) usage ;;
+    esac
+done
+
+if [ "${CA_DIR}" == "" ]; then
+    usage
+fi
+
+BIN_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${BIN_DIR}/functions
+[[ -f "${BIN_DIR}/defaults.conf" ]] && source ${BIN_DIR}/defaults.conf
+
+HOME=$CA_DIR
+CA_NAME=$( basename "${HOME}" )
+
+echo
+echo "Creating root CA in '${HOME}'"
+echo
+
+init_ca_home ${HOME}
+generate_conf ${HOME}/bin/defaults.conf
+source ${HOME}/bin/defaults.conf
+
+echo
+echo -n "Enter passphase for encrypting root CA key: "
+read -s PASS1
+echo
+echo -n "Verifying - Enter passphase for encrypting root CA key: "
+read -s PASS2
+echo
+
+if [ "${PASS1}" != "${PASS2}" ]; then
+    echo "Passphrases did not match, exiting."
+    exit 1
+fi
+export CA_PASS=${PASS1}
+
+pushd ${HOME} > /dev/null
+
+# Generate the root CA openssl config
+template "${BIN_DIR}/templates/root.tpl" "conf/ca.conf"
+
+# Create the root CA csr
+openssl genrsa -out ca/private/ca.key -passout env:CA_PASS 4096
+chmod 0400 ca/private/ca.key
+
+# Create the root CA csr
+openssl req -new -batch \
+            -config conf/ca.conf \
+            -key ca/private/ca.key \
+            -out ca/ca.csr \
+            -passin env:CA_PASS
+
+# Create the root CA certificate
+openssl ca -selfsign -batch -notext \
+           -config conf/ca.conf \
+           -in ca/ca.csr \
+           -out ca/ca.crt \
+           -days 3652 \
+           -extensions root_ca_ext \
+           -passin env:CA_PASS
+
+# Create the root CRL
+openssl ca -gencrl -batch \
+           -config conf/ca.conf \
+           -out crl/ca.crl
+
+# Replicate the existing binary directory
+for BIN in ${BINARIES}; do
+    cp ${BIN_DIR}/${BIN} bin/
+done
+cp -r ${BIN_DIR}/templates bin/
+
+popd > /dev/null
+
+echo
+echo "Root CA initialized."
+echo
+
diff --git a/create-server b/create-server
@@ -0,0 +1,95 @@
+#!/bin/bash
+# Derek Moore <derek.moore@gmail.com>
+
+usage() {
+    echo "Usage: $0 -s SERVER_NAME [-a ALT_NAME]..."
+    echo "Issues a server certificate for SERVER_NAME"
+    echo
+    echo "Options:"
+    echo "    -s SERVER_NAME  Server hostname (commonName) for the new cert"
+    echo "    -a ALT_NAME     One (or more) subjectAltNames for the new cert (optional)"
+    echo
+    exit 2
+}
+
+SERVER_NAME=
+ALT_NAME=
+
+while getopts s:a: FLAG; do
+    case $FLAG in
+        s) SERVER_NAME=${OPTARG}
+           if [ -z "${ALT_NAME}" ]; then
+               ALT_NAME="DNS:${OPTARG}"
+           else
+               ALT_NAME="${ALT_NAME}, DNS:${OPTARG}"
+           fi
+           ;;
+        a) if [ -z "${ALT_NAME}" ]; then
+               ALT_NAME="DNS:${OPTARG}"
+           else
+               ALT_NAME="${ALT_NAME}, DNS:${OPTARG}"
+           fi
+           ;;
+        *) usage
+           ;;
+    esac
+done
+
+if [ "${SERVER_NAME}" == "" ]; then
+    usage
+fi
+
+
+BIN_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${BIN_DIR}/functions
+source ${BIN_DIR}/defaults.conf
+
+# Sanitize the commonName to make it suitable for use in filenames
+SAFE_NAME=`echo ${SERVER_NAME} | sed 's/\*/star/g'`
+SAFE_NAME=`echo ${SAFE_NAME} | sed 's/[^A-Za-z0-9-]/-/g'`
+
+echo
+echo "Creating new SSL server certificate for:"
+echo "commonName: ${SERVER_NAME}"
+echo "subjectAltName: ${ALT_NAME}"
+echo
+
+pushd ${BIN_DIR}/.. > /dev/null
+
+if [ -f conf/${SAFE_NAME}.server.conf ]; then
+    echo "Configuration already exists for '${SERVER_NAME}', exiting."
+    exit 1
+fi
+
+echo -n "Enter passphase for signing CA key: "
+read -s PASS
+echo
+export CA_PASS=${PASS}
+
+# Generate the server openssl config
+export CA_HOSTNAME=${SERVER_NAME}
+export SAN=${ALT_NAME}
+template "${BIN_DIR}/templates/server.tpl" "conf/${SAFE_NAME}.server.conf"
+
+# Create the server key and csr
+openssl req -new -nodes \
+            -config conf/${SAFE_NAME}.server.conf \
+            -keyout private/${SAFE_NAME}.server.key \
+            -out csr/${SAFE_NAME}.server.csr
+chmod 0400 private/${SAFE_NAME}.server.key
+
+# Create the server certificate
+openssl ca -batch -notext \
+           -config conf/ca.conf \
+           -in csr/${SAFE_NAME}.server.csr \
+           -out certs/${SAFE_NAME}.server.crt \
+           -days 730 \
+           -extensions server_ext \
+           -passin env:CA_PASS
+
+popd > /dev/null
+
+echo
+echo "Server certificate created."
+echo
+
diff --git a/create-signing-ca b/create-signing-ca
@@ -0,0 +1,115 @@
+#!/bin/bash
+# Derek Moore <derek.moore@gmail.com>
+
+usage() {
+    echo "Usage: $0 -d CA_DIR"
+    echo "Initializes a new signing sub-CA in CA_DIR"
+    echo
+    echo "Options:"
+    echo "    -d CA_DIR  Target directory to be created and initialized"
+    echo
+    exit 2
+}
+
+CA_DIR=
+
+while getopts d: FLAG; do
+    case $FLAG in
+        d) CA_DIR=${OPTARG} ;;
+        *) usage ;;
+    esac
+done
+
+if [ "${CA_DIR}" == "" ]; then
+    usage
+fi
+
+BIN_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${BIN_DIR}/functions
+source ${BIN_DIR}/defaults.conf
+
+HOME=$CA_DIR
+PARENT=${BIN_DIR}/..
+CA_NAME=$( basename "${HOME}" )
+
+echo
+echo "Creating new signing sub-CA in '${HOME}'"
+echo
+
+init_ca_home ${HOME}
+generate_conf ${HOME}/bin/defaults.conf
+source ${HOME}/bin/defaults.conf
+
+echo
+echo -n "Enter passphase for encrypting signing CA key: "
+read -s PASS1
+echo
+echo -n "Verifying - Enter passphase for encrypting signing CA key: "
+read -s PASS2
+echo
+
+if [ "${PASS1}" != "${PASS2}" ]; then
+    echo "Passphrases did not match, exiting."
+    exit 1
+fi
+export CA_PASS=${PASS1}
+
+echo
+
+echo -n "Enter passphase for root CA key: "
+read -s PARENT_PASS
+echo
+export CA_PARENT_PASS=${PARENT_PASS}
+
+# Fully-qualify home to we can return to it later
+HOME=$( cd "${HOME}" && pwd )
+
+pushd ${HOME} > /dev/null
+
+# Generate the signing CA openssl config
+template "${BIN_DIR}/templates/signing.tpl" "conf/ca.conf"
+
+# Create the signing CA key
+openssl genrsa -out ca/private/ca.key -passout env:CA_PASS 2048
+chmod 0400 ca/private/ca.key
+
+# Create the signing CA csr
+openssl req -new -batch \
+            -config conf/ca.conf \
+            -key ca/private/ca.key \
+            -out ca/ca.csr \
+            -passin env:CA_PASS
+
+# Create the signing CA certificate
+pushd ${PARENT} > /dev/null
+openssl ca -batch -notext \
+           -config conf/ca.conf \
+           -in ${HOME}/ca/ca.csr \
+           -out ${HOME}/ca/ca.crt \
+           -days 3652 \
+           -extensions signing_ca_ext \
+           -passin env:CA_PARENT_PASS
+popd > /dev/null
+
+# Create the signing CRL
+openssl ca -gencrl -batch \
+           -config conf/ca.conf \
+           -out crl/ca.crl
+
+# Create the chain bundle if this is a sub-CA
+if [ -f "${PARENT}/ca/chain.pem" ]; then
+    cat ${PARENT}/ca/chain.pem > ca/chain.pem
+fi
+cat ca/ca.crt >> ca/chain.pem
+
+for BIN in ${BINARIES}; do
+    cp ${BIN_DIR}/${BIN} bin/
+done
+cp -r ${BIN_DIR}/templates bin/
+
+popd > /dev/null
+
+echo
+echo "Signing sub-CA initialized."
+echo
+
diff --git a/defaults.conf b/defaults.conf
@@ -0,0 +1,7 @@
+CA_DOMAIN=bogus.com
+
+CA_CERT_C="US"
+CA_CERT_ST="California"
+CA_CERT_L="San Francisco"
+CA_CERT_O="Bogus Inc."
+CA_CERT_OU="Operations"