/[pdpsoft]/nl.nikhef.pdp.tcs/nl.nikhef.pdp.tcs.tcsg4-tools/trunk/tcsg4-request.sh

Contents of /nl.nikhef.pdp.tcs/nl.nikhef.pdp.tcs.tcsg4-tools/trunk/tcsg4-request.sh



Revision 3330 - (show annotations) (download) (as text)
Mon Jul 5 08:35:52 2021 UTC (4 months, 3 weeks ago) by davidg
File MIME type: application/x-shellscript
File size: 4824 byte(s)
Create a PKCS#12 bundle for server certs - consolidated wildcard fixes

1 #! /bin/sh
2 #
3 # @(#)$Id$
4 #
5 #
6 # Copyright 2020 David Groep, Nikhef, Amsterdam
7 #
8 # Licensed under the Apache License, Version 2.0 (the "License");
9 # you may not use this file except in compliance with the License.
10 # You may obtain a copy of the License at
11 #
12 # http://www.apache.org/licenses/LICENSE-2.0
13 #
14 # Unless required by applicable law or agreed to in writing, software
15 # distributed under the License is distributed on an "AS IS" BASIS,
16 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 # See the License for the specific language governing permissions and
18 # limitations under the License.
19 #
20
# defaults; all of these can be overridden from the command line
bits="4096"   # RSA key length, or the curve name when an ECC key is requested
key="rsa"     # key algorithm selected: "rsa" or "ecc"
force="0"     # 1 = overwrite an existing destination directory
24
# ############################################################################
# usage help and instructions (printed to stdout; the function's status is
# that of cat)
#
help() {
  # quoted delimiter: the text contains no expansions, so keep it literal
  cat <<'EOF'
Usage: tcsg4-request.sh [-d destdir] hostname [hostname ...]

-d destdir write result files to <destdir>
(default: ./tcs-<hostname>/)
-b bits use <bits> for RSA key length (default: 4096) or curve for
ECC (e.g. "prime256v1", set explicitly)
-f | --force overwrite existing files
-E | --ecc generate ECC cert (remember to set -b to the curve!)

hostname hostname (FQDN) to be included in the request
Any literal string "WILDCARD" will be replaced by
a "*" in the hostname - it should ONLY be included as
the first element of the fqdn, and MUST be on its own
(the list of hostnames may be separated by spaces or commas)

EOF
}
47
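# ############################################################################
# command line: options first, then one or more hostnames
#
# Options that take a value are checked for the presence of that value before
# the "shift 2": with the value missing the shift fails, and depending on the
# shell that either aborts the script with a terse "shift" message or leaves
# "$1" untouched so that this loop never terminates.
#
while [ $# -gt 0 ]; do
  case "$1" in
    -b | --bits )
      [ $# -ge 2 ] || { echo "Option $1 requires an argument, exiting" >&2; exit 1; }
      bits="$2"; shift 2 ;;
    -E | --ecc ) key="ecc"; shift ;;
    -f | --force ) force=1; shift ;;
    -d | --destination )
      [ $# -ge 2 ] || { echo "Option $1 requires an argument, exiting" >&2; exit 1; }
      destdir="$2"; shift 2 ;;
    -h | --help ) help; exit 0 ;;
    -* ) echo "Unknown option $1, exiting" >&2 ; exit 1 ;;
    * ) break ;;
  esac
done

# without at least one hostname there is nothing to request: show the usage
# text and fail
if [ $# -eq 0 ]; then
  help
  exit 1
fi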
67
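# ############################################################################
# hostnames: the first argument is the CN (and names the default output
# directory), every argument becomes a SAN dNSName
#

# Strip the list separators (comma, space) and a "DNS:" prefix from one
# hostname argument and print what is left.  printf rather than echo, so an
# argument that happens to look like an echo option is passed through as-is.
strip_hostname() {
  printf '%s\n' "$1" | sed -e 's/[, ]//g;s/DNS://'
}

# Succeed only for a plausible DNS name: a letter followed by at least one
# more letter, digit, '.' or '-'.  The literal WILDCARD placeholder passes and
# is turned into "*" further down.  The check must cover the whole string - a
# pattern ending in "*" only constrains the leading characters - because the
# name is written verbatim into the openssl config file (CN, subjectAltName)
# and used for the output directory and file names, so a '/', '[', ';',
# newline or other stray character must never get through.
valid_hostname() {
  case "$1" in
    '' | ? | [!a-zA-Z]* | *[!a-zA-Z0-9.-]* ) return 1 ;;
  esac
  return 0
}

hn=$(strip_hostname "$1")
domain=$hn

if ! valid_hostname "$domain"; then
  echo "Invalid domain name '$domain', exiting." >&2
  exit 1
fi

destdir="${destdir:-tcs-$domain}"

echo "Creating request for $domain in $destdir"

if [ -d "$destdir" ] && [ "$force" -eq 0 ]; then
  echo "Directory $destdir for $domain already exists, exiting." >&2
  echo "use --force to override" >&2
  exit 1
fi

# every argument (the first one included) becomes a SAN entry; an empty
# argument is reported as an error rather than silently ending the list
alt=""
while [ $# -gt 0 ]; do
  hn=$(strip_hostname "$1")
  if ! valid_hostname "$hn"; then
    echo "Invalid hostname '$hn' in the SAN list, exiting." >&2
    exit 1
  fi
  alt="${alt:+$alt,}DNS:$hn"
  shift
done

filebase="$domain"

# the WILDCARD placeholder becomes a "*" only after validation and after the
# file name base has been derived, so no "*" ever reaches a path
domain=$(printf '%s\n' "$domain" | sed -e 's/WILDCARD/\*/g')
alt=$(printf '%s\n' "$alt" | sed -e 's/WILDCARD/\*/g')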
100
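echo "----------------------------------------------------------------------"
echo "Requesting certificate for $domain in $destdir"
echo " SAN dNSNames: $alt"

# The openssl config is assembled in a private temporary file and moved next
# to the request once it has been generated.  An unchecked mktemp would leave
# $fn empty and turn the redirection below into a confusing syntax error.
fn=$(mktemp /tmp/request.cnf.XXXXXX) || {
  echo "Cannot create a temporary config file, exiting." >&2
  exit 1
}

# no prompting: CN and subjectAltName come straight from the validated
# hostnames; default_keyfile is informational, the key is passed explicitly
# to "openssl req" later
cat <<EOF > "$fn"
[ req ]
default_bits = 0
default_keyfile = $destdir/key-$filebase.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
req_extensions = v3_req
default_md = sha256

[ req_distinguished_name ]
CN = $domain

[ v3_req ]
subjectAltName = $alt

[ req_attributes ]
EOF

echo "Written cnf file to $fn"

mkdir -p "$destdir" 2>/dev/null
if [ ! -d "$destdir" ]; then
  echo "Directory $destdir cannot be found or created, exiting." >&2
  rm -f -- "$fn"   # nothing else will ever pick the temp file up
  exit 1
fi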
133
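# ############################################################################
# generate the keyfile first
#
# The private key is created under a restrictive umask, inside a subshell so
# the umask does not leak to the rest of the script: the chmod 0600 that the
# script applies later would otherwise leave the key world-readable (subject
# to the caller's umask) for the whole time the request is being generated.
# A failed key generation is fatal; continuing would only produce a second,
# more confusing error from "openssl req".
#
keyfile="$destdir/key-$filebase.pem"
case "$key" in
  rsa )
    ( umask 077 && openssl genpkey -out "$keyfile" -outform pem -algorithm rsa -pkeyopt "rsa_keygen_bits:$bits" )
    ;;
  ecc )
    # a numeric value of bits is the RSA default (or an RSA length), not a
    # curve name: fall back to the default curve
    if [ "$bits" -gt 0 ] 2>/dev/null; then
      echo "!!! value of bits invalid for ECC, set to default prime256v1" >&2
      bits="prime256v1"
    fi
    ( umask 077 && openssl genpkey -out "$keyfile" -outform pem -algorithm ec -pkeyopt "ec_paramgen_curve:$bits" )
    ;;
  * )
    echo "Unknown key type (internal error): $key" >&2
    exit 1
    ;;
esac
# the status of "case" is that of the genpkey subshell in the arm taken
rc=$?
if [ "$rc" -ne 0 ] || [ ! -s "$keyfile" ]; then
  echo "Generating the $key key in $keyfile failed (openssl exit status $rc), exiting." >&2
  exit 1
fi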
153
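# ############################################################################
# create the CSR from the freshly generated key, keep a human-readable copy
# of it and move the openssl config next to it
#
keyfile="$destdir/key-$filebase.pem"
reqfile="$destdir/request-$filebase.pem"

# a failed request must not be silently followed by the "left request in"
# message below; the config is still moved into place for debugging
if ! openssl req \
    -nodes \
    -config "$fn" \
    -new -key "$keyfile" \
    -out "$reqfile"; then
  echo "Creating the request for $domain failed, exiting." >&2
  mv "$fn" "$destdir/config-$filebase.cnf"
  exit 1
fi

# human-readable dump of the request, for inspection before submission
openssl req -in "$reqfile" -text -out "$destdir/request-$filebase.txt"

# belt and braces: the key should already have been created with restrictive
# permissions, make sure of it before handing the directory over
chmod 0600 "$keyfile"
mv "$fn" "$destdir/config-$filebase.cnf"

echo "----------------------------------------------------------------------"
echo "Domain name CN = $domain"
echo "SubjectAltNames = $alt"
echo "Key length $key = $bits"

cat "$reqfile"

echo "----------------------------------------------------------------------"
echo "left request in $reqfile"
echo "go there by cd $destdir"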

Properties

Name Value
svn:executable *
