#! /bin/sh
#
# @(#)$Id$
#
# tcsg4-request.sh - generate a private key and a certificate signing
# request for one or more hostnames (all of them listed as subjectAltName
# dNSNames); the result files are written to ./tcs-<hostname>/ unless a
# destination directory is given.
#
# Copyright 2020 David Groep, Nikhef, Amsterdam
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Defaults; each can be overridden on the command line (see help below).
#   bits  - RSA key length in bits, or the curve name when -E/--ecc is used
#   key   - key algorithm: "rsa" or "ecc"
#   force - set to 1 to allow reuse of an existing destination directory
bits=4096
key="rsa"
force=0
24    
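# ############################################################################
# usage help and instructions
#
# Prints the command line synopsis to stdout and returns 0. The heredoc
# delimiter is quoted so nothing in the text is subject to expansion. The
# long forms --bits and --destination are listed because the option parser
# accepts them.
#
help() {
  cat <<'EOF'
Usage: tcsg4-request.sh [-d destdir] [-b bits] [-f] [-E] hostname [hostname ...]

  -d | --destination destdir
                 write result files to <destdir>
                 (default: ./tcs-<hostname>/)
  -b | --bits bits
                 use <bits> for RSA key length (default: 4096) or curve for
                 ECC (e.g. "prime256v1", set explicitly)
  -f | --force   overwrite existing files
  -E | --ecc     generate ECC cert (remember to set -b to the curve!)

  hostname       hostname (FQDN) to be included in the request
                 Any literal string "WILDCARD" will be replaced by
                 a "*" in the hostname - it should ONLY be included as
                 the first element of the fqdn, and MUST be on its own
                 (the list of hostnames may be separated by spaces or commas)

EOF
}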
47    
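# ############################################################################
# command line parsing: options first, everything after them is a hostname
#
# Options that take a value (-b, -d) are checked for the presence of that
# value. Without the check a trailing "-b" or "-d" makes "shift 2" fail, and
# on shells that do not abort on a failed shift "$1" stays in place so the
# loop never terminates.
#

# need_arg OPTION - report a value-taking option given without a value
need_arg() {
  echo "Option $1 requires an argument, exiting" >&2
  exit 1
}

while [ $# -gt 0 ]; do
  case "$1" in
    -b | --bits )
      [ $# -ge 2 ] || need_arg "$1"
      bits="$2"; shift 2 ;;
    -E | --ecc ) key="ecc"; shift ;;
    -f | --force ) force=1; shift ;;
    -d | --destination )
      [ $# -ge 2 ] || need_arg "$1"
      destdir="$2"; shift 2 ;;
    -* ) echo "Unknown option $1, exiting" >&2 ; exit 1 ;;
    * ) break ;;
  esac
done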
60    
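# at least one hostname is required; show the help and fail otherwise
# (this used to be a case statement whose default arm ended in "break",
# which is meaningless outside a loop and, on some shells, prints a
# diagnostic)
if [ $# -eq 0 ]; then
  help
  exit 1
fi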
67    
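# ############################################################################
# hostname handling
#
# Every remaining argument is one hostname. Separators (commas, spaces),
# a "DNS:" prefix and semicolons are stripped from each, so an unquoted
# "host1, host2" on the command line yields clean names. The first name
# becomes the CN and the default destination directory; all names end up
# in the openssl request config as subjectAltName entries. Each name is
# therefore checked against a hostname alphabet before use, so that no
# path separators, newlines or config syntax can reach those places.
#

# clean_hostname NAME - print NAME with separators, "DNS:" and ";" removed
# (printf instead of an unquoted echo: a "*" in the argument must stay
# literal rather than be expanded against the current directory)
clean_hostname() {
  printf '%s\n' "$1" | sed -e 's/[,\ ]//g;s/DNS://;s/;//g'
}

# valid_hostname NAME - return 0 when NAME looks like a hostname: at least
# two characters, starting with a letter, only [-a-zA-Z0-9.] after that.
# The literal "WILDCARD" passes; a bare "*" does not, as intended.
valid_hostname() {
  case "$1" in
    "" | ? | [!a-zA-Z]* | *[!-a-zA-Z0-9.]* ) return 1 ;;
    * ) return 0 ;;
  esac
}

hn=`clean_hostname "$1"`
domain=$hn

if ! valid_hostname "$domain"; then
  echo "Invalid domain name '$domain', exiting." >&2
  exit 1
fi

destdir="${destdir:-tcs-$domain}"

echo "Creating request for $domain in $destdir"

if [ -d "$destdir" ] && [ "$force" -eq 0 ]; then
  echo "Directory $destdir for $domain already exists, exiting." >&2
  echo "use --force to override" >&2
  exit 1
fi

# collect every hostname (the first one included) as a comma separated
# list of SAN dNSNames; the loop stops at the first empty argument
alt=""
while [ x"$1" != x"" ] ; do
  hn=`clean_hostname "$1"`
  if ! valid_hostname "$hn"; then
    echo "Invalid hostname '$hn' in SAN list, exiting." >&2
    exit 1
  fi
  if [ x"$alt" != x"" ]; then
    alt="$alt,"
  fi
  alt="${alt}DNS:$hn"
  shift
done

# file names keep the literal WILDCARD; only the CN and the SAN list get
# the "*", and only now, after validation
filebase="$domain"

domain=`printf '%s\n' "$domain" | sed -e 's/WILDCARD/\*/g'`
alt=`printf '%s\n' "$alt" | sed -e 's/WILDCARD/\*/g'`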
104 davidg 3289
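# ############################################################################
# openssl request configuration
#
# The config is written to a private temp file (mktemp, no predictable
# name) and moved into the destination directory once the request has been
# generated; the EXIT trap removes it if the script stops before that.
# A failing mktemp is fatal: with an empty name the redirection below
# would fail in a far less obvious way.
#
fn=`mktemp "${TMPDIR:-/tmp}/request.cnf.XXXXXX"` || fn=""
if [ -z "$fn" ]; then
  echo "Cannot create temporary config file, exiting." >&2
  exit 1
fi
trap 'rm -f -- "$fn"' EXIT

cat <<EOF > "$fn"
[ req ]
default_bits = 0
default_keyfile = $destdir/key-$filebase.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
req_extensions = v3_req
default_md = sha256

[ req_distinguished_name ]
CN = $domain

[ v3_req ]
subjectAltName = $alt

[ req_attributes ]
EOF

echo "Written cnf file to $fn"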
127    
# create the destination directory on demand; not being able to (or an
# existing non-directory of that name) is fatal
mkdir -p "$destdir" 2>/dev/null
[ -d "$destdir" ] || {
  echo "Directory $destdir cannot be found or created, exiting." >&2
  exit 1
}
133    
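# ############################################################################
# generate the keyfile first
#
# The private key is written inside a subshell with umask 077, so it is
# never readable by others, not even briefly: the chmod applied after the
# request is generated would otherwise leave a window in which the key has
# the umask default permissions. A failed key generation is fatal; going on
# would only produce a less informative "openssl req" error about the
# missing key file.
#
keyfile="$destdir/key-$filebase.pem"
case "$key" in
  rsa )
    ( umask 077
      openssl genpkey -out "$keyfile" -outform pem \
        -algorithm rsa -pkeyopt "rsa_keygen_bits:$bits" )
    ;;
  ecc )
    # for ECC, bits must name a curve: a plain number means -b was left at
    # the RSA default, so revert to the default curve
    if [ "$bits" -gt 0 ] 2>/dev/null; then
      echo "!!! value of bits invalid for ECC, set to default prime256v1" >&2
      bits="prime256v1"
    fi
    ( umask 077
      openssl genpkey -out "$keyfile" -outform pem \
        -algorithm ec -pkeyopt "ec_paramgen_curve:$bits" )
    ;;
  * )
    echo "Unknown key type (internal error): $key" >&2
    exit 1
    ;;
esac
if [ $? -ne 0 ] || [ ! -s "$keyfile" ]; then
  echo "Key generation failed for $keyfile, exiting." >&2
  exit 1
fi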
153    
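# ############################################################################
# create the request, keep a readable dump of it, and move the config file
# alongside the result files
#
# A failed "openssl req" is fatal; the original script carried on and
# printed an empty request.
#
openssl req \
  -nodes \
  -config "$fn" \
  -new -key "$destdir/key-$filebase.pem" \
  -out "$destdir/request-$filebase.pem" || {
  echo "Request generation failed for $domain, exiting." >&2
  exit 1
}

openssl req -in "$destdir/request-$filebase.pem" -text -out "$destdir/request-$filebase.txt"

# belt and braces: the key file must be private whatever the umask was
chmod 0600 "$destdir/key-$filebase.pem"
mv "$fn" "$destdir/config-$filebase.cnf"

echo "----------------------------------------------------------------------"
echo "Domain name CN = $domain"
echo "SubjectAltNames = $alt"
echo "Key length $key = $bits"

cat "$destdir/request-$filebase.pem"

echo "----------------------------------------------------------------------"
echo "left request in $destdir/request-$filebase.pem"
echo "go there by cd $destdir"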
