forked from redredgroovy/easy-ca
-
Notifications
You must be signed in to change notification settings - Fork 1
/
create-client
executable file
·127 lines (96 loc) · 3.4 KB
/
create-client
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#!/bin/bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Derek Moore <[email protected]>
# Christian Göttsche <[email protected]>
set -eu
set -o pipefail
umask 0077
BIN_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# shellcheck disable=SC1090
source "${BIN_DIR}/functions"
# shellcheck disable=SC1090
source "${BIN_DIR}/defaults.conf"
usage() {
echo "Usage: $0 -c CLIENT_NAME"
echo "Issues a client certificate for CLIENT_NAME"
echo
echo "Options:"
echo " -c CLIENT_NAME Client name (commonName) for the new cert"
echo
}
if [ ! -f ca/ca.crt ]; then
echo -e "$ERR Must be run inside a CA directory!"
exit 2
fi
CLIENT_NAME=
while getopts c:h FLAG; do
case $FLAG in
c) CLIENT_NAME=${OPTARG} ;;
h) echo -e -n "$SUCC " && usage && exit 0 ;;
*) echo -e -n "$ERR " && usage && exit 2 ;;
esac
done
if [ $OPTIND -le $# ]; then
echo -e -n "$ERR " && usage && exit 2
elif [ "${CLIENT_NAME}" = "" ]; then
echo -e -n "$ERR " && usage && exit 1
fi
SAFE_NAME=$(echo "${CLIENT_NAME}" | sed 's/\*/star/g' | sed 's/[^A-Za-z0-9-]/-/g')
echo -e "$NOTE Creating new client certificate for '$CLIENT_NAME'"
pushd "${BIN_DIR}/.." > /dev/null
if [ -d "certs/clients/$SAFE_NAME" ]; then
echo -e "$ERR Configuration already exists for '$CLIENT_NAME' ($SAFE_NAME), exiting."
exit 1
fi
echo
echo -e -n "$INPUT Enter passphase for signing CA key: "
read -r -s PASS
echo
export CA_PASS="${PASS}"
openssl rsa -check \
-in ca/private/ca.key \
-passin env:CA_PASS \
-noout
trap 'rm -Rf "certs/clients/$SAFE_NAME"' 0 2
mkdir "certs/clients/$SAFE_NAME"
# Generate the client cert openssl config
export CA_USERNAME="${CLIENT_NAME}"
export CA_CERT_MAIL=""
ask_client_cert_questions
export SAN="email:$CA_CERT_MAIL"
template "${BIN_DIR}/templates/client.tpl" "certs/clients/$SAFE_NAME/$SAFE_NAME.conf"
echo -e "$NOTE Creating the client key and csr"
# Create the client key and csr
openssl req -new -nodes \
-batch \
-config "certs/clients/$SAFE_NAME/$SAFE_NAME.conf" \
-keyout "certs/clients/$SAFE_NAME/$SAFE_NAME.key" \
-out "certs/clients/$SAFE_NAME/$SAFE_NAME.csr"
openssl rsa -noout -check -in "certs/clients/$SAFE_NAME/$SAFE_NAME.key"
chmod 0400 "certs/clients/$SAFE_NAME/$SAFE_NAME.key"
echo -e "$NOTE Creating the client certificate"
# Create the client certificate
openssl ca -batch -notext \
-config ca/ca.conf \
-in "certs/clients/$SAFE_NAME/$SAFE_NAME.csr" \
-out "certs/clients/$SAFE_NAME/$SAFE_NAME.crt" \
-extensions client_ext \
-passin env:CA_PASS
echo -e "$NOTE Verifying certificate/key pair"
key_mod=$(openssl rsa -noout -modulus -in "certs/clients/$SAFE_NAME/$SAFE_NAME.key")
cert_mod=$(openssl x509 -noout -modulus -in "certs/clients/$SAFE_NAME/$SAFE_NAME.crt")
if [ ! "$key_mod" = "$cert_mod" ];then
echo -e "$ERR Certificate/Key pair invalid:"
echo -e "$ERR <>$cert_mod<>"
echo -e "$ERR <>$key_mod<>"
echo
exit 2
fi
echo -e "$NOTE Verifying trusted chain"
openssl verify -CAfile ca/chain.pem "certs/clients/$SAFE_NAME/$SAFE_NAME.crt"
popd > /dev/null
unset CA_PASS
trap - 0 2
echo -e "$SUCC Client certificate for '${CLIENT_NAME}' created."