#!/bin/sh
# Generate SSL certificate
# Note: daemons using certificate need to be restarted for changes to take effect
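#######################################
# Print an error message to stderr and abort the script.
# Arguments: $* - message text (joined with single spaces)
# Outputs:   "fatal: <message>" on stderr
# Returns:   never; exits the shell with status 1
#######################################
fatal() {
    # printf with a fixed format: unlike echo, it never interprets the
    # message as options (-n/-e) or backslash escapes in some /bin/sh
    printf 'fatal: %s\n' "$*" >&2
    exit 1
}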
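# All configuration comes from environment variables (see the help text);
# any command line argument prints that help and exits.

# Exit if openssl is not available (command -v is POSIX; `which` is not)
command -v openssl >/dev/null 2>&1 || fatal "openssl is not installed"

if [ $# -ne 0 ]; then
    HELP=y
fi

# Defaults for unset or empty variables. `:` discards the expansion's value
# and, unlike the previous `set ${VAR:=...}` idiom, does not word-split the
# default or clobber the positional parameters as a side effect.
: "${O:=TurnKey Linux}"
: "${OU:=Software appliances}"
: "${DAYS:=3650}"
: "${BITS:=2048}"
: "${KEYPASS:=<blank>}" # workaround: no way of passing a blank pass
: "${CERTFILE:=/etc/ssl/certs/mineos.pem}"
: "${CRTFILE:=/etc/ssl/certs/mineos.crt}"
: "${KEYFILE:=/etc/ssl/certs/mineos.key}"

if [ -n "${HELP:-}" ]; then
    echo "Generate SSL certificate"
    echo
    echo "# VARIABLE EXPLANATION [VALUE]"
    echo " C Country Code $C"
    echo " ST State or province $ST"
    echo " L Locality (city) $L"
    echo " O Organization name $O"
    echo " OU Organizational unit $OU"
    echo " CN Common name $CN"
    echo " emailAddress Email address $emailAddress"
    echo
    echo " DAYS Duration in days $DAYS"
    echo " BITS RSA bits to use $BITS"
    echo " KEYPASS Key password $KEYPASS"
    echo
    echo " KEYFILE Output file $KEYFILE"
    echo " CRTFILE Output file $CRTFILE"
    echo " CERTFILE Output file: KEY+CRT $CERTFILE"
    echo
    echo "# NOTES"
    echo " Warning: only set password if you know what your doing"
    echo " Display certificate: openssl x509 -text < $CERTFILE"
    exit 1
fi

# Private key material must not be readable by others, not even for the
# moment between creation and the chmod below: restrict the umask first so
# every file written from here on (temp files included) starts out 0600.
umask 077

# Temporary files get unpredictable names from mktemp instead of fixed names
# in the current directory (which another local user could pre-create or
# symlink), and are removed on every exit path, including a fatal().
WORKDIR=$(mktemp -d) || fatal "could not create temporary directory"
trap 'rm -rf -- "$WORKDIR"' EXIT
TMPCRT="$WORKDIR/crt.pem"
TMPKEY="$WORKDIR/key.pem"

# Build the subject DN from whichever components are set.
# NOTE(review): a component containing '/' is not escaped and would be read
# by openssl as a separator — unchanged from the original behaviour.
RDN="/"
[ -n "$C" ] && RDN="${RDN}C=${C}/"
[ -n "$ST" ] && RDN="${RDN}ST=${ST}/"
[ -n "$L" ] && RDN="${RDN}L=${L}/"
[ -n "$O" ] && RDN="${RDN}O=${O}/"
[ -n "$OU" ] && RDN="${RDN}OU=${OU}/"
[ -n "$CN" ] && RDN="${RDN}CN=${CN}/"
[ -n "$emailAddress" ] && RDN="${RDN}emailAddress=${emailAddress}/"

# Create key and password protected cert. The pass phrase is handed to
# openssl through the environment (env:VAR) rather than on the command line,
# so it is not exposed to every local user via `ps`.
export KEYPASS
openssl req -x509 \
    -newkey "rsa:$BITS" \
    -keyout "$TMPKEY" -out "$TMPCRT" \
    -passout env:KEYPASS \
    -days "$DAYS" \
    -multivalue-rdn -subj "$RDN" \
    || fatal "certificate generation failed"

# Create needed directories (dirname handles a bare file name correctly,
# whereas ${VAR%/*} would turn it into a directory name)
mkdir -p -- "$(dirname -- "$CERTFILE")" "$(dirname -- "$CRTFILE")" \
    "$(dirname -- "$KEYFILE")" || fatal "could not create output directories"

# Remove password protection from key if not set by user
if [ "$KEYPASS" = "<blank>" ]; then
    openssl rsa -passin env:KEYPASS < "$TMPKEY" > "$KEYFILE" \
        || fatal "could not remove pass phrase from key"
else
    cat -- "$TMPKEY" > "$KEYFILE" || fatal "could not write $KEYFILE"
fi

# CERTFILE holds key + crt; start it from the key in both cases
cp -- "$KEYFILE" "$CERTFILE" || fatal "could not write $CERTFILE"

# Create crt and add it to certfile (key + crt)
cp -- "$TMPCRT" "$CRTFILE" || fatal "could not write $CRTFILE"
cat -- "$TMPCRT" >> "$CERTFILE" || fatal "could not append crt to $CERTFILE"

# Set permissions: group-readable only when a dedicated certssl group exists
# (chgrp before chmod so the group bits never apply to the wrong group)
if grep -q '^certssl:' /etc/group; then
    chgrp certssl -- "$CRTFILE" "$KEYFILE" "$CERTFILE"
    chmod 640 -- "$KEYFILE" "$CRTFILE" "$CERTFILE"
else
    chmod 600 -- "$KEYFILE" "$CRTFILE" "$CERTFILE"
fi

# Temp files are removed by the EXIT trap above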