CA Certificate Issuing helper script
#!/bin/bash | |
#######################################
# Print the environment-variable contract of this script and exit.
# Globals:   $0 (program name, for the banner line)
# Arguments: none
# Outputs:   help text to stdout
# Returns:   does not return; exits with status 1
#######################################
show_help() {
  local prog=$0
  printf '%s - Generate x509 CA certificate/keys\n\n' "$prog"
  # One line per variable; the empty trailing argument yields the blank line
  # that ends the help block.
  printf '%s\n' \
    "Before start using this script, you should define the following environment variables:" \
    "CERT_C - Country Name (C): Use the two-letter code without punctuation for country" \
    "CERT_S - State or Province (S): Spell out the state completely; do not abbreviate the state or province name" \
    "CERT_L - Locality or City (L): The Locality field is the city or town name" \
    "CERT_O - Organization (O): Your company or department" \
    "CERT_OU - Organizational Unit (OU): This field is the name of the department or organization unit making the request." \
    'CERT_CN - Common Name (CN): The Common Name is the Host Name or Domain Name. Example "www.domain.com" or "domain.com".' \
    " In Kafka domain, commonly, this field is filled with Kafka username (to use with ACLs)." \
    "CERT_EMAIL - Email: Email address" \
    "CERT_SAN - (optional) Subject Alternative Name field" \
    "CERT_KEY_PASS - (optional) Certificate Private key secret (for encrypted private key)" \
    ""
  exit 1
}
#######################################
# Print the one-line usage string and exit.
# Globals:   $0 (program name)
# Arguments: none
# Outputs:   usage line to stdout
# Returns:   does not return; exits with status 1
#######################################
show_usage() {
  printf 'usage: %s <output prefix> | --help\n' "$0"
  exit 1
}
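#######################################
# Report an unset required environment variable, then show usage and exit.
# Arguments: $1 - name of the missing variable (e.g. CERT_C)
# Outputs:   error message to stderr (diagnostics are kept off stdout so a
#            caller capturing the script's output does not receive them),
#            followed by the usage line from show_usage
# Returns:   does not return; show_usage exits with status 1
#######################################
fail_missing() {
  local var_name=$1
  # The name is a printf argument, not part of the format string, so an
  # unexpected '%' in it cannot alter the message.
  printf '[ERROR] "%s" environment variable is not set. Exiting...\n\n' "$var_name" >&2
  show_usage
}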
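#######################################
# Abort via fail_missing when a required value is empty.
# Arguments: $1 - variable name, used only in the error message
#            $2 - the variable's value; empty or absent means "not set"
# Returns:   0 when the value is non-empty; otherwise does not return
#            (fail_missing exits)
#######################################
check_var() {
  local var_name=$1
  local var_value=${2-}
  if [ -z "$var_value" ]; then
    # Quoted so the name cannot be word-split or glob-expanded on its way
    # into fail_missing (the original passed it bare).
    fail_missing "$var_name"
  fi
}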
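# ---- main flow ---------------------------------------------------------------
# Usage: <script> <output prefix> | --help
# Produces <prefix>.key and <prefix>.pem: a self-signed CA certificate with a
# fresh RSA-2048 key, valid for cert_days days.

if [[ "${1-}" == "--help" || -z "${1-}" ]]; then
  show_help
fi

readonly out_prefix=$1
readonly cert_days=7300
# Base OpenSSL config that the SAN section is appended to. Fixed path as in the
# original; on systems where openssl.cnf lives elsewhere this must be adjusted.
readonly base_openssl_cnf=/etc/ssl/openssl.cnf

# Values are passed quoted so a field containing spaces (e.g. "New York")
# reaches check_var as one argument instead of being word-split and globbed.
check_var "CERT_C" "${CERT_C-}"
check_var "CERT_S" "${CERT_S-}"
check_var "CERT_L" "${CERT_L-}"
check_var "CERT_O" "${CERT_O-}"
check_var "CERT_OU" "${CERT_OU-}"
check_var "CERT_CN" "${CERT_CN-}"
# NOTE(review): CERT_EMAIL is required here but never used in the subject
# below (no emailAddress component) — confirm whether that is intended.
check_var "CERT_EMAIL" "${CERT_EMAIL-}"

# Subject DN in the form openssl's -subj expects. A literal '/' inside a field
# value would be read as a component separator; the script does not escape it.
subject="/C=$CERT_C/ST=$CERT_S/L=$CERT_L/O=$CERT_O/OU=$CERT_OU/CN=$CERT_CN"

# One invocation built up as an array, instead of four near-identical command
# lines that differ only in the SAN and passphrase options.
openssl_args=(req -new -x509 -newkey rsa:2048
  -keyout "$out_prefix.key" -out "$out_prefix.pem"
  -days "$cert_days" -subj "$subject")

san_cfg=
cleanup() {
  if [ -n "$san_cfg" ]; then
    rm -f -- "$san_cfg"
  fi
}
trap cleanup EXIT

if [ -n "${CERT_SAN-}" ]; then
  # The augmented config goes into a mktemp file (removed by the EXIT trap).
  # CERT_SAN is a printf *argument*, never part of the format string, so a '%'
  # in it cannot corrupt the generated config.
  san_cfg=$(mktemp) || { printf '[ERROR] mktemp failed\n' >&2; exit 1; }
  {
    cat -- "$base_openssl_cnf"
    printf '\n[SAN]\nsubjectAltName=%s\n' "$CERT_SAN"
  } > "$san_cfg"
  openssl_args+=(-extensions SAN -config "$san_cfg")
fi

if [ -z "${CERT_KEY_PASS-}" ]; then
  openssl_args+=(-nodes)
else
  # Hand the passphrase to openssl through the environment (env:VAR) rather
  # than as "pass:<secret>" on the command line, where it would be readable by
  # any local user via ps/proc. -passin is dropped: -newkey generates the key,
  # there is no existing key to decrypt.
  export CERT_KEY_PASS
  openssl_args+=(-passout env:CERT_KEY_PASS)
fi

# Do not report success unless openssl actually produced the files.
if ! openssl "${openssl_args[@]}"; then
  printf '[ERROR] openssl failed; no certificate was produced\n' >&2
  exit 1
fi

printf 'Done!\n\n'
printf "CA Certificate: '%s'\n" "$(realpath "$out_prefix.pem")"
printf "CA Cert. Private Key: '%s'\n" "$(realpath "$out_prefix.key")"
if [ -n "${CERT_KEY_PASS-}" ]; then
  # The passphrase itself is deliberately not echoed: it would otherwise end
  # up in terminal scrollback, CI logs and session transcripts.
  printf 'CA Cert. Private Key Password: set from CERT_KEY_PASS (not printed)\n'
fi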