#!/bin/bash # ./gensignedcert.sh [name] (configfile) # This is only suggested if you have a secured path to deliver this new key through. # requires bash 3.0 regexes set -e SUPPLEMENTARY_CONFIG="$2" . ./configure.sh if ! [ $1 ]; then echo "Please provide a one-word certificate name as an argument.\n" echo "$0 [name] (configfile)\n" exit 2 fi if [ -e "$CA"/signed/"$1".key ]; then echo "$CA/signed/$1.key already exists!" exit 3 fi # Gen signed key mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs openssl req -config "$OPENSSL_CONFIG" -new -nodes -out "$CA"/temp/"$1".csr -keyout "$CA"/temp/"$1".key chmod 600 "$CA"/temp/"$1".key SERIAL=$(cat "$CA"/ca/"$CA".serial) EKU="serverAuth" openssl ca -config "$OPENSSL_CONFIG" -in "$CA"/temp/"$1".csr if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead. mv -i "$CA"/temp/"$1".csr "$CA"/temp/"$1".key "$CA"/signed/ ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$1".crt # so we can find the certificate by name as well as by serial echo To create an encrypted key/certificate, run the following: echo openssl rsa -in "$CA"/signed/"$1".key -des3 -out "$CA"/signed/"$1"-password.key echo cat "$CA"/signed/"$1"-password.key "$CA"/signed/"$1".crt '>' "$CA"/signed/"$1"-password.pem fi