path: root/gensignedcert.sh
blob: b51f69b286edfffba1d91169d897d14151dff4a0 (plain)
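#!/bin/bash
# ./gensignedcert.sh [name] (configfile)
#
# Generates a fresh private key and CSR for <name>, has the local CA sign
# it (with the serverAuth EKU spliced into the openssl config by
# ./ekusub.sh) and files the results as "$CA"/signed/<name>.{key,csr,crt}.
#
# This is only suggested if you have a secured path to deliver this new key through.
# requires bash 3.0 regexes
#
# Reads from ./configure.sh (sourced relative to the current directory,
# so run this from the CA working directory):
#   CA              - CA directory name; also used as the basename of
#                     ca/<CA>.serial, so presumably a bare name, not a path
#   OPENSSL_CONFIG  - openssl config passed to `openssl req` and `openssl ca`
# Exit status: 2 when the name is missing or not a single word, 3 when the
#   key already exists, otherwise that of the first failing command (set -e).

set -e

# Optional second argument: an extra config file picked up by configure.sh.
SUPPLEMENTARY_CONFIG="$2"

. ./configure.sh

# configure.sh must have provided these; an empty CA would turn every path
# below into an absolute path directly under /.
: "${CA:?CA is not set (expected from ./configure.sh)}"
: "${OPENSSL_CONFIG:?OPENSSL_CONFIG is not set (expected from ./configure.sh)}"

# Print usage and exit 2. printf is used because bash's echo does not
# interpret "\n" inside a double-quoted string.
usage() {
  printf '%s\n\n' "Please provide a one-word certificate name as an argument." >&2
  printf '%s [name] (configfile)\n\n' "$0" >&2
  exit 2
}

name="${1:-}"
# The name becomes a path component under "$CA"; restrict it to a single
# word so it cannot carry '/', whitespace or a leading '-' into the file
# operations below.
if [[ -z "$name" ]] || ! [[ "$name" =~ ^[A-Za-z0-9_.-]+$ ]]; then
  usage
fi

if [ -e "$CA"/signed/"$name".key ]; then
  echo "$CA/signed/$name.key already exists!"
  exit 3
fi

# Gen signed key
mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
# Create the key under an owner-only umask so it is never group/world
# readable, not even between creation and the chmod below. The subshell
# keeps the umask change local; the CSR ends up 0600 as well, which is harmless.
( umask 077 && openssl req -config "$OPENSSL_CONFIG" -new -nodes \
    -out "$CA"/temp/"$name".csr -keyout "$CA"/temp/"$name".key )
chmod 600 "$CA"/temp/"$name".key
# The serial file holds the number the CA will assign to the *next*
# certificate, so it is read before signing to learn where the cert will land.
SERIAL=$(cat "$CA"/ca/"$CA".serial)
openssl ca -config <( ./ekusub.sh "serverAuth" < "$OPENSSL_CONFIG" ) -in "$CA"/temp/"$name".csr
if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
  mv -i "$CA"/temp/"$name".csr "$CA"/temp/"$name".key "$CA"/signed/
  ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$name".crt # so we can find the certificate by name as well as by serial
  echo "To create an encrypted key/certificate, run the following:"
  echo "openssl rsa -in $CA/signed/$name.key -des3 -out $CA/signed/$name-password.key"
  echo "cat $CA/signed/$name-password.key $CA/signed/$name.crt > $CA/signed/$name-password.pem"
fi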