From 1d7b429f783947d32b136b80eaf01849a44e725f Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 7 Nov 2015 07:56:55 +0200
Subject: [PATCH] - init works, gen works but doesn't set the correct CN yet.
---
 .gitignore | 2 +-
 README.rst | 8 +++++++-
 ssl-ca | 59 ++++++++++++++++++++++++++++++++++++------------------
 3 files changed, 48 insertions(+), 21 deletions(-)
diff --git a/.gitignore b/.gitignore
index 9c81e92..c2dde0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,5 +4,5 @@
 *.swo
 certs/*
 keys/*
-openssl.cnf
+openssl.cnf*
 CA.*
diff --git a/README.rst b/README.rst
index 7d63b9c..6b4cd0c 100644
--- a/README.rst
+++ b/README.rst
@@ -21,6 +21,10 @@ configuration for starting work and a new CA key and certificate. ::
 $ mkdir domain.tld
 $ cd domain.tld
 $ ssl-ca init
+ Generating RSA private key, 512 bit long modulus
+ .++++++++++++
+ ......++++++++++++
+ e is 65537 (0x10001)
 To generate a new key and certificate for the www host, the key will at ``keys/www`` and the certificate at ``certs/www`` ::
@@ -49,6 +53,8 @@ Nimrod Adar.
 TODO
 ----
+- Verify that the fqdn is correct.
 - Fill out example output in the usage section.
 - Add checks and failure messages to each action.
-- Finish openssl configuration.
+- Delete serial file.
+- Testing (creating a ca, creating a key and cert and verifying).
diff --git a/ssl-ca b/ssl-ca
index 6b507c5..4389d82 100755
--- a/ssl-ca
+++ b/ssl-ca
@@ -1,5 +1,6 @@
 #!/bin/sh -e
+domain="$(basename $(pwd))"
 default_config=\
 "[ ca ]
 default_ca = CA_default
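Review bot: `domain="$(basename $(pwd))"` leaves the inner `$(pwd)` unquoted, so a working-directory path containing a space or glob character is word-split before `basename` sees it; `domain=$(basename "$(pwd)")` or the pure-shell `domain=${PWD##*/}` avoids the problem. Because `$domain` is later placed into certificate subjects, the directory name is effectively trusted to be a DNS name, which deserves a one-line comment such as `# CA domain is taken from the current directory name, e.g. domain.tld`. Note also that the `-e` in `#!/bin/sh -e` is dropped when the script is run as `sh ssl-ca`; an explicit `set -e` on the line after the shebang keeps the fail-fast behaviour in both cases.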
@@ -12,45 +13,65 @@ private_key = CA.key
 default_md = sha256
 default_days = 365
 email_in_dn = no
-policy = policy_any
-[ policy_any ]
-countryName = US
-stateOrProvinceName =
+[ req_distinguished_name]
+#C = 2 letter country code
+#ST = State
+#L = Locality
+#O = Organization name
+#OU = Organizational unit
+#emailAddress = email address
+#CN = *.*.$domain
 [ req ]
+distinguished_name = req_distinguished_name
 prompt = no
-encrypt_key =
+encrypt_key = no
 default_md = sha256
 default_bits = 2048"
-#keytype=\"$keytype\"
-#cipher=\"$cipher\"
-#state='Somewhere'
-#locality='Some other place.'
-#orgname='Acme'
-#orgunit='Widgets'
-
 usage () {
 echo "Usage: $0 init|gen|sign|resign"
 }
 init () {
-mkdir "certs"
-mkdir "keys"
-openssl genra -out CA.key
-openssl req -x509 -new -config openssl.cnf -key CA.key -out CA.crt
+mkdir -p "certs"
+mkdir -p "keys"
 echo "$default_config" > "openssl.cnf"
+openssl genrsa \
+-out CA.key
+openssl req \
+-x509 \
+-config openssl.cnf \
+-new \
+-subj "CN=*.*.$domain" \
+-key CA.key \
+-out CA.crt
 }
 sign_key () {
-csr="$(mktemp)"
-openssl req -new -config openssl.cnf -out "$csr"
-openssl x509 -req -in "$csr" -out "certs/$1.crt"
+echo "Generating CSR for $1.$domain."
+csr="$(mktemp -t ssl-ca)"
+openssl req \
+-key keys/$1 \
+-new \
+-config openssl.cnf \
+-subj "/CN=*.*.$1.$domain" \
+-out "$csr"
+echo "Generating cert for $1.$domain."
+openssl x509 \
+-req \
+-in "$csr" \
+-out "certs/$1" \
+-CA CA.crt \
+-CAcreateserial \
+-extensions v3_ca \
+-CAkey CA.key
 rm "$csr"
 }
 gen_key () {
+echo "Generating key for $1.$domain."
 openssl genrsa -out "keys/$1"
 }
--
GitLab
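Review bot: The CA key created in `init` is generated without a modulus size, so `openssl genrsa \ -out CA.key` falls back to the library default — the README hunk in this same patch records the result as `Generating RSA private key, 512 bit long modulus`, which is far too weak for a CA key, and `default_bits = 2048` in the `[ req ]` section does not help because it only applies to `openssl req -newkey`; `gen_key` has the same gap. Pass the size explicitly, e.g. `openssl genrsa -out CA.key 4096` and `openssl genrsa -out "keys/$1" 2048`, and since `encrypt_key = no` leaves CA.key in cleartext, set `umask 077` in `init` before generating it so the file is not created readable to other users under the usual default umask. Separately, `init` passes `-subj "CN=*.*.$domain"` without the leading `/` that `sign_key` uses in `/CN=...`, which OpenSSL rejects as a malformed subject. `sign_key` also passes `-extensions v3_ca` without `-extfile`, so `openssl x509 -req` adds no extensions at all; when an extfile is added, a host certificate should get a section with `basicConstraints = CA:FALSE`, never a CA section such as `v3_ca`. `-key keys/$1` is the one unquoted use of `$1` in the hunk; quote it like the neighbouring `"certs/$1"`.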