forked from redredgroovy/easy-ca
-
Notifications
You must be signed in to change notification settings - Fork 1
/
sign-csr
executable file
·132 lines (104 loc) · 3.92 KB
/
sign-csr
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
#!/bin/bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Derek Moore <[email protected]>
# Christian Göttsche <[email protected]>
# tomberek
set -eu
set -o pipefail
umask 0077
BIN_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# shellcheck disable=SC1090
source "${BIN_DIR}/functions"
# shellcheck disable=SC1090
source "${BIN_DIR}/defaults.conf"
usage() {
echo "Usage: $0 -c CSR_PATH [-F NAME]"
echo "Signs a client certificate located at CSR_PATH"
echo
echo "Options:"
echo " -c CSR_PATH Path to client certificate request"
echo
echo " -F NAME force to use custom SAFE_NAME"
echo " useful for name clahses, use with caution"
echo
}
if [ ! -f ca/ca.crt ]; then
echo -e "$ERR Must be run inside a CA directory!"
exit 2
fi
CSR_PATH=
CSR_NAME=
while getopts c:F:h FLAG; do
case $FLAG in
c) CSR_PATH=${OPTARG} ;;
F) CSR_NAME=${OPTARG} ;;
h) echo -e -n "$SUCC " && usage && exit 0 ;;
*) echo -e -n "$ERR " && usage && exit 2 ;;
esac
done
if [ $OPTIND -le $# ]; then
echo -e -n "$ERR " && usage && exit 2
elif [ "$CSR_PATH" = "" ]; then
echo -e -n "$ERR " && usage && exit 1
fi
if [ ! -f "$CSR_PATH" ]; then
echo -e "$ERR No csr found at '$CSR_PATH'!"
exit 2
fi
echo -e "$NOTE Verifying certificate request ..."
openssl req -text -noout -verify -in "$CSR_PATH"
CSR_SUBJ=$(openssl req -utf8 -in "$CSR_PATH" -noout -subject -nameopt multiline)
CSR_CERT_CN=$(echo "$CSR_SUBJ" | grep -E '^\s+commonName' | cut -d '=' -f 2- | sed -e 's/^[[:space:]]*//') || true
CSR_CERT_MAIL=$(echo "$CSR_SUBJ" | grep -E '^\s+emailAddress' | cut -d '=' -f 2- | sed -e 's/^[[:space:]]*//') || true
if [ -z "$CSR_CERT_CN" ]; then
echo -e "$ERR No name supplied in request, exiting."
exit 1
fi
if [ -z "$CSR_CERT_MAIL" ]; then
echo -e "$ERR No email address supplied in request, exiting."
exit 1
fi
if [ -n "$CSR_NAME" ]; then
SAFE_NAME=$(echo "$CSR_NAME" | sed 's/\*/star/g' | sed 's/[^A-Za-z0-9-]/-/g')
else
SAFE_NAME=$(echo "$CSR_CERT_CN" | sed 's/\*/star/g' | sed 's/[^A-Za-z0-9-]/-/g')
fi
if [ -f "certs/clients/$SAFE_NAME/$SAFE_NAME.crt" ]; then
echo -e "$ERR Certificate already exist for '$CSR_CERT_CN' ($SAFE_NAME), exiting."
exit 1
fi
echo -e "$NOTE Signing CSR for '$CSR_CERT_CN' with email address '$CSR_CERT_MAIL'"
pushd "${BIN_DIR}/.." > /dev/null
echo
echo -e -n "$INPUT Enter passphase for signing CA key (Verify the above information!!):"
read -r -s PASS
echo
export CA_PASS="$PASS"
openssl rsa -check \
-in ca/private/ca.key \
-passin env:CA_PASS \
-noout
echo -e "$NOTE Creating client directory certs/clients/$SAFE_NAME"
mkdir -p "certs/clients/$SAFE_NAME"
# Generate the client cert openssl config
export SAN="email:$CSR_CERT_MAIL"
export CA_USERNAME="$CSR_CERT_CN"
export CA_CERT_MAIL="$CSR_CERT_MAIL"
cp --suffix ".old" -b -f -u "$CSR_PATH" "certs/clients/$SAFE_NAME/$SAFE_NAME.csr"
template "$BIN_DIR/templates/client.tpl" "certs/clients/$SAFE_NAME/$SAFE_NAME.conf"
echo -e "$NOTE Creating the client certificate (overwriting C,ST,L,O,OU DN fields)."
# Create the client certificate overwriting CSR values
openssl ca -batch -notext \
-config ca/ca.conf \
-in "certs/clients/$SAFE_NAME/$SAFE_NAME.csr" \
-out "certs/clients/$SAFE_NAME/$SAFE_NAME.crt" \
-extensions client_ext \
-subj "/C=${CA_CERT_C}/ST=${CA_CERT_ST}/L=${CA_CERT_L}/O=${CA_CERT_O}/OU=${CA_CERT_OU}/CN=${CA_USERNAME}/emailAddress=${CSR_CERT_MAIL}" \
-passin env:CA_PASS
echo -e "$NOTE Verifying trusted chain"
openssl verify -CAfile ca/chain.pem "certs/clients/$SAFE_NAME/$SAFE_NAME.crt"
popd > /dev/null
unset CA_PASS
echo -e "$SUCC Client certificate for '$CSR_CERT_CN' created."