2019-09-14 10:21:41 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
2022-03-28 00:36:25 +02:00
|
|
|
|
|
|
|
|
KANI_TMP=/tmp/kanidm/
|
|
|
|
|
|
|
|
|
|
ALTNAME_FILE="${KANI_TMP}altnames.cnf"
|
|
|
|
|
CACERT="${KANI_TMP}ca.pem"
|
|
|
|
|
CAKEY="${KANI_TMP}cakey.pem"
|
|
|
|
|
|
|
|
|
|
KEYFILE="${KANI_TMP}key.pem"
|
|
|
|
|
CERTFILE="${KANI_TMP}cert.pem"
|
|
|
|
|
CSRFILE="${KANI_TMP}cert.csr"
|
|
|
|
|
CHAINFILE="${KANI_TMP}chain.pem"
|
|
|
|
|
|
|
|
|
|
if [ ! -d "${KANI_TMP}" ]; then
|
|
|
|
|
echo "Creating temp kanidm dir: ${KANI_TMP}"
|
|
|
|
|
mkdir -p "${KANI_TMP}"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
cat > "${ALTNAME_FILE}" << DEVEOF
|
2019-09-14 10:21:41 +02:00
|
|
|
[req]
|
|
|
|
|
nsComment = "Certificate"
|
|
|
|
|
distinguished_name = req_distinguished_name
|
2019-11-16 05:40:45 +01:00
|
|
|
req_extensions = v3_req
|
2019-09-14 10:21:41 +02:00
|
|
|
|
|
|
|
|
[ req_distinguished_name ]
|
|
|
|
|
|
|
|
|
|
countryName = Country Name (2 letter code)
|
|
|
|
|
countryName_default = AU
|
|
|
|
|
countryName_min = 2
|
|
|
|
|
countryName_max = 2
|
|
|
|
|
|
|
|
|
|
stateOrProvinceName = State or Province Name (full name)
|
|
|
|
|
stateOrProvinceName_default = Queensland
|
|
|
|
|
|
|
|
|
|
localityName = Locality Name (eg, city)
|
|
|
|
|
localityName_default = Brisbane
|
|
|
|
|
|
|
|
|
|
0.organizationName = Organization Name (eg, company)
|
|
|
|
|
0.organizationName_default = INSECURE EXAMPLE
|
|
|
|
|
|
|
|
|
|
organizationalUnitName = Organizational Unit Name (eg, section)
|
|
|
|
|
organizationalUnitName_default = KaniDM
|
|
|
|
|
|
|
|
|
|
commonName = Common Name (eg, your name or your server\'s hostname)
|
|
|
|
|
commonName_max = 64
|
|
|
|
|
commonName_default = localhost
|
|
|
|
|
|
|
|
|
|
[ v3_req ]
|
|
|
|
|
|
|
|
|
|
# Extensions to add to a certificate request
|
|
|
|
|
|
|
|
|
|
basicConstraints = CA:FALSE
|
|
|
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
|
|
|
subjectAltName = @alt_names
|
|
|
|
|
|
|
|
|
|
[alt_names]
|
2019-11-16 05:40:45 +01:00
|
|
|
DNS.1 = localhost
|
|
|
|
|
IP.1 = 127.0.0.1
|
2019-09-14 10:21:41 +02:00
|
|
|
|
|
|
|
|
DEVEOF
|
|
|
|
|
|
|
|
|
|
# Make the ca
|
2022-03-28 00:36:25 +02:00
|
|
|
openssl req -x509 -new -newkey rsa:4096 -sha256 \
|
|
|
|
|
-keyout "${CAKEY}" \
|
|
|
|
|
-out "${CACERT}" \
|
|
|
|
|
-days 31 \
|
|
|
|
|
-subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=insecure.ca.localhost" -nodes
|
|
|
|
|
|
|
|
|
|
# generate the private key
|
|
|
|
|
openssl genrsa -out "${KEYFILE}" 4096
|
|
|
|
|
|
|
|
|
|
# generate the certficate signing request
|
|
|
|
|
openssl req -sha256 \
|
|
|
|
|
-config "${ALTNAME_FILE}" \
|
|
|
|
|
-days 31 \
|
|
|
|
|
-new -extensions v3_req \
|
|
|
|
|
-key "${KEYFILE}"\
|
|
|
|
|
-out "${CSRFILE}"
|
|
|
|
|
# sign the cert
|
|
|
|
|
openssl x509 -req -days 31 \
|
|
|
|
|
-extfile "${ALTNAME_FILE}" \
|
|
|
|
|
-CA "${CACERT}" \
|
|
|
|
|
-CAkey "${CAKEY}" \
|
|
|
|
|
-CAcreateserial \
|
|
|
|
|
-in "${CSRFILE}" \
|
|
|
|
|
-out "${CERTFILE}" \
|
|
|
|
|
-extensions v3_req -sha256
|
2021-02-16 02:40:25 +01:00
|
|
|
# Create the chain
|
2022-03-28 00:36:25 +02:00
|
|
|
cat "${CERTFILE}" "${CACERT}" > "${CHAINFILE}"
|
2019-09-14 10:21:41 +02:00
|
|
|
|
2022-03-28 00:36:25 +02:00
|
|
|
echo "Certificate chain is at: ${CHAINFILE}"
|
|
|
|
|
echo "Private key is at: ${KEYFILE}"
|
2019-09-14 10:21:41 +02:00
|
|
|
|
