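#!/bin/sh
# Generate a throwaway TLS setup for kanidm development: a self-signed CA,
# a server key and certificate signed by that CA, the resulting chain and a
# DH parameter file (for RADIUS). Everything is labelled INSECURE and is
# written under KANI_TMP, which defaults to /tmp/kanidm/ and is therefore
# lost on reboot.
#
# Environment:
#   CERT_HOSTNAME - CN of the server certificate (also added to the SANs when
#                   it is not localhost); defaults to localhost
#   KANI_TMP      - output directory; defaults to /tmp/kanidm/
#
# Exits non-zero as soon as any openssl step fails.
set -eu

# you can set the hostname if you want, but it'll default to localhost
if [ -z "${CERT_HOSTNAME:-}" ]; then
  CERT_HOSTNAME="localhost"
fi

# also where the files are stored
if [ -z "${KANI_TMP:-}" ]; then
  KANI_TMP=/tmp/kanidm/
fi
# the file paths below are built by plain concatenation, so the directory
# must end in exactly one slash: KANI_TMP=/foo must not become /fooaltnames.cnf
KANI_TMP="${KANI_TMP%/}/"

ALTNAME_FILE="${KANI_TMP}altnames.cnf"
CACERT="${KANI_TMP}ca.pem"
CAKEY="${KANI_TMP}cakey.pem"
KEYFILE="${KANI_TMP}key.pem"
CERTFILE="${KANI_TMP}cert.pem"
CSRFILE="${KANI_TMP}cert.csr"
CHAINFILE="${KANI_TMP}chain.pem"
DHFILE="${KANI_TMP}dh.pem"

if [ ! -d "${KANI_TMP}" ]; then
  echo "Creating temp kanidm dir: ${KANI_TMP}"
  mkdir -p "${KANI_TMP}"
fi

# openssl config used both for the CSR (-config) and for copying the
# v3_req extensions onto the signed certificate (-extfile). The delimiter is
# quoted: nothing in here is meant to be expanded by the shell.
cat > "${ALTNAME_FILE}" <<'DEVEOF'
[req]
nsComment = "Certificate"
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland
localityName = Locality Name (eg, city)
localityName_default = Brisbane
0.organizationName = Organization Name (eg, company)
0.organizationName_default = INSECURE EXAMPLE
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = kanidm
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
commonName_default = localhost

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
DEVEOF

# TLS clients match the server name against the SAN list, not the CN, so a
# custom CERT_HOSTNAME has to appear in alt_names too (localhost is DNS.1).
if [ "${CERT_HOSTNAME}" != "localhost" ]; then
  printf 'DNS.2 = %s\n' "${CERT_HOSTNAME}" >> "${ALTNAME_FILE}"
fi

# Make the ca (key and self-signed cert in one step, unencrypted)
openssl req -x509 -new -newkey rsa:4096 -sha256 \
  -keyout "${CAKEY}" \
  -out "${CACERT}" \
  -days 31 \
  -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=insecure.ca.localhost" -nodes

# generate the server private key
openssl genrsa -out "${KEYFILE}" 4096

# generate the certificate signing request
openssl req -sha256 \
  -config "${ALTNAME_FILE}" \
  -new -extensions v3_req \
  -key "${KEYFILE}" \
  -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=${CERT_HOSTNAME}" \
  -nodes \
  -out "${CSRFILE}"

# sign the cert with the CA; -CAcreateserial writes a serial file next to CACERT
openssl x509 -req -days 31 \
  -extfile "${ALTNAME_FILE}" \
  -CA "${CACERT}" \
  -CAkey "${CAKEY}" \
  -CAcreateserial \
  -in "${CSRFILE}" \
  -out "${CERTFILE}" \
  -extensions v3_req -sha256

# Create the chain (leaf first, then the CA)
cat "${CERTFILE}" "${CACERT}" > "${CHAINFILE}"

# create the dh file for RADIUS. No -in here: the previous version pointed it
# at an undefined variable, and openssl ignores -in when a bit size is given.
openssl dhparam -out "${DHFILE}" 2048

echo "Certificate chain is at: ${CHAINFILE}"
echo "Private key is at: ${KEYFILE}"
echo ""
echo "**Remember** the default action is to store the files in /tmp/ so they'll be deleted on reboot! Set the KANI_TMP environment variable before running this script if you want to change that. You'll need to update server config elsewhere if you do, however."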