56 lines
2.4 KiB
Bash
Executable file
56 lines
2.4 KiB
Bash
Executable file
#!/bin/bash -e
|
|
|
|
# Script tested only on Fedora, CentOS or RHEL
|
|
|
|
# server certificate common name (hostname)
|
|
SERVER_CN=${1:-server.example.com}
|
|
|
|
# client certificate common name (hostname, uuid)
|
|
CLIENT_CN=${2:-client.example.com}
|
|
|
|
SUBJECT="/C=US/ST=CA/O=Example.com"
|
|
CA_CN="Example CA"
|
|
DAYS=9999
|
|
PASSCA=pass:temporary_password
|
|
PASSSV=pass:temporary_password
|
|
PASSCT=pass:temporary_password
|
|
|
|
# test-ca.crt
|
|
openssl genrsa -passout $PASSCA -des3 -out test-ca.key 4096
|
|
openssl req -passin $PASSCA -new -x509 -days $DAYS \
|
|
-key test-ca.key -out test-ca.crt -subj "$SUBJECT/CN=${CA_CN}"
|
|
openssl x509 -purpose -in test-ca.crt
|
|
openssl x509 -in test-ca.crt -out test-ca.pem -outform PEM
|
|
|
|
# server.crt
|
|
openssl genrsa -passout $PASSSV -des3 -out $SERVER_CN-server.key 4096
|
|
openssl req -passin $PASSSV -new -key $SERVER_CN-server.key -out server.csr \
|
|
-addext "subjectAltName = DNS:${SERVER_CN}" \
|
|
-subj "$SUBJECT/CN=${SERVER_CN}"
|
|
openssl x509 -req -passin $PASSCA -extfile /etc/pki/tls/openssl.cnf \
|
|
-extensions usr_cert -days $DAYS -in server.csr \
|
|
-extensions SAN -extfile <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:${SERVER_CN}\n")) \
|
|
-CA test-ca.crt -CAkey test-ca.key -set_serial 01 -out $SERVER_CN-server.crt
|
|
openssl x509 -purpose -in $SERVER_CN-server.crt
|
|
openssl rsa -passin $PASSSV -in $SERVER_CN-server.key -out $SERVER_CN-server.key
|
|
openssl x509 -in $SERVER_CN-server.crt -out $SERVER_CN-server.pem -outform PEM
|
|
|
|
# client.crt
|
|
openssl genrsa -passout $PASSCT -des3 -out $CLIENT_CN-client.key 4096
|
|
openssl req -passin $PASSCT -new -key $CLIENT_CN-client.key \
|
|
-addext "subjectAltName = DNS:${CLIENT_CN}" \
|
|
-out client.csr -subj "$SUBJECT/CN=${CLIENT_CN}"
|
|
openssl x509 -req -passin $PASSCA -days $DAYS \
|
|
-extfile /etc/pki/tls/openssl.cnf -extensions usr_cert \
|
|
-extensions SAN -extfile <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:${CLIENT_CN}\n")) \
|
|
-in client.csr -CA test-ca.crt -CAkey test-ca.key -set_serial 02 -out $CLIENT_CN-client.crt
|
|
openssl x509 -purpose -in $CLIENT_CN-client.crt
|
|
openssl rsa -passin $PASSCT -in $CLIENT_CN-client.key -out $CLIENT_CN-client.key
|
|
openssl x509 -in $CLIENT_CN-client.crt -out $CLIENT_CN-client.pem -outform PEM
|
|
|
|
# print and verify
|
|
openssl x509 -in test-ca.crt -text -noout
|
|
openssl x509 -in $SERVER_CN-server.crt -text -noout
|
|
openssl x509 -in $CLIENT_CN-client.crt -text -noout
|
|
openssl verify -CAfile test-ca.crt $SERVER_CN-server.crt
|
|
openssl verify -CAfile test-ca.crt $CLIENT_CN-client.crt
|