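#!/usr/bin/env bash
# Creates a private CA (encrypted key, its passphrase file, an unencrypted
# copy of the key, and a self-signed CA cert) and a CA-signed wildcard
# server certificate. Everything is written next to this script.
#
# Usage: ./wildcard.sh          (no arguments; edit the CONFIG block instead)
#
# Outputs (in the script's directory):
#   CA.key             CA private key, AES-256 encrypted with CA.passphrase
#   CA.passphrase      randomly generated passphrase for CA.key
#   CA.noncrypt.key    CA private key WITHOUT encryption (see note below)
#   CA.crt             self-signed CA certificate
#   CA.srl             serial-number file maintained by 'openssl x509'
#   wildcard.key.pem   server private key (unencrypted)
#   wildcard.csr       certificate signing request for the server cert
#   wildcard.crt       CA-signed server certificate carrying SAN ${DNS1}
#
# Security notes:
#   * The passphrase and the unencrypted copy of the CA key sit in the same
#     directory as the encrypted key, so encrypting CA.key buys nothing by
#     itself. Move CA.key/CA.passphrase offline and delete CA.noncrypt.key
#     once the certificates you need have been issued.
#   * All files are created with umask 077 (owner-only); only the two public
#     certificates are relaxed to 0644 afterwards.
#   * The passphrase is never placed on an openssl command line (it is read
#     with 'file:'), so neither 'ps' nor the 'set -x' trace below leaks it.
#   * Only sign names you control. A wildcard SAN does not match the apex
#     (DNS1 "*.work.it" does not cover "work.it"); add a DNS.2 if needed.
#
# CONFIG
COUNTRY="US"                       # COUNTRY
STATE="TX"                         # STATE
LOCALITY="AUSTIN"                  # LOCALITY
ORGANIZATION="WORK"                # ORGANIZATION NAME
ORGANIZATIONUNIT="IT"              # ORGANIZATION UNIT
COMMONNAME="SERVER"                # COMMON NAME of the server certificate
# CN of the CA. Kept distinct from the leaf's CN so issuer and subject DNs
# differ; some verifiers treat subject==issuer as a self-issued certificate.
CA_COMMONNAME="${COMMONNAME} CA"
DNS1="*.work.it"                   # wildcard name placed in the SAN
CA_KEY_BITS=4096                   # CA keys live long; use the conservative size
WILD_KEY_BITS=2048                 # server key size
DAYS=365                           # validity (days) of both certificates
# Do not change anything below
set -euo pipefail
set -x
umask 077

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
readonly DIR

# Temporary openssl config files. mktemp instead of fixed names in /tmp
# (fixed names invite symlink/race attacks); removed on every exit path.
CA_CONFIG="$(mktemp)"
CSR_CONFIG="$(mktemp)"
CERT_CONFIG="$(mktemp)"
cleanup() { rm -f -- "${CA_CONFIG}" "${CSR_CONFIG}" "${CERT_CONFIG}"; }
trap cleanup EXIT

#######################################
# Print a [req_distinguished_name] section for the given CN.
# Globals:   COUNTRY STATE LOCALITY ORGANIZATION ORGANIZATIONUNIT (read)
# Arguments: $1 - common name
# Outputs:   openssl config section on stdout
#######################################
dn_section() {
  cat <<EOF
[req_distinguished_name]
C = ${COUNTRY}
ST = ${STATE}
L = ${LOCALITY}
O = ${ORGANIZATION}
OU = ${ORGANIZATIONUNIT}
CN = $1
EOF
}

# --- CA key ---------------------------------------------------------------
CA_KEY="${DIR}/CA.key"
CA_PASS_FILE="${DIR}/CA.passphrase"
# The passphrase goes straight from 'openssl rand' into the file so it never
# exists in a shell variable, an argv, or the xtrace output.
openssl rand -base64 48 > "${CA_PASS_FILE}"
rm -f -- "${CA_KEY}"
# AES-256 rather than 3DES for the PEM encryption; the key size is explicit
# instead of relying on the openssl default.
openssl genrsa -aes256 -passout "file:${CA_PASS_FILE}" -out "${CA_KEY}" "${CA_KEY_BITS}"

# Unencrypted copy of the CA key, for consumers that cannot supply a
# passphrase. See the security note in the header.
CA_NONCRYPT_KEY="${DIR}/CA.noncrypt.key"
openssl rsa -passin "file:${CA_PASS_FILE}" -in "${CA_KEY}" -out "${CA_NONCRYPT_KEY}"

# --- CA certificate -------------------------------------------------------
CA_CERT="${DIR}/CA.crt"
rm -f -- "${CA_CERT}"
# Extensions are set explicitly instead of relying on whatever [v3_ca] the
# system openssl.cnf provides: CA:TRUE plus keyCertSign are what make this
# certificate usable as an issuer, and SKID/AKID let verifiers chain the
# leaf to it by key id rather than by DN alone.
{
  cat <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
EOF
  dn_section "${CA_COMMONNAME}"
  cat <<EOF
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
} > "${CA_CONFIG}"
openssl req -x509 -new -key "${CA_KEY}" -passin "file:${CA_PASS_FILE}" \
  -sha256 -days "${DAYS}" -config "${CA_CONFIG}" -out "${CA_CERT}"

# --- Wildcard key + CSR ---------------------------------------------------
WILD_KEY="${DIR}/wildcard.key.pem"
rm -f -- "${WILD_KEY}"
openssl genrsa -out "${WILD_KEY}" "${WILD_KEY_BITS}"

WILD_CSR="${DIR}/wildcard.csr"   # next to the other artifacts, not in $PWD
{
  cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
EOF
  dn_section "${COMMONNAME}"
  cat <<EOF
[v3_req]
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${DNS1}
EOF
} > "${CSR_CONFIG}"
# -key uses the key generated above (no redundant -newkey); -reqexts is the
# CSR-side flag, -extensions only applies to 'req -x509'.
openssl req -new -key "${WILD_KEY}" -reqexts v3_req -config "${CSR_CONFIG}" -out "${WILD_CSR}"

# --- Sign the wildcard cert -----------------------------------------------
WILD_CERT="${DIR}/wildcard.crt"
# Every extension must live under [req_ext]: 'x509 -req -extensions req_ext'
# reads only that section, so lines placed above the section header are
# silently ignored. basicConstraints=CA:FALSE is what stops this leaf from
# being accepted as an issuer itself.
cat > "${CERT_CONFIG}" <<EOF
[req_ext]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${DNS1}
EOF
openssl x509 -req -in "${WILD_CSR}" -CA "${CA_CERT}" -CAkey "${CA_KEY}" \
  -passin "file:${CA_PASS_FILE}" -CAcreateserial -days "${DAYS}" -sha256 \
  -extfile "${CERT_CONFIG}" -extensions req_ext -out "${WILD_CERT}"

# Public certificates may be world-readable; keys and passphrase stay 0600.
chmod 0644 "${CA_CERT}" "${WILD_CERT}"

# --- Check: the leaf must chain to the CA (fails the script if not) -------
openssl verify -CAfile "${CA_CERT}" "${WILD_CERT}"
openssl x509 -text -in "${WILD_CERT}"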