diff --git a/README.md b/README.md index bad71cc..95aac0a 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,18 @@ -To issue a Nuts development network certificate use the `issuer-cert.sh` script, providing the hostname: +# Issue certificate using Docker + +To issue a Nuts development network certificate use the `issuer-cert-docker.sh` script, providing the hostname: + +```shell script + $ ./issue-cert-docker.sh [network] my.nuts.host.nl +``` + +Replace `[network]` with `development` or `stable` to generate a certificate for one of those networks. + +It writes the private key and certificate in the `issued-certificates` directory. + +# Issue certificate without Docker + +If you don't want to use Docker you can use the OpenSSL script directly: ```shell script $ ./issue-cert.sh [network] my.nuts.host.nl @@ -13,3 +27,7 @@ my.nuts.host.nl-development.key my.nuts.host.nl-development.pem truststore-development.pem ``` + +# Wildcard certificates + +It is possible to issue a wildcard certificate, but don't forget to put the hostname in double quotes. \ No newline at end of file diff --git a/issue-cert-docker.sh b/issue-cert-docker.sh new file mode 100755 index 0000000..9f90aae --- /dev/null +++ b/issue-cert-docker.sh @@ -0,0 +1,11 @@ +#!/bin/sh +NETWORK=$1 +HOST=$2 +echo Generating key and certificate for $HOST to join $NETWORK + +docker run --rm \ + -v $(pwd)/issued-certificates:/work \ + -v $(pwd):/scripts/:rw \ + -w /work \ + --entrypoint=/bin/sh \ + alpine/openssl -c "/scripts/issue-cert.sh $NETWORK $HOST" diff --git a/issue-cert.sh b/issue-cert.sh index d4737b5..cd2022b 100755 --- a/issue-cert.sh +++ b/issue-cert.sh 
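Review bot: `sh -c "/scripts/issue-cert.sh $NETWORK $HOST"` on the last line of issue-cert-docker.sh builds the inner command by string interpolation, so a hostname containing a space, a `;` or `$(...)` is re-parsed by the container's shell, and the wildcard hostname the README tells users to quote is exposed to glob expansion a second time; passing the two values as positional arguments to the entrypoint avoids that, and the `$(pwd)` volume mounts should be quoted for the same reason. The whole repository — including the `development/ca.key` and `stable/ca.key` the inner script reads — is mounted `:rw`, while the inner script only writes under its working directory `/work`, so `:ro` looks sufficient; the `-CAcreateserial` in the sibling hunk would need write access only if the explicit `-set_serial` there does not, as I believe it does, make the serial file unused — worth confirming before switching. `alpine/openssl` is pulled without a tag, so the OpenSSL build that mints the keys changes silently between runs; pin a tag or digest. The rewrite below also adds `set -eu` and a usage check so a missing argument fails before any file is touched.
```shell
#!/bin/sh
set -eu
NETWORK=${1:?usage: $0 <development|stable> <hostname>}
HOST=${2:?usage: $0 <development|stable> <hostname>}
echo "Generating key and certificate for $HOST to join $NETWORK"

# /scripts is mounted read-only: the inner script only writes into /work.
# Arguments are passed positionally instead of being interpolated into `sh -c`.
docker run --rm \
  -v "$(pwd)/issued-certificates:/work" \
  -v "$(pwd):/scripts:ro" \
  -w /work \
  --entrypoint=/bin/sh \
  alpine/openssl /scripts/issue-cert.sh "$NETWORK" "$HOST"
```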
@@ -1,11 +1,21 @@ -#!/usr/bin/env bash +#!/usr/bin/env sh NETWORK=$1 HOST=$2 + +# Working directory where generated keys and certs will end up +WORKDIR=$(pwd) +# Absolute path to this script, e.g. /home/user/bin/foo.sh +# Resolve location of this script, in case it is being called from another directory +SCRIPTPATH=$(readlink -f "$0") +SCRIPTDIR=$(dirname "$SCRIPTPATH") + echo Generating key and certificate for $HOST to join $NETWORK +openssl ecparam -genkey -name prime256v1 -noout -out $WORKDIR/$HOST-$NETWORK.key +openssl req -new -key $WORKDIR/$HOST-$NETWORK.key -out $WORKDIR/$HOST-$NETWORK.csr -subj "/CN=${HOST}" openssl ecparam -genkey -name prime256v1 -noout -out $HOST-$NETWORK.key openssl req -new -key $HOST-$NETWORK.key -out $HOST-$NETWORK.csr -subj "/CN=${HOST}" -local_openssl_config=" +echo " authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment @@ -13,13 +23,13 @@ extendedKeyUsage = serverAuth, clientAuth [alt_names] subjectAltName = DNS:${HOST} -" -cat <<< "$local_openssl_config" > node.ext -openssl x509 -req -in $HOST-$NETWORK.csr -CA $NETWORK/ca.pem -CAkey $NETWORK/ca.key -CAcreateserial -out $HOST-$NETWORK.pem -days 365 -sha256 \ - -extfile node.ext \ - -extensions alt_names +" > $WORKDIR/node.ext +openssl x509 -req -in $WORKDIR/$HOST-$NETWORK.csr -CA $SCRIPTDIR/$NETWORK/ca.pem -CAkey $SCRIPTDIR/$NETWORK/ca.key -CAcreateserial -out $WORKDIR/$HOST-$NETWORK.pem -days 365 -sha256 \ + -extfile $WORKDIR/node.ext \ + -extensions alt_names \ + -set_serial "0x`openssl rand -hex 8`" -cp $NETWORK/ca.pem truststore-$NETWORK.pem +cp $SCRIPTDIR/$NETWORK/ca.pem $WORKDIR/truststore-$NETWORK.pem -rm $HOST-$NETWORK.csr -rm node.ext +rm $WORKDIR/$HOST-$NETWORK.csr +rm $WORKDIR/node.ext diff --git a/issued-certificates/.gitignore b/issued-certificates/.gitignore new file mode 100644 index 0000000..b7756a6 --- /dev/null +++ b/issued-certificates/.gitignore 
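Review bot: The two unprefixed lines `openssl ecparam ... -out $HOST-$NETWORK.key` and `openssl req ... -out $HOST-$NETWORK.csr` survive as context right after the new `$WORKDIR/`-prefixed versions, so the key and CSR are generated twice and the second run overwrites the first; because `WORKDIR=$(pwd)` both pairs write to the same path the result is still consistent, but the old pair should be deleted. The private key is written with the caller's default umask, which on most systems leaves `$HOST-$NETWORK.key` world-readable; add `umask 077` directly under the shebang so the key and CSR are created owner-only. The script has no `set -eu`, so a missing `$2` silently produces a key named `-development.key` instead of an error, and `readlink -f` is a GNU/BusyBox extension that the stock BSD `readlink` on older macOS lacks — presumably fine inside the BusyBox-based container, but worth a comment for the non-Docker path the README advertises. Every `$WORKDIR/$HOST-$NETWORK` expansion is unquoted and breaks on a path containing spaces; the script continues in the next hunk.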
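Review bot: As far as I can tell, the extension file written by `echo "..." > $WORKDIR/node.ext` leaves `basicConstraints=CA:FALSE`, `keyUsage` and `extendedKeyUsage` in OpenSSL's unnamed default section, while `-extensions alt_names` selects only the `[alt_names]` section, so the issued certificate carries just the SAN and none of the constraints the script clearly intends — check with `openssl x509 -text -in <cert>`. The fix is to start the echoed block with a section header such as `[node_ext]`, drop the `[alt_names]` line so `subjectAltName` lands in the same section, and pass `-extensions node_ext`. With the new random 64-bit serial, written as `-set_serial "0x$(openssl rand -hex 8)"` rather than with backticks, `-CAcreateserial` is redundant as I read the x509 app, and `$NETWORK` reaches `$SCRIPTDIR/$NETWORK/ca.key` unvalidated, so a `case "$NETWORK" in development|stable) ;; *) exit 1 ;; esac` guard near the top would be sensible. The expansions in the `openssl x509`, `cp` and `rm` lines are unquoted; this flat script starts in the previous hunk.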
@@ -0,0 +1,2 @@
+*.pem
+*.key
\ No newline at end of file