Provide script to issue certificates using Docker container

README.md

@@ -1,4 +1,18 @@
-To issue a Nuts development network certificate use the `issuer-cert.sh` script, providing the hostname:
+# Issue certificate using Docker
+
+To issue a Nuts development network certificate use the `issuer-cert-docker.sh` script, providing the hostname:
+
+```shell script
+    $ ./issue-cert-docker.sh [network] my.nuts.host.nl
+```
+
+Replace `[network]` with `development` or `stable` to generate a certificate for one of those networks.
+
+It writes the private key and certificate in the `issued-certificates` directory.
+
+# Issue certificate without Docker
+
+If you don't want to use Docker you can use the OpenSSL script directly:
 
 ```shell script
     $ ./issue-cert.sh [network] my.nuts.host.nl
@@ -13,3 +27,7 @@ my.nuts.host.nl-development.key
 my.nuts.host.nl-development.pem
 truststore-development.pem
 ```
+
+# Wildcard certificates
+
+It is possible to issue a wildcard certificate, but don't forget to put the hostname in double quotes.

issue-cert-docker.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+NETWORK=$1
+HOST=$2
+echo Generating key and certificate for $HOST to join $NETWORK
+
+docker run --rm \
+  -v $(pwd)/issued-certificates:/work \
+  -v $(pwd):/scripts/:rw \
+  -w /work \
+  --entrypoint=/bin/sh \
+  alpine/openssl -c "/scripts/issue-cert.sh $NETWORK $HOST"

issue-cert.sh

@@ -1,25 +1,35 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 NETWORK=$1
 HOST=$2
+
+# Working directory where generated keys and certs will end up
+WORKDIR=$(pwd)
+# Absolute path to this script, e.g. /home/user/bin/foo.sh
+# Resolve location of this script, in case it is being called from another directory
+SCRIPTPATH=$(readlink -f "$0")
+SCRIPTDIR=$(dirname "$SCRIPTPATH")
+
 echo Generating key and certificate for $HOST to join $NETWORK
+openssl ecparam -genkey -name prime256v1 -noout -out $WORKDIR/$HOST-$NETWORK.key
+openssl req -new -key $WORKDIR/$HOST-$NETWORK.key -out $WORKDIR/$HOST-$NETWORK.csr -subj "/CN=${HOST}"
 openssl ecparam -genkey -name prime256v1 -noout -out $HOST-$NETWORK.key
 openssl req -new -key $HOST-$NETWORK.key -out $HOST-$NETWORK.csr -subj "/CN=${HOST}"
 
-local_openssl_config="
+echo "
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 
 [alt_names]
 subjectAltName = DNS:${HOST}
-"
-cat <<< "$local_openssl_config" > node.ext
-openssl x509 -req -in $HOST-$NETWORK.csr -CA $NETWORK/ca.pem -CAkey $NETWORK/ca.key -CAcreateserial -out $HOST-$NETWORK.pem -days 365 -sha256 \
-  -extfile node.ext \
-  -extensions alt_names
+" > $WORKDIR/node.ext
+openssl x509 -req -in $WORKDIR/$HOST-$NETWORK.csr -CA $SCRIPTDIR/$NETWORK/ca.pem -CAkey $SCRIPTDIR/$NETWORK/ca.key -CAcreateserial -out $WORKDIR/$HOST-$NETWORK.pem -days 365 -sha256 \
+  -extfile $WORKDIR/node.ext \
+  -extensions alt_names \
+  -set_serial "0x`openssl rand -hex 8`"
 
-cp $NETWORK/ca.pem truststore-$NETWORK.pem
+cp $SCRIPTDIR/$NETWORK/ca.pem $WORKDIR/truststore-$NETWORK.pem
 
-rm $HOST-$NETWORK.csr
-rm node.ext
+rm $WORKDIR/$HOST-$NETWORK.csr
+rm $WORKDIR/node.ext

issued-certificates/.gitignore

@@ -0,0 +1,2 @@
+*.pem
+*.key