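#!/bin/bash
# request-sign.sh - sign a CSR with the CA managed by this repository.
#
# Usage: request-sign.sh <common name> [<alias> ...]
#
# Reads  $DATA/<cn>/<cn>.csr, writes a temporary "usr_cert" extension
# section to $CONF/usr_cert.cnf, runs `openssl ca` against the config
# produced by generate_openssl_config, and leaves the certificate at
# $DATA/<cn>/<cn>.crt.
#
# load_config, verify_ca, print_info, print_error and
# generate_openssl_config come from lib/functions.sh (not visible here);
# $DATA, $CONF, $CRT_URL and $CRL_URL are presumably set by load_config -
# confirm against that file.  Strict mode (set -e/-u) is deliberately not
# enabled because that library is sourced into this shell.
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Resolve the library relative to the script rather than the caller's cwd
# (DIR was computed but never used before, so the old cwd-relative path
# only worked when run from the repository root).
source "$DIR/lib/functions.sh"
load_config
verify_ca

#######################################
# Accept only characters that can appear in a DNS name (plus '*' for a
# wildcard).  Every name ends up verbatim inside the openssl extension
# file, and the CN is also used as a path component, so anything else
# (whitespace, '=', '[', a leading '.' that could form '..') is refused.
# Arguments: $1 - candidate DNS name
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_dns_name() {
  [[ -n "$1" && "$1" =~ ^[A-Za-z0-9_*.-]+$ && "$1" != .* ]]
}

if (( $# < 1 )); then
  # NB: a wildcard alias must be quoted on the command line or the shell
  # will try to glob it.
  echo "usage: $0 example.com [www.example.com] [*.example.com]"
  echo " - This will sign a request generated by 'request-generate.sh'"
  echo " - To sign a request generated somewhere else, save it as"
  echo " $DATA/<common name>/<common name>.csr"
  exit 1
fi

CN="$1"; shift
for name in "$CN" "$@"; do
  if ! valid_dns_name "$name"; then
    print_error "Refusing to use '$name' as a DNS name"
    exit 1
  fi
done

CSR="$DATA/$CN/$CN.csr"
CRT="$DATA/$CN/$CN.crt"
if [ ! -e "$CSR" ]; then
  print_error "Certificate Signing Request (CSR) not found at '$CSR'"
  print_error "Either generate one using './request-generate.sh $CN' or place an existing one there"
  exit 1
fi

USR_CERT="$CONF/usr_cert.cnf"
print_info "Generating a $USR_CERT openssl config file"
: > "$USR_CERT" || {
  print_error "Failed to write to '$USR_CERT'"
  exit 1
}
# The extension file is only needed for this run; remove it on every exit
# path, not just after a successful openssl invocation.
trap 'rm -f -- "$USR_CERT"' EXIT

# DNS_LIST and ALT_NAMES are not read in this script; they are kept because
# generate_openssl_config (lib/functions.sh) may consume them - verify.
DNS_LIST=$CN
ALT_NAMES=""
if (( $# > 0 )); then
  ALT_NAMES=section
fi

# Announce aliases here, outside the redirected group below, so that any
# stdout output from print_info cannot leak into the config file.
for DNS in "$@"; do
  print_info "Including DNS alias: $DNS"
done

{
  echo "[ usr_cert ]"
  echo "extendedKeyUsage = serverAuth, clientAuth"
  # A single name goes inline; with aliases the SAN refers to a section.
  # (The original tested [ -z "$@" ], which errors with two or more
  # aliases; the positional count is the intended condition.)
  if [ "$ALT_NAMES" == "section" ]; then
    echo "subjectAltName = @alt_names"
  else
    echo "subjectAltName = DNS:$CN"
  fi
  [ -n "$CRT_URL" ] && echo "authorityInfoAccess = caIssuers;URI:$CRT_URL"
  echo "subjectKeyIdentifier = hash"
  echo "authorityKeyIdentifier = keyid,issuer"
  [ -n "$CRL_URL" ] && echo "crlDistributionPoints = URI:$CRL_URL"
  echo "basicConstraints = CA:FALSE"
  if [ "$ALT_NAMES" == "section" ]; then
    echo "[alt_names]"
    echo "DNS.1 = $CN"
    COUNT=2
    for DNS in "$@"; do
      echo "DNS.$COUNT = $DNS"
      COUNT=$((COUNT + 1))
    done
  fi
} >> "$USR_CERT"

generate_openssl_config
# Check the exit status as well as the output: a failed `openssl ca` can
# leave an empty -out file behind, which a bare existence test would
# report as success.
if ! openssl ca -batch -config "$DATA/generated.cnf" -out "$CRT" -infiles "$CSR" \
   || [ ! -s "$CRT" ]; then
  print_error "Unable to create a certificate for $CN"
  exit 1
fi
print_info "Signed a certificate with the filename '$CRT'"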