#!/bin/bash
## Creates a 4096-bit RSA private key (AES-256 encrypted with a passphrase
## that openssl prompts for) and a certificate signing request for it, both
## in PEM format, named after the first parameter
## (<key-name>.key.pem / <key-name>.csr.pem). Run without arguments to see
## the two supported argument forms.
# Print the two supported invocation forms and exit 1.
# Everything goes to stderr so a caller capturing stdout sees nothing here.
usage () {
  cat >&2 <<EOF
usage:
 $0 <key-name> <C> <ST> <L> <O> <OU> <CN> <mail>
or
 $0 <key-name> <config-file> <CN> <mail>
with:
 <key-name> The name of the key to be created.
 <config-file> A configuration file which must exists, which defines <C> <ST> <L> <O> <OU>
 <C> The two letter country code where the client is located.
 <ST> The state where the client is located.
 <L> The locality, where the client is located.
 <O> The organisation, where the client belongs to.
 <OU> The organisation unit the client belongs to.
 <CN> The common name to identify the client e.g. personal id.
 <mail> The e-mail address of the client.
EOF
  exit 1
}
# Print the resolved file names and the subject DN that will be requested,
# each prefixed with the current time. Reads the KEY_FILE, CSR_FILE and
# CSR_* globals set by the main script; "now" is left as a global exactly
# like the main script's own timestamp variable.
debug () {
  now=$(date +"%T")
  printf '[%s] Key: %s | CSR: %s\n' "$now" "$KEY_FILE" "$CSR_FILE"
  printf '[%s] /C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s\n' \
    "$now" "$CSR_C" "$CSR_ST" "$CSR_L" "$CSR_O" "$CSR_OU" "$CSR_CN" "$CSR_MAIL"
}
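# ---------------------------------------------------------------------------
# Script body: validate the arguments, then generate the key and the CSR.
# ---------------------------------------------------------------------------

# Print a message to stderr and exit 1.
fail () {
  printf '%s\n' "$*" >&2
  exit 1
}

# Escape one DN component for openssl's -subj parser: '/' separates RDNs,
# '+' separates values within an RDN (always in OpenSSL 3.x, with
# -multivalue-rdn in 1.1.x) and '\' escapes the next character. Without this
# a CN such as "user/O=Other" would add an extra RDN to the request instead
# of being a literal name.
subj_escape () {
  local v=$1
  v=${v//\\/\\\\}   # backslashes first, so the escapes added below survive
  v=${v//\//\\/}
  v=${v//+/\\+}
  printf '%s' "$v"
}

# This script never reads the CA key; the check only enforces that it runs
# in an initialised working directory of this repository.
if [ ! -f CA/key.pem ]; then
  fail "The CA is not initialized!"
fi

# Check if a name was provided.
if [ -z "$1" ]; then
  usage
fi
key_name=$1
# The name is only ever used as "./<name>.key.pem"; a slash would turn it
# into a path and let the key land outside the working directory.
case $key_name in
  */*) fail "<key-name> must be a plain file name without '/': '$key_name'" ;;
esac

# Pick the invocation form by argument count (4 = config file, 8 = explicit).
# Deciding on "$2 is an existing file" alone, as before, misread the explicit
# form whenever a file named like the country code existed in the working
# directory.
case $# in
  4)
    [ -f "$2" ] || fail "Config file '$2' does not exist."
    # The config file is executed as shell code (it assigns CSR_C, CSR_ST,
    # CSR_L, CSR_O and CSR_OU); only source files you trust. The "./" prefix
    # stops bash from looking a bare file name up in $PATH first.
    config_file=$2
    case $config_file in
      */*) ;;
      *) config_file="./$config_file" ;;
    esac
    # shellcheck disable=SC1090
    source "$config_file" || fail "Failed to read config file '$2'."
    CSR_CN="$3"
    CSR_MAIL="$4"
    ;;
  8)
    CSR_C="$2"
    CSR_ST="$3"
    CSR_L="$4"
    CSR_O="$5"
    CSR_OU="$6"
    CSR_CN="$7"
    CSR_MAIL="$8"
    ;;
  *)
    usage
    ;;
esac

[ -n "$CSR_CN" ] || fail "<CN> must not be empty."
[ -n "$CSR_MAIL" ] || fail "<mail> must not be empty."
# The address is written into the generated openssl config below, where a
# newline starts a new directive and '$' starts a variable reference.
case $CSR_MAIL in
  *$'\n'*|*'$'*) fail "<mail> must not contain a newline or '\$'." ;;
esac

KEY_FILE="./$key_name.key.pem"
CSR_FILE="./$key_name.csr.pem"
# debug   # uncomment to print the resolved file names and subject

# Refuse to overwrite: silently replacing a key would lose the one matching
# any certificate already issued for this name.
for f in "$KEY_FILE" "$CSR_FILE"; do
  [ -e "$f" ] && fail "'$f' already exists; remove it first to regenerate."
done

# Create the 4096-bit RSA private key, AES-256 encrypted with the passphrase
# openssl prompts for. umask 077 in the subshell keeps the file owner-only;
# recent openssl releases appear to create private-key files 0600 themselves,
# but that is not guaranteed for every build, and the umask costs nothing.
( umask 077 && openssl genrsa -aes256 -out "$KEY_FILE" 4096 )
rv=$?
if [ "$rv" -ne 0 ]; then
  rm -f -- "$KEY_FILE"   # drop any partial file so a rerun is not blocked
  fail "RSA key generation failed (exit $rv)."
fi
now=$(date +"%T")
echo "[$now] RSA key '$KEY_FILE' created."

subject="/C=$(subj_escape "$CSR_C")"
subject+="/ST=$(subj_escape "$CSR_ST")"
subject+="/L=$(subj_escape "$CSR_L")"
subject+="/O=$(subj_escape "$CSR_O")"
subject+="/OU=$(subj_escape "$CSR_OU")"
subject+="/CN=$(subj_escape "$CSR_CN")"
subject+="/emailAddress=$(subj_escape "$CSR_MAIL")"

# Create the CSR with the just created private key.
# The extension section is selected with -reqexts: for "req -new" without
# -x509, -extensions names the section used for a self-signed certificate
# and is ignored for the request, which is why the extensions never showed
# up in the CSR (the old FIXME). authorityKeyIdentifier is not requested any
# more: it identifies the issuer's key and is set by the CA at signing time,
# not by the requester. The CA is still free to drop or override anything
# requested here when it signs.
openssl req -new -sha256 \
  -subj "$subject" \
  -key "$KEY_FILE" -out "$CSR_FILE" \
  -reqexts SAN \
  -config <(cat <<EOF
[req]
prompt=no
distinguished_name=req_distinguished_name
[req_distinguished_name]
# intentionally empty: the DN is passed with -subj
[SAN]
subjectAltName=email:$CSR_MAIL
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF
)
rv=$?
if [ "$rv" -ne 0 ]; then
  rm -f -- "$CSR_FILE"
  fail "CSR creation failed (exit $rv)."
fi
now=$(date +"%T")
echo "[$now] CSR '$key_name.csr.pem' created."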