Commit 76511d5b authored by Pavel Spirek

Finally fully automatic scripts for certificate generation

parent 69ecbb95
Generating a basic client SSL certificate for testing purposes:
The SSL certificates can be generated using the 'openssl' utility. To partially
automate this task, the 'gen_client_cert.sh' script is provided. This will
issue a new client certificate using the 'CA.pem' as a certification authority.
Note: such certificates are of course not considered trustworthy by common
web browsers and operating systems, they are only suitable for testing.
You can just run the script as follows:
./gen_client_cert.sh <output_filename>
Steps 2 and 3 (creating CSR and signing it) are the only ones that require
a user interaction.
2. Creating CSR:
When requested to enter certificate fields like Country Name or Locality Name,
you can enter any values you want or just use defaults by simply pressing
ENTER key. The only fileld that matters is the 'Email Address', which will be
used as the username by Jetconf server.
Do not enter any 'Challenge password'.
3. Signing CSR:
Enter the following password for test CA private key: ahoj
Now you should have the following files:
output_filename.pem - the client certificate
output_filename.key - the client private key
output_filename_curl.pem - the combination of previous 2 files containing both
certificate and key. Some utilities like CURL expect the client certificate
to be in this combined form.
Generating a basic client SSL certificate for testing purposes
--------------------------------------------------------------------------------
The SSL certificates can be generated using the 'openssl' utility. To automate
this task, the 'gen_client_cert.sh' script is provided. This will issue a new
client certificate using the 'CA.pem' as the certification authority.
Note: such certificates are of course not considered trustworthy by common web
browsers and operating systems, they are only suitable for testing.
To generate a client certificate, just run the provided script as follows:
./gen_client_cert.sh <username>
The issued certificate will have the "emailAddress" DN in the form of
username@mail.cz. This will be used as the username by Jetconf server.
The following files will be generated:
username.pem - the client certificate
username.key - the client private key
username_curl.pem - the concateration of previous 2 files. Some utilities, like
CURL, expect the client certificate in this form.
username.pfx - certificate and private key in PKCS#12 format. Required for
importing into web browsers (Chrome, Firefox, ...).
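Review bot: the new README never tells the user the import password for username.pfx, yet gen_client_cert.sh sets it to the username (`-password pass:$1`) and every browser import dialog will ask for it; add a sentence such as "The .pfx is protected with the password <username>" after the username.pfx line. Two further documentation points: the text says the CA is 'CA.pem' while both scripts use `-CA ca.pem -CAkey ca.key`, which matters on case-sensitive filesystems, so use the real file name; and since the script fixes the subject to /CN=Test, every client certificate has the same CN and only the emailAddress (username@mail.cz) distinguishes users, which is worth stating explicitly so nobody keys the server-side mapping on CN. Typo: "concateration" should be "concatenation".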
-----BEGIN ENCRYPTED PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI9RYN7l6uawgCAggA MIIEpQIBAAKCAQEAnMgi+WX1wcORWiq5Mv/1PbcSwAnMmAlU1dZvYsCSmX96pBOo
MB0GCWCGSAFlAwQBKgQQCYymROgGy6W7C4wFvogZ/gSCBNCII8W/MeTQTkTxNjBB wFtkF5QDFkgwUMzaefXeiliBd3IhNfTbYeToNx1un8o17TKz1vAl9ZL9pbRTKPXr
mtxgb5biPVc5kEkMKi7wOAZnnCR4Eh+vBq4JIaxlLoeMNDmKSj1bPMQcsRG8Hszj OC6mKFZ2BVeeRg7I3/8Kik7a4OhScnuhaGzq5mEs1QN3PAOCqefnsJPZCROxnuZc
Z3KyI7/am+W0GOcM6iUQlfo3nztjygDxZ7hPowLJnKC8K0gNkGowY/PU8x58o+Ou dkZDKpwjI2+oBaM7EvVTJeoAimKarremil4vobKs1g4b0Pfmh6wigLWNlAFQlSJz
iWRGXspzaQoZpQtOuMVMx1XsSpOXfDpVZhBYsQI4hdHEANqDxJgAwtT1k0A+A9+i L9RWcnI4WT1gLmrC0OMEsGwgdSHY2qcpLIOa8sOOXAtVkLeUathGQIvUKAkCC8XK
em2peJMA+Y+MAKLd0PvI2UdtVZCExfi7rzGMF9vwKgCO/54YBJzMCadn+Y2OjgYx qZ6wAu0OcaqfV4fMw7xnUZ4reiN+NybisLv4lQIDAQABAoIBABsj5jIIPXfSdAoI
nQi89fqDQmpAjpfiKhe/Oj4GTiO8zUy3+JuUrNTKFbWyZ/68fZaYdGQ6maDoFsdq 1VCH0JtjYsKNr7Yt/1qZKWUN8xLRZ5iZsp/B8lzGiZZE3uBN5hAwyNpoIdlcj3U4
DbgRpn1MyDKrP+6MFCoJay0JTJd4t3oUGsYxJFJEF4zFAtA4vm1mjEV2f89TpTyB svWKW8yWsrzEk3tBSLKPlfKiBHi386FmmNZ79NWMyhd4qHR2QL3N97QjnG5MqWEa
3XKdSdHE5OeTv8prCimk85Uls9E6+LDZmpzBMxkTZHnctm+W7rA3OZsXztRz8g/R F8HtAOjqr4kcdXqVHPxuocQGhA627aKs2OBe501vP4slKchN5XeUpqt/5Zg7K2Mm
56KsKq553xq0UpUua+zjIafb4mKdOTjb6GFRXnaXxi7zOmGoENZ1cNuszxN0fVD6 1a0XVv5UUZki9VjSc+/wOwpgWeNDf/k9NcKButBRO42bYbW/4ZqG26aCe3+dAVLE
ewJ35segGuuJ2Ggj2SGuLNt7KfYU9vBN4Pw3zlcmv2AIhK9b2aU67qFUSkQsU0ez l0f/S+yoUhRqfMzooIYxzzLkRBr/hZMOA8ZNk2L/D37pSYFvANeDUj/AeiWPzrWc
7+ry9VO2HMQV4xP5eIIfi18hwo+TRpm3noxaM1lavoHRQ2dfqhAov3SnsdSJBnC5 Qc0Ww4ECgYEAz+g7K++wOCmQPAsfj7z5bMzwQTYbypKtdMoOEBLMFHmhEjmAnfNE
Hoja1TUFzx/31hVHk83VSU6cbDVc8kVdOGqed9RtvCN0PPV/KlGLYsiHkL0NB9xY pyHbGzeFk3DnkRgi9INCdnZ6zdpAX4K9HGw0WHQ2nzJkvoyGc+cAhnWqeO/sSdJJ
Yr9Rvm7VzdC3O8Zt+w3E20ByLwNM40C8GRpJCofQc+hYd9pxd8HL+9K2IGPWaWHR n1O+CD3vkxa6xSUjoRmQBcD4nzO6k+zArNDjM3ctG6vF9KW47jma2rUCgYEAwQxh
2XbOVdId+eR4ilT+PsW8hWBimWb9FmHIAiopwuC4Uh/BEOtFIbxlD+maJhqdN90U 3QfAz6C/ypvrKcii/wxdEWRLvOGCS4wFqCji3USmzi9TVKrSE64zhnLVZSvv88b8
trTRKiIzsgpCYhY4UEIVK8zrc3dTBH21hH3QJZ+VX02yErGXYEheWWXu4H7Pkf3E Ctq0R4LtPfqZ0n/pU5IM1SMi43voNA6WLi8jFxt0I7B6/k8J/BEdgVnWENcYp9iV
xD0qSsxHuUm5rT7CcKP/ntOk7vel3AXYl7rOkENYeaFao5GzCs1PObKbatfeIprO sBDIYc+hYlujW/sAepSix/flKTajqc3WN/MQ8mECgYEAntfoNXZIJXCj8SvybihM
CTihn1tikDtE3YHNdZWWE5yxlQCn+tp8/7zUyj/hAYwrgdvG22aL8Ebg2KPba0tc TLL7MGd9rjSIb71cJy2lXFNdG4ZxXLwbDLJSK6Ys2OwfD/zn3/ZVFhsJUjNYkWBa
yAdPwZl1zjR+ZVTLOZ5RfInOCXNXg+5cYDG1jH9HdjcawyvvieAQZAShZAJXB0C6 yddl2trXTKP80pScuPqZrSFDIGj2F6SheShK/RMM8k0gXzUz1oaoQa0ghsnH1/K/
0pTuz15UNn/tSpLfDy7Zwf93fYX8fuCn/+La9VmxALIkgBxm01c1XGwOjiSNQBH1 domVvKFmBkkj0fm3o9LBHC0CgYEAoRvaWIJt8VlwdoClQ5vEHCKPUUJoyttQyAe1
WBTdZBS9zB2ZNSH0GvfJM48q7iNMSPs+JgxRmWUYFHweShPeGD6kH/BWkf+N31jr eN+WZZ8zroNkghaFeBM7wQr4+JQwjzwTgGOBbOThZYZM9ZX2fd43g3DtXvg7k6ZQ
T47rMn/x3T666STa2SvHgAbUFs36GGGXyJsk25QC8tFd94bO710OS01nP/ozjqsr w35nRJOO23IfUzlXVdxayWbV9fvtAbcJRYTcFnUXdGSR8uOJRMPjDgveXgTRlZbJ
1uamNiJDEQk/wdZrdyQPMYjADLxL5J0jZx8hv7mdb4fnS6GdS+99bwzhnAaUtEN/ HqxmCkECgYEAw66kvnYqB/XSaDnBysPHQifcRKUSdazvVhg9/1G7o2aViuGUNTk7
rSKMShKkp+8+bIYd3y0+Glyl4Y0IHtYLSfVvcpwcFFn6y8AsV4Uz4jftZ4m4JY3+ FDAldwC0h12UUSQ20PkSTjJ5MRryCGDgyrXDAeWyCkl/uHMbd0HCFomQGJ9HTusZ
P9uLXb8MN9+XaMctMWKPncyJ9areW8/190klVYu92eNzObShKS92Q387JK8rcH01 vpxDYE6GwOyLXC84nsDLp9Ofd2TjZgR4bOaPHV3UKXX0ka4tI5l5wBA=
+DWsuFeOJWuQNrzlyZBGHWB0eYilE6Bj4c+buMHeC++TeJVv5cOj3AQ7HfvJ7+Op -----END RSA PRIVATE KEY-----
OFow7f45TI3AtHwkkzPPXFm8kA6az1fR7eg6L/Z5a7fA4B5qrQZOL3RINH65gCP4
EJ8iHPGRDmVtVMzwyJbDfD5ITw==
-----END ENCRYPTED PRIVATE KEY-----
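Review bot: this hunk swaps the passphrase-protected CA key (BEGIN ENCRYPTED PRIVATE KEY) for a plaintext one (BEGIN RSA PRIVATE KEY), so the test CA's private key now sits unencrypted in the repository. Combined with the scripts, which sign any CSR with it, anyone with a clone can mint a client certificate for an arbitrary emailAddress, i.e. any Jetconf username, and present it to every deployment that still trusts this ca.pem. That is tolerable only if the CA is strictly test-only, so the README (and ideally a comment in the scripts) should say that ca.key/ca.pem must never be trusted by a real deployment. If the goal was just to drop the interactive passphrase prompt, an alternative that keeps the key out of plaintext is to keep the encrypted key and pass `-passin` from an environment variable, or to generate a throwaway CA on first run with `openssl req -x509 -newkey rsa:2048 ...` instead of committing one.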
...@@ -4,16 +4,21 @@ if [ "$1" = "" ]; then ...@@ -4,16 +4,21 @@ if [ "$1" = "" ]; then
exit 1 exit 1
fi fi
echo "\n1. Generating private key:" echo -e "\n1. Generating private key:"
openssl genrsa -out $1.key 2048 openssl genrsa -out $1.key 2048
echo "\n2. Generating CSR:" echo -e "\n2. Generating CSR:"
openssl req -new -key $1.key -out $1.req openssl req -new -key $1.key -out $1.req -subj "/CN=Test/emailAddress=$1@mail.cz"
echo "\n3. Signing CSR with test CA's key:" echo -e "\n3. Signing CSR with test CA's key:"
openssl x509 -req -in $1.req -CA ca.pem -CAkey ca.key -days 365 -out $1.pem openssl x509 -req -in $1.req -CA ca.pem -CAkey ca.key -days 3650 -out $1.pem
rm $1.req
echo "\n4. Creating combined $1_curl.pem file containing both certificate and key (for curl etc.):" echo -e "\n4. Creating $1_curl.pem (concaterated certificate and key for curl etc.):"
cat $1.pem > $1_curl.pem cat $1.pem > $1_curl.pem
cat $1.key >> $1_curl.pem cat $1.key >> $1_curl.pem
echo -e "\n5. Creating .pfx for web browsers (password: $1):"
openssl pkcs12 -export -out $1.pfx -inkey $1.key -in $1.pem -password pass:$1
echo -e "\nDone"
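Review bot: `$1` is interpolated unquoted into every file name and into the new `-subj "/CN=Test/emailAddress=$1@mail.cz"`, so a username containing a space splits the command line and one containing "/" injects an extra DN component (e.g. `bob/CN=admin` yields /CN=Test/emailAddress=bob/CN=admin@mail.cz); validate it before use, for instance `[[ "$1" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`, and quote "$1" throughout. Further points on the same hunk: the signing line `openssl x509 -req ... -CA ca.pem -CAkey ca.key -days 3650 -out $1.pem` passes no `-sha256` although gen_server_cert.sh does, so the digest depends on the local OpenSSL default; it also uses no `-CAcreateserial`, and unless a ca.srl already exists (none is visible in this commit) OpenSSL 1.x aborts with "ca.srl: No such file or directory". Because no `-extfile` is given, the client certificate is issued with no extensions at all, neither basicConstraints=CA:FALSE nor extendedKeyUsage=clientAuth; an extfile like the one in gen_server_cert.sh would make the intended use explicit. Finally, `-password pass:$1` puts the PKCS#12 password on the command line where it is visible in process listings; acceptable for a test helper, but say so in the echoed message or the README.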
#!/bin/bash
if [ $# -ne 2 ] && [ $# -ne 3 ]; then
echo "Usage:"
echo " $0 <out_file_suffix> <domain/ip>"
echo "or:"
echo " $0 <out_file_suffix> <domain/ip> <server_key>"
echo "I.e. $0 example example.com will create file server_example.crt"
echo "with new private key."
exit 1
fi
# Generate server private key if not passed from the command line
if [ $# -eq 2 ]; then
KEY_FILE=server_$1.key
echo -e "\nGenerating new private key:"
openssl genrsa -out $KEY_FILE 2048
else
KEY_FILE=$3
fi
CSR_CNF_FILE=/tmp/srv.csr.cnf
V3EXT_FILE=/tmp/srv.v3ext
# Prepare temporary configuration file
cat << EOF > $CSR_CNF_FILE
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
CN = $2
EOF
# Prepare temporary v3-extensions file
cat << EOF > $V3EXT_FILE
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
EOF
# Test if certificate is being issued for domain or IP and set a correct SAN
if [[ $2 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "IP.1 = $2" >> $V3EXT_FILE
else
echo "DNS.1 = $2" >> $V3EXT_FILE
fi
echo -e "\n1. Generating CSR:"
openssl req -new -key $KEY_FILE -out server_$1.csr -sha256 -config $CSR_CNF_FILE
echo -e "\n2. Signing CSR with test CA's key:"
openssl x509 -req -in server_$1.csr -CA ca.pem -CAkey ca.key -days 3650 -sha256 -extfile $V3EXT_FILE -out server_$1.crt
rm -f server_$1.csr $CSR_CNF_FILE $V3EXT_FILE
echo -e "\nDone"
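Review bot: `CSR_CNF_FILE=/tmp/srv.csr.cnf` and `V3EXT_FILE=/tmp/srv.v3ext` are fixed, predictable paths written with `cat << EOF > $CSR_CNF_FILE`; on a shared host another local user can pre-create or symlink them, so the script either overwrites whatever the symlink points at or signs a certificate with extension content it did not write, and two concurrent runs clobber each other. Use `CSR_CNF_FILE=$(mktemp)` and `V3EXT_FILE=$(mktemp)` and remove both in a `trap ... EXIT`. Related: `$2` is copied unescaped into `CN = $2` and the SAN entry, and the IPv4-only regex sends anything else, including an IPv6 literal, to `DNS.1`, so validate it as a hostname or IP address before use. The extension file sets `keyUsage` but no `extendedKeyUsage = serverAuth`, which some clients (Apple platforms, for certificates issued since mid-2019) require on TLS server certificates; add it. When a <server_key> is supplied, `KEY_FILE=$3` is used without checking that the file exists, so the failure only surfaces inside `openssl req`. Usage text: "I.e. $0 example example.com" should read "E.g.".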