X-Git-Url: https://gerrit.onap.org/r/gitweb?p=aaf%2Fauthz.git;a=blobdiff_plain;f=conf%2FCA%2Fmanual.sh;h=b2a5db97663b3ab72ea878eb31d87c4455314416;hp=eb391591c356dc4c96a72adb922f2f9315fe52f8;hb=HEAD;hpb=924b18d7469204ceaae60d7345712ea09f75a674
diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
index eb391591..b2a5db97 100644
--- a/conf/CA/manual.sh
+++ b/conf/CA/manual.sh
@@ -1,56 +1,111 @@
+#!/bin/bash
+#########
+# ============LICENSE_START====================================================
+# org.onap.aaf
+# ===========================================================================
+# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+# ===========================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END====================================================
+#
 #
 # Initialize a manual Cert. This is NOT entered in Certman Records
+# $1 - CN (Common Name)
+# $2 - FQI (Fully Qualified Identity)
+# $3-$n - SANs (Service Alias Names)
 #
-echo "FQI (Fully Qualified Identity): "
-read FQI
-if [ "$1" = "" -o "$1" = "-local" ]; then
+
+if [ "$2" = "" ]; then
+ echo "FQI (Fully Qualified Identity): "
+ read FQI
+fi
+
+if [ "$1" = "" -o "$1" = "-local" ]; then
 echo "Personal Certificate"
 SUBJECT="/CN=$FQI/OU=V1`cat subject.aaf`"
-else
+ NAME=$FQI
+else
 echo "Application Certificate"
 SUBJECT="/CN=$1/OU=$FQI`cat subject.aaf`"
- FQI=$1
- shift
+ NAME=$1
+
+ if [ "$3" = "" ]; then
+ echo "Enter any SANS, delimited by spaces: "
+ read SANS
+ else
+ SANS=""
+ while [ ! "$3" = "" ]; do
+ SANS=${SANS}" "$3
+ shift
+ done
+ fi
 fi
+
+# Do SANs
+if [ "$SANS" = "" ]; then
+ echo no SANS
+ if [ -e $NAME.san ]; then
+ rm $NAME.san
+ fi
+ else
+ echo some SANS: $SANS
+ cp ../san.conf $NAME.san
+ NUM=1
+ for D in $SANS; do
+ echo "DNS.$NUM = $D" >> $NAME.san
+ NUM=$((NUM+1))
+ done
+fi
+
 echo $SUBJECT
-if [ -e $FQI.csr ]; then
- SIGN_IT=true
-else
+if [ ! -e $NAME.csr ]; then
 if [ "$1" = "-local" ]; then
 echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
 echo "Enter the PassPhrase for the Key for $FQI: "
 `stty -echo`
 read PASSPHRASE
 `stty echo`
-
+
 # remove any previous Private key
- rm private/$FQI.key
- # Create j regaular rsa encrypted key
- openssl req -new -newkey rsa:2048 -sha256 -keyout private/$FQI.key \
- -out $FQI.csr -outform PEM -subj "$SUBJECT" \
+ rm private/$NAME.key
+ # Create regular rsa encrypted key
+ openssl req -new -newkey rsa:2048 -sha256 -keyout private/$NAME.key \
+ -out $NAME.csr -outform PEM -subj "$SUBJECT" \
 -passout stdin << EOF
 $PASSPHRASE
 EOF
- chmod 400 private/$FQI.key
- SIGN_IT=true
- else
- echo openssl req -newkey rsa:2048 -sha256 -keyout $FQI.key -out $FQI.csr -outform PEM -subj '"'$SUBJECT'"'
- echo chmod 400 $FQI.key
+ chmod 400 private/$NAME.key
+ else
+ openssl req -newkey rsa:2048 -sha256 -keyout private/$NAME.key -out $NAME.csr -outform PEM -subj "$SUBJECT"
+ chmod 400 $NAME.key
 echo "# All done, print result"
- echo openssl req -verify -text -noout -in $FQI.csr
+ openssl req -verify -text -noout -in $NAME.csr
 fi
 fi
-if [ "$SIGN_IT" = "true" ]; then
 # Sign it
- openssl ca -config ../openssl.conf -extensions server_cert -out $FQI.crt \
+ if [ -e $NAME.san ]; then
+ openssl ca -config ../openssl.conf -extensions server_cert -out certs/$NAME.crt \
 -cert certs/ca.crt -keyfile private/ca.key \
 -policy policy_loose \
 -days 360 \
- -infiles $FQI.csr
-fi
-
-
-
-
+ -extfile $NAME.san \
+ -infiles $NAME.csr
+ else
+ openssl ca -config ../openssl.conf -extensions server_cert -out certs/$NAME.crt \
+ -cert certs/ca.crt -keyfile private/ca.key \
+ -policy policy_loose \
+ -days 360 \
+ -infiles $NAME.csr
+ fi
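Review bot: FQI is never assigned when it is passed as `$2`: the new guard `if [ "$2" = "" ]` only reads it interactively in the empty case, and the old `FQI=$1` / `shift` lines are removed, so a non-interactive call leaves `$FQI` unset (or inherited from the caller's environment) and SUBJECT is built with an empty CN or OU; add `else` / `  FQI=$2` before the first `fi`. In the non-local branch the key is generated with `-keyout private/$NAME.key` but the mode is tightened on `$NAME.key` in the working directory, which this script never writes, so the new private key is left with whatever mode openssl created it with; change that line to `chmod 400 private/$NAME.key`, matching the -local branch. `$NAME` is taken from the caller and expanded unquoted into `rm private/$NAME.key`, `rm $NAME.san`, `cp ../san.conf $NAME.san` and the `>> $NAME.san` redirections, and the SAN values are appended verbatim as `DNS.$NUM = $D` to the openssl extension file; quote those expansions and reject a NAME or SAN that is not a plain hostname-like token before it reaches the file system or the extension file.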