From 02c1970bc985e1263a141c5ac22dee33ebae2df6 Mon Sep 17 00:00:00 2001
From: Maciej Wejs
Date: Fri, 17 Aug 2018 13:56:31 +0200
Subject: [PATCH] Improvements of Certs creation scripts
Corrections and usability improvements of Certificates creation scripts located at: /aaf/authz/conf/CA
Change-Id: I1b933f4eaf49e94805e5307563886049606d4103
Issue-ID: AAF-441
Signed-off-by: Maciej Wejs
---
 conf/CA/manual.sh | 67 +++++++++++++++++++++++++---------------------
 conf/CA/newIntermediate.sh | 9 +++----
 conf/CA/p12.sh | 16 +++++------
 3 files changed, 48 insertions(+), 44 deletions(-)
diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
index 00a23ec8..07a1ed6a 100644
--- a/conf/CA/manual.sh
+++ b/conf/CA/manual.sh
@@ -1,84 +1,91 @@ # # Initialize a manual Cert. This is NOT entered in Certman Records +# $1 - CN (Common Name) +# $2 - FQI (Fully Qualified Identity) +# $3-$n - SANs (Service Alias Names) # -echo "FQI (Fully Qualified Identity): " -read FQI -if [ "$1" = "" -o "$1" = "-local" ]; then + +if [ "$2" = "" ]; then + echo "FQI (Fully Qualified Identity): " + read FQI +fi + +if [ "$1" = "" -o "$1" = "-local" ]; then echo "Personal Certificate" SUBJECT="/CN=$FQI/OU=V1`cat subject.aaf`" NAME=$FQI -else +else echo "Application Certificate" SUBJECT="/CN=$1/OU=$FQI`cat subject.aaf`" - FQDN=$1 - NAME=$FQDN - shift + NAME=$1 - echo "Enter any SANS, delimited by spaces: " - read SANS + if [ "$3" = "" ]; then + echo "Enter any SANS, delimited by spaces: " + read SANS + else + SANS="" + while [ ! "$3" = "" ]; do + SANS=${SANS}" "$3 + shift + done + fi fi # Do SANs if [ "$SANS" = "" ]; then echo no SANS - if [ -e $NAME.san ]; then + if [ -e $NAME.san ]; then rm $NAME.san fi else - echo some SANS + echo some SANS: $SANS cp ../san.conf $NAME.san NUM=1 - for D in $SANS; do + for D in $SANS; do echo "DNS.$NUM = $D" >> $NAME.san - NUM=$((NUM+1)) + NUM=$((NUM+1)) done fi echo $SUBJECT -if [ -e $NAME.csr ]; then - SIGN_IT=true -else +if [ ! 
-e $NAME.csr ]; then if [ "$1" = "-local" ]; then echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'" echo "Enter the PassPhrase for the Key for $FQI: " `stty -echo` read PASSPHRASE `stty echo` - + # remove any previous Private key rm private/$NAME.key - # Create j regaular rsa encrypted key + # Create regular rsa encrypted key openssl req -new -newkey rsa:2048 -sha256 -keyout private/$NAME.key \ -out $NAME.csr -outform PEM -subj "$SUBJECT" \ -passout stdin << EOF $PASSPHRASE EOF - chmod 400 private/$NAME.key - SIGN_IT=true - else - echo openssl req -newkey rsa:2048 -sha256 -keyout $NAME.key -out $NAME.csr -outform PEM -subj '"'$SUBJECT'"' - echo chmod 400 $NAME.key + chmod 400 private/$NAME.key + else + openssl req -newkey rsa:2048 -sha256 -keyout private/$NAME.key -out $NAME.csr -outform PEM -subj "$SUBJECT" + chmod 400 $NAME.key echo "# All done, print result" - echo openssl req -verify -text -noout -in $NAME.csr + openssl req -verify -text -noout -in $NAME.csr fi fi -if [ "$SIGN_IT" = "true" ]; then # Sign it if [ -e $NAME.san ]; then - openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \ + openssl ca -config ../openssl.conf -extensions server_cert -out certs/$NAME.crt \ -cert certs/ca.crt -keyfile private/ca.key \ -policy policy_loose \ -days 360 \ -extfile $NAME.san \ -infiles $NAME.csr - else - openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \ + else + openssl ca -config ../openssl.conf -extensions server_cert -out certs/$NAME.crt \ -cert certs/ca.crt -keyfile private/ca.key \ -policy policy_loose \ -days 360 \ -infiles $NAME.csr fi -fi - diff --git a/conf/CA/newIntermediate.sh b/conf/CA/newIntermediate.sh index 303c22e1..b548dd45 100644 --- a/conf/CA/newIntermediate.sh +++ b/conf/CA/newIntermediate.sh 
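Review bot: When the FQI is passed as `$2` it is never assigned: the new `if [ "$2" = "" ]` block only prompts for it, so with a second argument `FQI` stays unset (unless inherited from the environment) and the subject is built with an empty identity, e.g. `/CN=$1/OU=`; add `else FQI=$2` before that `fi`. In the non-`-local` branch the key is now written to `private/$NAME.key` but the following `chmod 400 $NAME.key` still targets the old path, so the private key is left at whatever mode the umask gives and the chmod itself most likely fails on a missing file; it should read `chmod 400 private/$NAME.key`. Quoting `"$NAME"`/`"$FQI"` and using `read -r` would also stop a CN or identity containing spaces or backslashes from being split into extra openssl arguments.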
@@ -41,19 +41,18 @@ echo $SUBJECT $PASSPHRASE EOF - chmod 400 $DIR/private/$CN.key + chmod 400 $DIR/private/ca.key openssl req -verify -text -noout -in $DIR/$CN.csr # Sign it openssl ca -config openssl.conf -extensions v3_intermediate_ca \ -days 1826 \ - -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \ + -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \ -infiles $DIR/$CN.csr - openssl x509 -text -noout -in $DIR/certs/ca.crt + openssl x509 -text -noout -in $DIR/certs/ca.crt - - openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt + openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt # Create a Signer p12 script diff --git a/conf/CA/p12.sh b/conf/CA/p12.sh index 53184e2f..23e76247 100644 --- a/conf/CA/p12.sh +++ b/conf/CA/p12.sh @@ -1,22 +1,20 @@ # # Create a p12 file from local certs # -echo "FQI (Fully Qualified Identity): " -read FQI if [ "$1" = "" ]; then - MACH=$FQI -else + echo "Enter Keystore Name: " + read MACH +else MACH=$1 fi -# Add Cert AND Intermediate CAs (Clients will have Root CAs (or not)) - cat $MACH.crt > $MACH.chain + # Add Cert AND Intermediate CAs (Clients will have Root CAs (or not)) + cat certs/$MACH.crt > $MACH.chain # Add THIS Intermediate CA into chain - cat "certs/ca.crt" >> $MACH.chain + cat certs/ca.crt >> $MACH.chain # Make a pkcs12 keystore, a jks keystore and a pem keystore rm -f $MACH.p12 # Note: Openssl will pickup and load all Certs in the Chain file - openssl pkcs12 -name $FQI -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12 - + openssl pkcs12 -name $MACH -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12 -- 2.16.6
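Review bot: The corrected `chmod 400 $DIR/private/ca.key` only protects the intermediate key if the `openssl req -keyout` that produces it writes to that same path; that line is above this hunk and not visible here, so please confirm the two agree, otherwise the key stays at the umask default mode. The result of `openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt` is also not checked, so a failed chain verification falls straight through to the signer p12 creation that follows; `openssl verify -CAfile certs/ca.crt "$DIR/certs/ca.crt" || exit 1` would stop the script there. The enclosing statement run starts before this hunk.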
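Review bot: `$MACH.p12` bundles the private key from `private/$MACH.key` but is left at the umask default mode, unlike the keys this patch protects with `chmod 400`; add `chmod 400 $MACH.p12` after the `openssl pkcs12 -export` line. There is also no check that `certs/$MACH.crt` exists: if that `cat` fails the script continues and assembles a chain holding only the intermediate CA, so a guard such as `[ -f certs/$MACH.crt ] || { echo "missing certs/$MACH.crt"; exit 1; }` before the chain is built would fail fast. `read -r MACH` and quoting `"$MACH"` would keep an unusual keystore name from being word-split into extra arguments.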