path: root/src/script/signssl.sh
blob: 1c818df5b4516e2d6a138233959cafd0e5843abc (plain)
#!/bin/bash

type_name=$1
name=$2

# The positional layout depends on the type: -caroot takes only the CSR
# triple in $3..$5, every other type takes the CA triple first ($3..$5)
# followed by the CSR triple ($6..$8).
case "$type_name" in
    -caroot)
        csrfrom=$3
        csrname=$4
        csrkey=$5
        ;;
    *)
        cafrom=$3
        caname=$4
        cakey=$5

        csrfrom=$6
        csrname=$7
        csrkey=$8
        ;;
esac

# Subject-alternative-name stem; only consumed by the -entity path.
san_nam=$9

# Route Ctrl-C (SIGINT, signal 2) to the interactive handler defined below.
trap do_signal INT
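do_signal()
{
    # SIGINT handler (installed by the `trap` at the top of the script).
    # Prints a newline (the original `echo "\n"` emitted a literal backslash-n
    # under bash) and asks whether to stop; the original read the answer and
    # ignored it, so the script resumed after the interrupted step no matter
    # what was typed. Answering y/Y now exits with 130 (128 + SIGINT).
    # Partially written output directories are left in place on abort.
    local input
    printf '\n'
    read -r -p "Terminate the process? (y/n): " input
    if [[ "$input" =~ ^[Yy]$ ]]; then
        exit 130
    fi
}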

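do_clear()
{
    # Remove the scratch CA database and, when the preceding step failed, the
    # half-built output directory for the certificate being produced.
    # Arguments:
    #   $1 - exit status of the preceding openssl step (0 = success)
    #   $2 - certificate name (the per-cert output sub-directory)
    # Side effects: ./demoCA is always deleted, which discards index.txt and
    #   serial, so each run of the script starts again at serial 0001 (see
    #   do_mkdir). Reissuing serials under the same CA is worth knowing about
    #   if the certificates are ever revoked or audited.
    # Exits with $1 when it is non-zero (the original called a bare `exit`,
    # whose status was that of the last directory test, not the failure);
    # returns 0 otherwise.
    local status=${1:-0}
    local cert=$2
    local dir

    if [[ -d ./demoCA ]]; then
        rm -rf ./demoCA
    fi

    if (( status != 0 )); then
        for dir in ./ca-middle ./entity ./caroot ./csr; do
            # ${cert:?} aborts instead of expanding to "./csr/" and wiping
            # every certificate under it when the name is empty.
            if [[ -d "$dir/${cert:?cert name required}" ]]; then
                rm -rf -- "$dir/${cert:?}"
            fi
        done
        exit "$status"
    fi
    return 0
}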

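do_help()
{
    # Print the usage text to stdout (as the original did) and exit 0.
    # The script reads positional arguments; the "-cafrom" and "-csrfrom"
    # words are literal markers occupying $3 and $6, not parsed options.
    # A quoted heredoc replaces the original echo lines, whose nested double
    # quotes ended the string early and dropped the quotation marks from the
    # output; a few typos in the text are corrected.
    cat <<'EOF'

./signssl -type cert_name -cafrom ca_name key_name -csr csr_name csr_key -san san_nam
usage: ./signssl args
  -type                       - input type      "-csr -caroot -camiddle -entity"
  cert_name                   - input cert_name "input output cert name"
  -cafrom ca_name keyname     - input ca_name keyname "input the root cert name and key"
  -csrfrom csr_name csr_key   - input csr_name csr_key "input cert signs request file name and key"
  san_name                    - input san_name  "When it is an entity cert, input user alternate name"

example -csr
./signssl.sh -csr csr_name
example -caroot
./signssl.sh -caroot root_name
example -camiddle
./signssl.sh -camiddle middle_name -cafrom ../cert/mesalab-ca-cert.cer ../cert/mesalab-ca-cert.key -csrfrom ./csr/csrname/csrname.csr ./csr/csrname/csrname.key
example -entity
./signssl.sh -entity entity_name -cafrom ../cert/mesalab-ca-cert.cer ../cert/mesalab-ca-cert.key -csrfrom ./csr/csrname/csrname.csr ./csr/csrname/csrname.key  163

EOF
    exit 0
}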

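do_mkdir()
{
    # Create the scratch CA database that `openssl ca` expects under its
    # default directory ./demoCA: newcerts/, an empty index.txt and a serial
    # file starting at 0001. An existing ./demoCA is left untouched.
    # Returns non-zero if the directories cannot be created (the original
    # carried on and let the later openssl step fail instead).
    # Note: do_clear deletes ./demoCA after every run, so the serial counter
    # restarts at 0001 each time the script is used.
    if [[ -d ./demoCA ]]; then
        return 0
    fi
    mkdir -p ./demoCA/newcerts || return
    : > ./demoCA/index.txt
    printf '0001\n' > ./demoCA/serial
}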

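_usage_error()
{
    # Print $1 to stderr, show the help text, and exit 2.
    # do_help exits the shell itself (status 0), so it runs in a subshell
    # here; otherwise a usage error would report success to the caller.
    printf '%s\n' "$1" >&2
    ( do_help )
    exit 2
}

do_check()
{
    # Validate the positional arguments parsed at the top of the script for
    # the selected certificate type.
    # Globals read: type_name name cafrom caname cakey csrfrom csrname csrkey
    #               san_nam
    # Returns 0 when the arguments are sufficient; otherwise prints a message
    # and the help text and exits with status 2. Unrecognised types are
    # rejected here, before do_mkdir creates ./demoCA for nothing.
    if [[ -z "$type_name" || -z "$name" ]]; then
        _usage_error "cert type is unknown!"
    fi

    case "$type_name" in
        -csr|-caroot)
            # These generate their own key/CSR and need no CA or CSR inputs.
            return 0
            ;;
        -camiddle|-entity)
            ;;
        *)
            _usage_error "unknown cert type: $type_name"
            ;;
    esac

    if [[ -z "$csrfrom" || -z "$csrname" || -z "$csrkey" ]]; then
        _usage_error "input cert signs request file name and key"
    fi

    if [[ -z "$cafrom" || -z "$caname" || -z "$cakey" ]]; then
        _usage_error "input certificate name or key is unknown!"
    fi

    if [[ "$type_name" == "-entity" && -z "$san_nam" ]]; then
        _usage_error "Please enter the san name!"
    fi
    return 0
}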

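do_middle()
{
    # Sign an intermediate-CA certificate for the CSR with the given CA, then
    # bundle certificate, key and chain into a PKCS#12 file and copy the CSR
    # key next to them.
    # Globals read: name csrname csrkey caname cakey
    # Globals written: outpath
    # Outputs: ca-middle/<name>/<name>.cer, <name>.p12 and a copy of csrkey.
    # Each openssl step is checked individually; the original only looked at
    # the status of the final pkcs12 export, so a failed `openssl ca` was not
    # noticed. A failing step is passed to do_clear, which removes the partial
    # output directory and exits with that status.
    outpath=ca-middle/${name}
    mkdir -p -- "$outpath" || do_clear $? "$name"

    # v3_ca marks the issued certificate as a CA; policy_anything relaxes the
    # subject-DN matching against the issuer (all fields optional in the
    # stock openssl.cnf policy of that name).
    openssl ca -extensions v3_ca -in "$csrname" -out "${outpath}/${name}.cer" \
        -cert "$caname" -keyfile "$cakey" -days 365 -policy policy_anything \
        || do_clear $? "$name"

    # No -passout is given, so openssl prompts for the export password.
    openssl pkcs12 -export -in "${outpath}/${name}.cer" -inkey "$csrkey" \
        -chain -CAfile "$caname" -out "${outpath}/${name}.p12" \
        || do_clear $? "$name"

    do_clear 0 "$name"
    # Keys produced by do_csr are written unencrypted (genrsa with no cipher
    # option), so this copy should live in a directory with restricted access.
    cp -- "$csrkey" "$outpath"
}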

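do_entity()
{
    # Issue an end-entity certificate for the CSR, signed by the given CA,
    # with a subjectAltName derived from san_nam; then bundle it into PKCS#12
    # and copy the CSR key next to it.
    # Globals read: name csrname csrkey caname cakey san_nam
    # Globals written: outpath
    # Outputs: entity/<name>/<name>.cer, <name>.p12 and a copy of csrkey.
    # Every openssl step is checked; a failure goes to do_clear, which removes
    # the partial output and exits with that status.
    local cnf=/etc/pki/tls/openssl.cnf   # RHEL-family location of the system config

    # san_nam is spliced into the openssl config text below, so it is limited
    # to hostname characters: a value with newlines, commas or '%' would
    # otherwise add further SAN entries or config lines (the original passed
    # it inside the printf format string).
    if [[ ! "$san_nam" =~ ^[A-Za-z0-9.-]+$ ]]; then
        printf 'invalid san name: %s\n' "$san_nam" >&2
        do_clear 1 "$name"
    fi

    outpath=entity/${name}
    mkdir -p -- "$outpath" || do_clear $? "$name"

    # The SAN section is appended to a copy of the system config via process
    # substitution. Both names are wildcards, so the certificate is valid for
    # every subdomain of <san_nam>.com and <san_nam>.cn.
    openssl ca -in "$csrname" -keyfile "$cakey" -cert "$caname" -extensions SAN \
        -config <(cat "$cnf" <(printf '[SAN]\nsubjectAltName=DNS:*.%s.com,DNS:*.%s.cn\n' "$san_nam" "$san_nam")) \
        -out "${outpath}/${name}.cer" || do_clear $? "$name"

    # No -passout is given, so openssl prompts for the export password.
    openssl pkcs12 -export -in "${outpath}/${name}.cer" -inkey "$csrkey" \
        -chain -CAfile "$caname" -out "${outpath}/${name}.p12" \
        || do_clear $? "$name"

    do_clear 0 "$name"
    # Keys produced by do_csr are written unencrypted (genrsa with no cipher
    # option), so this copy should live in a directory with restricted access.
    cp -- "$csrkey" "$outpath"
}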

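do_caroot()
{
    # Create a self-signed root CA: an RSA key, a CSR (`openssl req` prompts
    # for the subject fields), and a v3_ca certificate signed with that key.
    # Globals read: name
    # Globals written: outpath
    # Environment: KEY_BITS (default 2048) sets the RSA key size. The original
    #   hard-coded 1024 bits, which is below current minimums for a CA key.
    # Outputs: caroot/<name>/<name>.key, <name>.csr and <name>.cer
    # Each openssl step is checked; a failure goes to do_clear, which removes
    # the partial output and exits with that status. (The original tested
    # ".caroot/<name>" — missing slash — before mkdir -p, harmless but wrong.)
    local key_bits=${KEY_BITS:-2048}
    local cnf=/etc/pki/tls/openssl.cnf   # RHEL-family location of the system config
    outpath=caroot/${name}
    mkdir -p -- "$outpath" || do_clear $? "$name"

    # No cipher option is given, so the root key is written unencrypted.
    openssl genrsa -out "${outpath}/${name}.key" "$key_bits" || do_clear $? "$name"
    openssl req -new -key "${outpath}/${name}.key" -out "${outpath}/${name}.csr" \
        || do_clear $? "$name"
    openssl x509 -req -days 365 -sha256 -extfile "$cnf" -extensions v3_ca \
        -signkey "${outpath}/${name}.key" -in "${outpath}/${name}.csr" \
        -out "${outpath}/${name}.cer" || do_clear $? "$name"
    #openssl req -new -x509 -key ca.key -out ca.crt
    do_clear 0 "$name"
}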

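do_csr()
{
    # Generate a fresh RSA key and a certificate signing request for <name>
    # (`openssl req` prompts interactively for the subject fields).
    # Globals read: name
    # Globals written: outpath
    # Environment: KEY_BITS (default 2048) sets the RSA key size. The original
    #   hard-coded 1024 bits, which is below current minimums.
    # Outputs: csr/<name>/<name>.key and <name>.csr
    # Each openssl step is checked; a failure goes to do_clear, which removes
    # the partial output and exits with that status.
    local key_bits=${KEY_BITS:-2048}
    outpath=csr/${name}
    mkdir -p -- "$outpath" || do_clear $? "$name"

    # No cipher option is given, so the key file is written unencrypted.
    openssl genrsa -out "${outpath}/${name}.key" "$key_bits" || do_clear $? "$name"
    openssl req -new -key "${outpath}/${name}.key" -out "${outpath}/${name}.csr" \
        || do_clear $? "$name"
    do_clear 0 "$name"
}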

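do_signssl()
{
    # Dispatch on the certificate type and exit once the handler returns
    # (each recognised type exited the script here in the original too).
    # Globals read: type_name
    # Returns 1, after a message on stderr, for an unrecognised type; the
    # original printed "unknow command" to stdout and returned 0, so the
    # script reported success for a bad command.
    case "$type_name" in
        -camiddle) do_middle ;;
        -entity)   do_entity ;;
        -caroot)   do_caroot ;;
        -csr)      do_csr ;;
        *)
            printf 'unknown command: %s\n' "$type_name" >&2
            return 1
            ;;
    esac
    exit
}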

main()
{
    # Validate the arguments, prepare the scratch CA database, then dispatch
    # on the certificate type (each handler exits the script itself).
    do_check
    do_mkdir
    do_signssl
}
main "$@"