authorMaciej Wejs <maciej.wejs@nokia.com>2018-08-17 13:56:31 +0200
committerMaciej Wejs <maciej.wejs@nokia.com>2018-08-17 12:01:06 +0000
commit02c1970bc985e1263a141c5ac22dee33ebae2df6 (patch)
treecb71cd546bcf3a381f95a963cf4b5600f72c55a9
parent7fa31dee0dcfc9ef37703feef1c3d573728be742 (diff)
Improvements of Certs creation scripts
Corrections and usability improvements of Certificates creation scripts located at: /aaf/authz/conf/CA Change-Id: I1b933f4eaf49e94805e5307563886049606d4103 Issue-ID: AAF-441 Signed-off-by: Maciej Wejs <maciej.wejs@nokia.com>
-rw-r--r--conf/CA/manual.sh67
-rw-r--r--conf/CA/newIntermediate.sh9
-rw-r--r--conf/CA/p12.sh16
3 files changed, 48 insertions, 44 deletions
diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
index 00a23ec8..07a1ed6a 100644
--- a/conf/CA/manual.sh
+++ b/conf/CA/manual.sh
@@ -1,84 +1,91 @@
#
# Initialize a manual Cert. This is NOT entered in Certman Records
+# $1 - CN (Common Name)
+# $2 - FQI (Fully Qualified Identity)
+# $3-$n - SANs (Service Alias Names)
#
-echo "FQI (Fully Qualified Identity): "
-read FQI
-if [ "$1" = "" -o "$1" = "-local" ]; then
+
+if [ "$2" = "" ]; then
+ echo "FQI (Fully Qualified Identity): "
+ read FQI
+fi
+
+if [ "$1" = "" -o "$1" = "-local" ]; then
echo "Personal Certificate"
SUBJECT="/CN=$FQI/OU=V1`cat subject.aaf`"
NAME=$FQI
-else
+else
echo "Application Certificate"
SUBJECT="/CN=$1/OU=$FQI`cat subject.aaf`"
- FQDN=$1
- NAME=$FQDN
- shift
+ NAME=$1
- echo "Enter any SANS, delimited by spaces: "
- read SANS
+ if [ "$3" = "" ]; then
+ echo "Enter any SANS, delimited by spaces: "
+ read SANS
+ else
+ SANS=""
+ while [ ! "$3" = "" ]; do
+ SANS=${SANS}" "$3
+ shift
+ done
+ fi
fi
# Do SANs
if [ "$SANS" = "" ]; then
echo no SANS
- if [ -e $NAME.san ]; then
+ if [ -e $NAME.san ]; then
rm $NAME.san
fi
else
- echo some SANS
+ echo some SANS: $SANS
cp ../san.conf $NAME.san
NUM=1
- for D in $SANS; do
+ for D in $SANS; do
echo "DNS.$NUM = $D" >> $NAME.san
- NUM=$((NUM+1))
+ NUM=$((NUM+1))
done
fi
echo $SUBJECT
-if [ -e $NAME.csr ]; then
- SIGN_IT=true
-else
+if [ ! -e $NAME.csr ]; then
if [ "$1" = "-local" ]; then
echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
echo "Enter the PassPhrase for the Key for $FQI: "
`stty -echo`
read PASSPHRASE
`stty echo`
-
+
# remove any previous Private key
rm private/$NAME.key
- # Create j regaular rsa encrypted key
+ # Create regular rsa encrypted key
openssl req -new -newkey rsa:2048 -sha256 -keyout private/$NAME.key \
-out $NAME.csr -outform PEM -subj "$SUBJECT" \
-passout stdin << EOF
$PASSPHRASE
EOF
- chmod 400 private/$NAME.key
- SIGN_IT=true
- else
- echo openssl req -newkey rsa:2048 -sha256 -keyout $NAME.key -out $NAME.csr -outform PEM -subj '"'$SUBJECT'"'
- echo chmod 400 $NAME.key
+ chmod 400 private/$NAME.key
+ else
+ openssl req -newkey rsa:2048 -sha256 -keyout private/$NAME.key -out $NAME.csr -outform PEM -subj "$SUBJECT"
+ chmod 400 $NAME.key
echo "# All done, print result"
- echo openssl req -verify -text -noout -in $NAME.csr
+ openssl req -verify -text -noout -in $NAME.csr
fi
fi
-if [ "$SIGN_IT" = "true" ]; then
# Sign it
if [ -e $NAME.san ]; then
- openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+ openssl ca -config ../openssl.conf -extensions server_cert -out certs/$NAME.crt \
-cert certs/ca.crt -keyfile private/ca.key \
-policy policy_loose \
-days 360 \
-extfile $NAME.san \
-infiles $NAME.csr
- else
- openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+ else
+ openssl ca -config ../openssl.conf -extensions server_cert -out certs/$NAME.crt \
-cert certs/ca.crt -keyfile private/ca.key \
-policy policy_loose \
-days 360 \
-infiles $NAME.csr
fi
-fi
-
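Review bot: In the non-local branch the key is written to `private/$NAME.key`, but the next added line runs `chmod 400 $NAME.key`, so the private key keeps whatever mode openssl and the umask gave it and the chmod targets a file in the current directory. It should be `chmod 400 private/$NAME.key`, as in the `-local` branch. Separately, `FQI` is assigned only when `$2` is empty, so a call that passes the FQI as the new header documents leaves `$FQI` unset (unless it is already in the environment) and the application subject gets an empty OU prefix; adding `else FQI=$2` to the first `if` fixes that. `rm private/$NAME.key` would also be better as `rm -f -- "private/$NAME.key"`, since the key normally does not exist when there is no CSR.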
diff --git a/conf/CA/newIntermediate.sh b/conf/CA/newIntermediate.sh
index 303c22e1..b548dd45 100644
--- a/conf/CA/newIntermediate.sh
+++ b/conf/CA/newIntermediate.sh
@@ -41,19 +41,18 @@ echo $SUBJECT
$PASSPHRASE
EOF
- chmod 400 $DIR/private/$CN.key
+ chmod 400 $DIR/private/ca.key
openssl req -verify -text -noout -in $DIR/$CN.csr
# Sign it
openssl ca -config openssl.conf -extensions v3_intermediate_ca \
-days 1826 \
- -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
+ -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
-infiles $DIR/$CN.csr
- openssl x509 -text -noout -in $DIR/certs/ca.crt
+ openssl x509 -text -noout -in $DIR/certs/ca.crt
-
- openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt
+ openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt
# Create a Signer p12 script
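Review bot: The intermediate CA key is restricted only after openssl has written it, and only if the hard-coded name in `chmod 400 $DIR/private/ca.key` matches the `-keyout` path. That `openssl req` command sits above this hunk, which starts inside its heredoc, so the match cannot be confirmed here. Setting `umask 077` before the key is generated would create it owner-only from the start and make the chmod a backstop rather than the only protection. That would also have covered the filename mismatch this commit corrects.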
diff --git a/conf/CA/p12.sh b/conf/CA/p12.sh
index 53184e2f..23e76247 100644
--- a/conf/CA/p12.sh
+++ b/conf/CA/p12.sh
@@ -1,22 +1,20 @@
#
# Create a p12 file from local certs
#
-echo "FQI (Fully Qualified Identity): "
-read FQI
if [ "$1" = "" ]; then
- MACH=$FQI
-else
+ echo "Enter Keystore Name: "
+ read MACH
+else
MACH=$1
fi
-# Add Cert AND Intermediate CAs (Clients will have Root CAs (or not))
- cat $MACH.crt > $MACH.chain
+ # Add Cert AND Intermediate CAs (Clients will have Root CAs (or not))
+ cat certs/$MACH.crt > $MACH.chain
# Add THIS Intermediate CA into chain
- cat "certs/ca.crt" >> $MACH.chain
+ cat certs/ca.crt >> $MACH.chain
# Make a pkcs12 keystore, a jks keystore and a pem keystore
rm -f $MACH.p12
# Note: Openssl will pickup and load all Certs in the Chain file
- openssl pkcs12 -name $FQI -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12
-
+ openssl pkcs12 -name $MACH -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12
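Review bot: `$MACH.p12` bundles the private key from `private/$MACH.key` but is written to the current directory with default permissions, while the sibling scripts restrict key files with `chmod 400`. Adding `chmod 400 $MACH.p12` after the `openssl pkcs12` line (or `umask 077` at the top of the script) would keep the keystore consistent with them. `MACH` also comes straight from `$1` or `read` and is expanded unquoted in every path and in `-name $MACH`, so a name containing spaces or starting with `-` changes the command line. Quoting it, e.g. `-inkey "private/$MACH.key" -out "$MACH.p12"`, and using `read -r MACH` avoids that.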