From e6621cdd9bd7c7511cbae759d148916ff22311f0 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Wed, 27 Jun 2018 11:45:03 +0200
Subject: [PATCH] Init need CommonName for CA
---
 shellpki.sh | 54 ++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 39 insertions(+), 15 deletions(-)
diff --git a/shellpki.sh b/shellpki.sh
index 3095e1e..21d89e0 100755
--- a/shellpki.sh
+++ b/shellpki.sh
@@ -8,24 +8,48 @@ set -eu
 init() {
 umask 0177
- if [ -f "${CAKEY}" ]; then
- echo "${CAKEY} already exists, do you really want to erase it ?\n"
- echo "Press return to continue..."
- read -r REPLY
- fi
-
 [ -d "${CADIR}" ] || mkdir -m 0750 "${CADIR}"
 [ -d "${CRTDIR}" ] || mkdir -m 0750 "${CRTDIR}"
 [ -f "${INDEX}" ] || touch "${INDEX}"
+ [ -f "${CRL}" ] || touch "${CRL}"
 [ -f "${SERIAL}" ] || echo "01" > "${SERIAL}"
- "${OPENSSL}" req \
- -config "${CONFFILE}" \
- -newkey rsa:4096 -sha512 \
- -x509 -days 3650 \
- -extensions v3_ca \
- -keyout "${CAKEY}" \
- -out "${CACERT}"
+ cn="${1:-}"
+ [ -z "${cn}" ] && usage >&2 && exit 1
+
+ if [ -f "${CAKEY}" ]; then
+ printf "%s already exists, do you really want to erase it ? [y/N] " ${CAKEY}
+ read -r REPLY
+ resp=$(echo "${REPLY}"|tr 'Y' 'y')
+ [ "${resp}" = "y" ] && rm "${CAKEY}" "${CACERT}"
+ fi
+
+ [ ! -f "${CAKEY}" ] && "$OPENSSL" \
+ genrsa \
+ -out "${CAKEY}" \
+ -aes256 4096 >/dev/null 2>&1
+
+ if [ -f "${CACERT}" ]; then
+ printf "%s already exists, do you really want to erase it ? [y/N] " ${CACERT}
+ read -r REPLY
+ resp=$(echo "${REPLY}"|tr 'Y' 'y')
+ [ "${resp}" = "y" ] && rm "${CACERT}"
+ fi
+
+ [ ! -f "${CACERT}" ] && ask_ca_password 0
+
+ [ ! -f "${CACERT}" ] && CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" \
+ req \
+ -batch -sha512 \
+ -x509 -days 3650 \
+ -extensions v3_ca \
+ -key "${CAKEY}" \
+ -out "${CACERT}" \
+ -passin env:CA_PASSWORD \
+ -config /dev/stdin < [options] [CommonName] Initialize PKI (create CA key and self-signed cert) : - ${0} init + ${0} init Create a client cert with key and CSR directly generated on server (use -p for set a password on client key) :
@@ -370,7 +394,7 @@ main() {
 case "${command}" in
 init)
 shift
- init
+ init "$@"
 ;;
 create)
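Review bot: The `rm "${CAKEY}" "${CACERT}"` in the CAKEY branch aborts the whole script under `set -eu` whenever the old certificate is absent (rm is the final command of the `&&` list, so its non-zero status is fatal, and the key is already gone by then), and both `printf` prompts pass `${CAKEY}`/`${CACERT}` unquoted so a path containing spaces or glob characters is split. Use `rm -f -- "${CAKEY}" "${CACERT}"` and quote the prompt argument, `printf '%s already exists, do you really want to erase it ? [y/N] ' "${CAKEY}"` (same for the CACERT prompt). The `genrsa -aes256` invocation discards stderr with `>/dev/null 2>&1`, so a rejected or mismatched passphrase produces no diagnostic before the script exits; keep stderr visible, or at least drop the `2>&1`. Each `[ … ] && cmd` list returns 1 when its guard is false, so if such a list is the last statement of init(), `init "$@"` in main would fail under `set -e` when the CA already exists and the user declines to overwrite; the end of init() and the heredoc after `-config /dev/stdin <` are garbled in this chunk, so that cannot be confirmed here.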