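#!/usr/bin/env bash
#
# setup_root_ca - create an OpenSSL-based Root CA under $HOME/CA/<name>.
#
# Interactive. Asks for the CA name, the subject fields (C/ST/L/O/OU), the
# key type and size, and the certificate validity, then produces:
#   $HOME/CA/<name>/<name>.cnf            OpenSSL config built from ./templateroot
#   $HOME/CA/<name>/private/<name>.key    PKCS#8-encrypted private key (0400)
#   $HOME/CA/<name>/cert/<name>.cer       self-signed root certificate
#   $HOME/CA/<name>/crl/<name>.crl        initial CRL
#   $HOME/CA/<name>/data/{index.dat,serial.dat,crl_number}
#   $HOME/CA/web/{cert,crl}/              world-readable copies for publishing
#   $HOME/CA/setenv.sh                    exports ROOT_CA_NAME / ROOT_CA_PATH
#
# The config is derived from the templateroot file next to this script by
# substituting the placeholders ROOT_HOME, ROOT_NAME, COUNTRY, STATE,
# LOCATION, ORGANIZATION, ORG_UNIT and WEBLINK.
#
# Environment:
#   ROOT_CA_PASSFILE  file whose first line is the passphrase protecting the
#                     private key. Default: /etc/machine-id (kept for
#                     compatibility - see the warning in main; it is NOT a
#                     good secret). Anything that later signs with this key
#                     must use the same file.
#
# Exits non-zero with a message on stderr on any failure; it refuses to touch
# a CA directory that already exists.
set -euo pipefail

die()  { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

# ask PROMPT VAR [DEFAULT]
# Print PROMPT (no newline), read one line into VAR, falling back to DEFAULT
# when the answer is empty. -r keeps backslashes literal. Hitting EOF (a
# non-interactive run) aborts instead of continuing with empty values.
ask() {
  local prompt=$1 var=$2 default=${3-} reply
  printf '%s' "$prompt"
  read -r reply || die "input aborted"
  printf -v "$var" '%s' "${reply:-$default}"
}

# sed_escape VALUE
# Escape VALUE for the replacement side of an `s@...@...@` sed expression.
# Unescaped `\`, `&` and the `@` delimiter in user input would otherwise be
# interpreted by sed (or break the expression entirely).
sed_escape() { printf '%s\n' "$1" | sed 's/[\\&@]/\\&/g'; }

main() {
  local script_path root_ca_path ca_path template root_cnf pass_file key_file
  local root_c root_st root_l root_o root_ou web_url
  local key_type rsa_bits ec_curve mldsa validity_days
  local -a genpkey_args

  command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"
  script_path=$(dirname -- "$0")
  template=$script_path/templateroot
  [[ -r "$template" ]] || die "template not found: $template"

  # `clear` fails when there is no terminal; do not let that abort the run.
  clear 2>/dev/null || true
  echo
  echo "- This script automates the creation of OpenSSL based Root CA."
  echo "- You're only required to input some information about your CA during setup."
  echo

  ask "Enter Root CA name : " ROOT_CA_NAME
  # The name becomes a directory component, a file stem, a sed replacement
  # and a line in setenv.sh. Restrict it so it cannot escape $HOME/CA
  # ("../x", "/etc/...") or break any of the generated files.
  [[ "$ROOT_CA_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] \
    || die "CA name must start alphanumeric and contain only letters, digits, '.', '_' or '-'"

  root_ca_path=$HOME/CA
  ca_path=$root_ca_path/$ROOT_CA_NAME
  # Re-running over an existing CA would regenerate serial.dat, reset
  # crl_number to 1000 and try to overwrite the key - breaking the monotonic
  # serial/CRL-number sequence the CA has already issued against.
  if [[ -e "$ca_path" ]]; then
    die "$ca_path already exists; remove it or choose another name"
  fi

  # Passphrase for the PKCS#8-encrypted key. /etc/machine-id is the
  # historical default and is kept so existing tooling keeps working, but it
  # is a weak passphrase: typically world-readable, constant for the life of
  # the install, and not designed to be secret. Anyone who can read it can
  # decrypt the root key. Prefer a dedicated 0400 file via ROOT_CA_PASSFILE.
  pass_file=${ROOT_CA_PASSFILE:-/etc/machine-id}
  [[ -r "$pass_file" ]] || die "passphrase file not readable: $pass_file"
  if [[ "$pass_file" == /etc/machine-id ]]; then
    warn "using /etc/machine-id as the key passphrase; it is not a secret on most systems (set ROOT_CA_PASSFILE)"
  elif [[ -n "$(find "$pass_file" -perm -004 2>/dev/null)" ]]; then
    warn "$pass_file is world-readable; the CA key is only as secret as this file"
  fi

  # --- directory layout ----------------------------------------------------
  mkdir -p "$ca_path"/{private,cert,issued_certs,crl,csr,data}
  chmod 700 "$ca_path" "$ca_path/private"
  openssl rand -hex -out "$ca_path/private/.rand" 16
  chmod 600 "$ca_path/private/.rand"
  touch "$ca_path/data/index.dat"
  # 64 random bits as the starting serial, so issued serials are unpredictable.
  openssl rand -hex -out "$ca_path/data/serial.dat" 8
  echo "1000" > "$ca_path/data/crl_number"
  chmod 600 "$ca_path/data/"*
  echo "Directories and files for $ROOT_CA_NAME setup successfully."
  echo "---------------------------------------------------------------------"
  echo

  # --- OpenSSL configuration -----------------------------------------------
  root_cnf=$ca_path/$ROOT_CA_NAME.cnf
  cp -- "$template" "$root_cnf"
  echo "Preparing configuration file for $ROOT_CA_NAME"
  ask "Country (C) : "      root_c
  ask "State (ST) : "       root_st
  ask "Location (L) : "     root_l
  ask "Organization (O) : " root_o
  ask "Org. Unit (OU) : "   root_ou
  # WEBLINK receives the bare hostname. If the template uses it to build
  # CRL/AIA URLs, clients need that name to resolve (usually an FQDN).
  web_url=$(hostname)
  # Same order and semantics as before: each expression replaces the first
  # occurrence per line, and ROOT_NAME is applied twice (presumably the
  # template has it more than once on a line). Values are escaped so user
  # input cannot alter the sed program.
  sed -i \
    -e "s@ROOT_HOME@$(sed_escape "$ca_path")@" \
    -e "s@ROOT_NAME@$(sed_escape "$ROOT_CA_NAME")@" \
    -e "s@COUNTRY@$(sed_escape "$root_c")@" \
    -e "s@STATE@$(sed_escape "$root_st")@" \
    -e "s@LOCATION@$(sed_escape "$root_l")@" \
    -e "s@ORGANIZATION@$(sed_escape "$root_o")@" \
    -e "s@ORG_UNIT@$(sed_escape "$root_ou")@" \
    -e "s@ROOT_NAME@$(sed_escape "$ROOT_CA_NAME")@" \
    -e "s@WEBLINK@$(sed_escape "$web_url")@" \
    "$root_cnf"
  echo "Configuration file for $ROOT_CA_NAME ready."
  echo "---------------------------------------------------------------------"
  echo

  # --- private key ---------------------------------------------------------
  echo "Select key type."
  echo "(1) for RSA. (default)"
  echo "(2) for ECDSA."
  echo "(3) for MLDSA."
  ask "Key Type : " key_type 1
  key_file=$ca_path/private/$ROOT_CA_NAME.key
  case "$key_type" in
    1)
      ask "Key size (default 2048) : " rsa_bits 2048
      # 2048 is the floor, as before. For a root expected to outlive 2030,
      # 3072 or more is the commonly recommended size.
      if ! [[ "$rsa_bits" =~ ^[0-9]+$ ]] || (( rsa_bits < 2048 )); then
        rsa_bits=2048
      fi
      genpkey_args=(-algorithm rsa -pkeyopt "rsa_keygen_bits:$rsa_bits" -quiet)
      ;;
    2)
      ask "ECDSA Curve (default secp384r1) : " ec_curve secp384r1
      # An unknown curve is rejected by openssl itself and aborts below.
      genpkey_args=(-algorithm ec -pkeyopt "ec_paramgen_curve:$ec_curve")
      ;;
    3)
      echo " - MLDSA44 (default)"
      echo " - MLDSA65"
      echo " - MLDSA87"
      ask " MLDSA size : " mldsa MLDSA44
      case "$mldsa" in
        MLDSA44|MLDSA65|MLDSA87) ;;
        *) die "unknown ML-DSA parameter set: $mldsa" ;;
      esac
      genpkey_args=(-algorithm "$mldsa" -quiet)
      ;;
    *)
      die "unknown key type: $key_type"
      ;;
  esac
  # The plaintext key exists only on the pipe; it reaches disk already
  # PKCS#8-encrypted. umask 077 in the subshell closes the window between
  # file creation and the chmod 400 below.
  (
    umask 077
    openssl genpkey "${genpkey_args[@]}" \
      | openssl pkcs8 -topk8 -passout "file:$pass_file" -out "$key_file"
  ) || die "private key generation failed"
  chmod 400 "$key_file"
  echo "Private key for $ROOT_CA_NAME generated successfully."
  echo "---------------------------------------------------------------------"
  echo

  # --- self-signed certificate and initial CRL -----------------------------
  ask "Certificate validity (days, default 3650) : " validity_days 3650
  [[ "$validity_days" =~ ^[1-9][0-9]*$ ]] \
    || die "validity must be a positive number of days: $validity_days"
  openssl req -config "$root_cnf" -key "$key_file" -passin "file:$pass_file" \
    -new -x509 -extensions root_ca -days "$validity_days" \
    -out "$ca_path/cert/$ROOT_CA_NAME.cer" \
    || die "root certificate generation failed"
  chmod 444 "$ca_path/cert/$ROOT_CA_NAME.cer"
  openssl ca -gencrl -config "$root_cnf" -passin "file:$pass_file" \
    -out "$ca_path/crl/$ROOT_CA_NAME.crl" \
    || die "CRL generation failed"

  # --- environment file ----------------------------------------------------
  printf '\n\n\n'
  echo "-----------------------------------------------------------"
  echo "Don't forget to export these environment variables."
  echo "export ROOT_CA_NAME=$ROOT_CA_NAME"
  echo "export ROOT_CA_PATH=$ca_path"
  echo
  echo "or execute 'source $root_ca_path/setenv.sh'"
  # Appended, as before, so earlier CAs' entries survive; the last one wins
  # when the file is sourced. %q keeps a path with spaces valid shell.
  {
    printf 'export ROOT_CA_NAME=%q\n' "$ROOT_CA_NAME"
    printf 'export ROOT_CA_PATH=%q\n' "$ca_path"
  } >> "$root_ca_path/setenv.sh"
  chmod 700 "$root_ca_path/setenv.sh"
  echo "-----------------------------------------------------------"
  echo "ROOT CA : [$ROOT_CA_NAME] setup successfully."

  # --- publishable copies (certificate and CRL only, never the key) --------
  mkdir -p "$root_ca_path"/web/{cert,crl}
  chmod -R 755 "$root_ca_path/web"
  cp -- "$ca_path/cert/$ROOT_CA_NAME.cer" "$root_ca_path/web/cert/"
  chmod 444 "$root_ca_path/web/cert/$ROOT_CA_NAME.cer"
  cp -- "$ca_path/crl/$ROOT_CA_NAME.crl" "$root_ca_path/web/crl/"
  chmod 444 "$root_ca_path/web/crl/$ROOT_CA_NAME.crl"
  printf '\n\n'
}

main "$@"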