-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathmake-simple-client-cert.sh
More file actions
executable file
·54 lines (42 loc) · 1.26 KB
/
make-simple-client-cert.sh
File metadata and controls
executable file
·54 lines (42 loc) · 1.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#!/bin/sh
# the simple-client cert is different in that
# . it is signed with the root CA cert
. ./common.sh
if [ ! -e cadir/private/capw.dat ]
then
echo Need the root CA
exit 1
fi
rm -f simple-client.crt simple-client.key
arg=$1
if [ "X$arg" = "X-k" ]
then
cpass=`openssl rand -hex 10`
reqarg="-passout pass:$cpass"
pkcs8arg="-passin pass:$cpass -passout pass:$cpass"
echo Using password $cpass
else
reqarg="-nodes"
pkcs8arg="-passout pass:"
fi
# get the root CA certificate
cp cadir/cacert.pem root.crt
# we'll sign this with the root CA
capw=`cat cadir/private/capw.dat`
# this will be the CN of the certificate
user=${CERTUSER:-"my_user"}
# generate the CSR
openssl req -new $reqarg -text -days 365 -out simple-client.csr \
-keyout simple-client.key -subj "$SUBJ/CN=$user" >/dev/null 2>&1
# protect the key
chmod og-rwx client.key
# sign the CSR, generating the certificate
openssl ca -in simple-client.csr \
-config cadir/openssl.cnf \
-cert cadir/cacert.pem -keyfile cadir/private/cakey.pem \
-passin pass:$capw -out simple-client.crt -batch >/dev/null 2>&1
# remove the CSR
rm simple-client.csr
# generate the PKCS#8 version of the client key for jdbc use
openssl pkcs8 -topk8 $pkcs8arg -inform PEM -in client.key \
-outform DER -out simple-client.pk8