Improved support for provided certificates (#2)
Nice, very useful - thanks for the PR!

* Improvements for provided CA cert and key
* added files for example
DennisFederico authored Jun 3, 2024
1 parent 5a62742 commit 58d251f
Showing 10 changed files with 142 additions and 13 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -98,6 +98,7 @@ schmitzi/openssl-alpine-j11:1.0.0
| PASSWD | Password for keystores / containers | changeme! |
| DAYS_CA | Validity for CA in days | 3650 |
| DAYS | Validity for certificates in days | 389 |
| CA_KEYPASSWD | Password for CA private key | |

* Please note: Only new certificates will be created in the existing directory - if a .csr file exists already, it will not be overwritten !
* How to provide an existing CA - simply put the following files in your certificate/output directory
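Review bot: the new CA_KEYPASSWD row gives no default and does not say when the variable is required; per scripts/check_ca.sh the container exits with an error when ca-root.key is encrypted and CA_KEYPASSWD is unset, so the description should read something like `Password for CA private key (required if the provided ca-root.key is encrypted)`. It is also worth stating under "How to provide an existing CA" that ca-root.crt and ca-root.key must be supplied together, since scripts/run.sh now exits when only one of them is present.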
2 changes: 2 additions & 0 deletions examples/encrypted-ca-key/README.md
@@ -0,0 +1,2 @@
An example using a provided CA cert and key encrypted with a password.
Run with `./run_test.sh` for YAML input and take a look at the resulting output in `certs/`.
25 changes: 25 additions & 0 deletions examples/encrypted-ca-key/certs/ca-root.crt
@@ -0,0 +1,25 @@
30 changes: 30 additions & 0 deletions examples/encrypted-ca-key/certs/ca-root.key
@@ -0,0 +1,30 @@
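Review bot: this commits a CA private key to the repository, and its passphrase `xyz123` sits in plain text in examples/encrypted-ca-key/run_test.sh, so the encryption offers no confidentiality and the key must be treated as public. For a throwaway example that is acceptable, but the example README should say so explicitly and tell readers to generate their own CA rather than copy this one; alternatively, let run_test.sh generate a fresh encrypted key on first run instead of shipping one.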
16 changes: 16 additions & 0 deletions examples/encrypted-ca-key/hosts.yml
@@ -0,0 +1,16 @@
global:
country: DE
org: My Org
locality: Berlin
certs:
- fileName: test
CN: me.at.home
CN_as_SAN: "false"
CA: "false"
SANs:
- name: 127.0.0.1
- name: 127.0.1.1
- name: 10.0.0.1
- CN: me.at.home
SANs:
- name: 10.0.0.2
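Review bot: the second `certs` entry has no `fileName` while the first sets `fileName: test`, and both entries share `CN: me.at.home`; if create_configs.py falls back to the CN for the output name, the two entries would write the same .cnf/.csr files and the second would silently win. Either give the second entry a distinct `fileName` or confirm that the fallback produces a different name.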
7 changes: 7 additions & 0 deletions examples/encrypted-ca-key/run_test.sh
@@ -0,0 +1,7 @@
#!/usr/bin/env bash

docker run --rm \
-e CA_KEYPASSWD=xyz123 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
-v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
-v $(pwd)/certs:/opt/certs/current \
schmitzi/openssl-alpine-j11:1.2.0
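Review bot: the two `-v $(pwd)/...` mounts are unquoted, so the example breaks when the checkout path contains spaces; use `-v "$(pwd)/hosts.yml:/opt/certs/hosts.txt"` and `-v "$(pwd)/certs:/opt/certs/current"`. Note also that values passed with `-e` are visible to anyone who can run `docker inspect` on the container; that is fine for this demo passphrase, but a one-line comment saying so would stop readers from copying the pattern for a real CA key.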
31 changes: 31 additions & 0 deletions scripts/check_ca.sh
@@ -0,0 +1,31 @@
#!/usr/bin/env bash

# Check if the provided CA Key is "encrypted" - using the first line of the ca-root.key file
first_line=$(head -n 1 /opt/certs/current/ca-root.key)

# Check if the first line contains "ENCRYPTED"
if [[ "$first_line" == *"ENCRYPTED"* ]]; then
if [[ -z "$CA_KEYPASSWD" ]]; then
echo "ERROR: The private key is encrypted. The keypass must be provided in the CA_KEYPASSWD environment variable."
exit 1
fi
fi

# Capture the modulus of the public certificate
public_modulus=$(openssl x509 -modulus -noout -in /opt/certs/current/ca-root.crt 2>/dev/null | openssl md5)

if [[ -z "$CA_KEYPASSWD" ]]; then
# Capture the modulus of the private key
private_modulus=$(openssl rsa -modulus -noout -in /opt/certs/current/ca-root.key 2>/dev/null | openssl md5)
else
# Capture the modulus of the private key (with password)
private_modulus=$(openssl rsa -modulus -noout -in /opt/certs/current/ca-root.key -passin pass:$CA_KEYPASSWD 2>/dev/null | openssl md5)
fi

# Compare the two modulis
if [ "$public_modulus" != "$private_modulus" ]; then
echo "ERROR: Provided CA certificate and key do not match!"
exit 1
fi

cat current/ca-root.crt > current/ca-root.pem
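Review bot: the encryption check only looks at the first line for `ENCRYPTED`, which matches PKCS#8 keys (`BEGIN ENCRYPTED PRIVATE KEY`) but not legacy PEM keys, whose header is `BEGIN RSA PRIVATE KEY` with the marker `Proc-Type: 4,ENCRYPTED` on the second line; such a key reaches the `openssl rsa` call without `-passin`, fails, and because stderr is discarded is reported as "certificate and key do not match" instead of "passphrase required". A more robust approach is to drop the string match and check the exit status of `openssl pkey -noout -in ... -passin ...` directly, surfacing its error text. Further points in the same script: `-passin pass:$CA_KEYPASSWD` is unquoted (a passphrase containing spaces breaks the command) and exposes the passphrase in the process list to every user on the host; `-passin env:CA_KEYPASSWD` avoids both. `openssl rsa -modulus` only works for RSA keys, so an EC CA would also be reported as a mismatch; comparing the output of `openssl x509 -pubkey -noout` with `openssl pkey -pubout` works for any key type. Finally, every other path is absolute (`/opt/certs/current/...`) but the last line uses `current/ca-root.crt`, so the script depends on the working directory; use one form throughout. Typo in the comment: `modulis` should be `moduli`.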
6 changes: 0 additions & 6 deletions scripts/gen_ca.sh
@@ -1,6 +1,5 @@
#!/usr/bin/env bash

[[ -z "${PASSWD}" ]] && echo "No keystore password PASSWD provided - using default 'changeme!'" && PASSWD="changeme!"
[[ -z "${DAYS_CA}" ]] && echo "No validity for CA (DAYS_CA) provided - using default 3650" && DAYS_CA="3650"

if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
@@ -13,11 +12,6 @@ if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
echo "############################"
echo "Created CA:"
openssl x509 -in current/ca-root.crt -text

# Create truststore
keytool -keystore current/truststore.jks -alias CARoot \
-import -file current/ca-root.crt \
-storepass ${PASSWD} -noprompt -storetype PKCS12
else
echo "Skipping CA generation as it is not required for CSR creation..."
fi
16 changes: 14 additions & 2 deletions scripts/gen_new_certs.sh
@@ -15,7 +15,12 @@ for i in ${CERTDIR}/*.cnf; do

if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
echo "Generating new certificate for'${CERTNAME}' ..."
openssl x509 -req -days ${DAYS} -in ${CERTNAME}.csr -CA ${CERTDIR}/${ROOTCA}.crt -CAkey ${CERTDIR}/${ROOTCA}.key -CAcreateserial -out ${CERTNAME}.crt -extfile ${CERTNAME}.cnf -extensions v3_req

if [[ -z CA_KEYPASSWD ]]; then
openssl x509 -req -days ${DAYS} -in ${CERTNAME}.csr -CA ${CERTDIR}/${ROOTCA}.crt -CAkey ${CERTDIR}/${ROOTCA}.key -CAcreateserial -out ${CERTNAME}.crt -extfile ${CERTNAME}.cnf -extensions v3_req
else
openssl x509 -req -days ${DAYS} -in ${CERTNAME}.csr -CA ${CERTDIR}/${ROOTCA}.crt -CAkey ${CERTDIR}/${ROOTCA}.key -CAcreateserial -out ${CERTNAME}.crt -extfile ${CERTNAME}.cnf -extensions v3_req -passin pass:${CA_KEYPASSWD}
fi

# show certificate
echo
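Review bot: `if [[ -z CA_KEYPASSWD ]]` is missing the `$`, so the test is on the literal string `CA_KEYPASSWD`, which is never empty; the condition is always false and the else branch runs every time, passing `-passin pass:` with an empty value when no passphrase is set. It should be `if [[ -z "${CA_KEYPASSWD}" ]]; then`. The bug is invisible in the examples only because openssl ignores a supplied passphrase when the key is unencrypted. Since the two branches differ only in the trailing `-passin`, consider a single invocation that appends `-passin env:CA_KEYPASSWD` when the variable is set, which also keeps the passphrase out of the process list; the `pass:${CA_KEYPASSWD}` form shows it to any user running `ps`. Minor: the message `for'${CERTNAME}'` is missing a space before the quote.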
@@ -38,5 +43,12 @@ for i in ${CERTDIR}/*.cnf; do
-noprompt \
-srcstorepass ${PASSWD}
fi

done

if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
echo "Creating truststore..."
# Create truststore
keytool -keystore current/truststore.jks -alias CARoot \
-import -file current/ca-root.crt \
-storepass ${PASSWD} -noprompt -storetype PKCS12
fi
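Review bot: this block used to run only when gen_ca.sh generated a fresh CA; now it runs on every non-CSR run, and `keytool -import` fails with "alias <CARoot> already exists" when current/truststore.jks is left over from a previous run. With `-noprompt` there is no way to recover, so the second run against a reused certs directory (the re-use case the README advertises) aborts here. Guard it with `[[ -e current/truststore.jks ]] || keytool ...` or remove the stale truststore before importing. Also, the file is named `.jks` but created with `-storetype PKCS12`; naming it `truststore.p12` avoids confusion for consumers that infer the store type from the extension.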
21 changes: 16 additions & 5 deletions scripts/run.sh
@@ -9,11 +9,22 @@ fi
echo "Creating certificate configurations from template..."
./create_configs.py

echo "Checking for existing root CA and creating one otherwise..."
if [ -e /opt/certs/current/ca-root.crt ] ; then
echo "Re-using CA that was provided !"
else
./gen_ca.sh
if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
if [ -e /opt/certs/current/ca-root.crt ] && [ -e /opt/certs/current/ca-root.key ]; then
echo "Re-using CA that was provided !"
./check_ca.sh
elif [ -e /opt/certs/current/ca-root.crt ] || [ -e /opt/certs/current/ca-root.key ]; then
echo "ERROR: Missing CA Cert or Key file. Please provide both or none."
exit 1
else
echo "Generating new CA..."
./gen_ca.sh
fi
fi

if [ $? -ne 0 ]; then
echo "Cannot create certificates. Check for previous errors and correct them before re-running the script"
exit 1
fi

echo "Creating certificates..."
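Review bot: the `if [ $? -ne 0 ]` after the `fi` reads the status of the whole `if` compound, which in bash is the status of the last command run in the taken branch (or 0 when no branch ran), so it does catch a failing check_ca.sh or gen_ca.sh, but only by accident of placement: any echo or other command inserted after `./gen_ca.sh` or `./check_ca.sh` would mask the failure. Make the intent explicit with `./check_ca.sh || exit 1` and `./gen_ca.sh || exit 1`. Also `-e` is true for an empty file, so a zero-byte ca-root.key left by an interrupted copy is treated as a provided key; `-s` tests for a non-empty file.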