#!/bin/bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Derek Moore <[email protected]>
# Christian Göttsche <[email protected]>
# Binaries copied during install
#
# Each list is one name per line inside a multi-line string (leading and
# trailing newline included). The *_ROOT lists are presumably installed for
# a root CA and the *_SIGN lists for a signing CA (inferred from the names;
# the installing scripts are not in this file).
BINARIES_ROOT="
create-signing-ca
create-server
create-client
sign-csr
revoke-cert
functions
show-status
gen-html
renew-cert
"
TEMPLATES_ROOT="
client.tpl
server.tpl
signing.tpl
root_index.tpl
sign_index.tpl
"
BINARIES_SIGN="
create-server
create-client
sign-csr
revoke-cert
functions
show-status
gen-html
renew-cert
"
TEMPLATES_SIGN="
client.tpl
server.tpl
sign_index.tpl
"
export BINARIES_ROOT TEMPLATES_ROOT BINARIES_SIGN TEMPLATES_SIGN
# Output highlighting
#
# The values hold the literal characters "\033[...m"; they are turned into
# ANSI colour escapes only when printed with `echo -e` (as the functions
# below do).
NOTE='\033[35;1m[*]\033[0m'     # magenta [*] — informational
SUCC='\033[32;1m[!]\033[0m'     # green   [!] — success
INPUT='\033[36;1m[>]\033[0m'    # cyan    [>] — prompt for input
ERR='\033[31;1m[!]\033[0m'      # red     [!] — error
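##
## fullpath PATH
##
## Prints the absolute path of PATH (directory part resolved through cd,
## so the directory must exist). Note that this changes the current
## directory of the calling shell; call it as "$(fullpath ...)".
## Exits with status 2 if the directory part cannot be entered.
##
fullpath() {
  local dir
  dir=$(dirname -- "$1")
  # "--" keeps a path starting with "-" from being read as an option;
  # cd can print to stdout when CDPATH is set, so keep that out of the result.
  cd -- "${dir}" >/dev/null || exit 2
  # Strip a trailing "/" from PWD so a top-level path prints as "/x", not "//x".
  printf '%s/%s\n' "${PWD%/}" "$(basename -- "$1")"
}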
##
## template TEMPLATE_FILE DESTINATION_FILE
##
## Performs variable interpolation on TEMPLATE_FILE and copies
## the result to DESTINATION_FILE. All strings in TEMPLATE_FILE
## that match {{CA_*}} will be replaced with the contents of the
## environment variable with the same name.
##
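template() {
  local script="" var esc
  for var in ${!CA_*}; do
    # Escape the characters that are special in the generated sed command
    # ('\', the '#' delimiter and '&'). Without this a value containing '#'
    # would end the s-command and the remainder would be parsed as further
    # sed commands, and '&' would be replaced by the matched text.
    # Values are expected to be single-line (they come from `read -r`).
    esc=$(printf '%s' "${!var}" | sed -e 's/[\\#&]/\\&/g')
    # [[:space:]] instead of the GNU-only \s so BSD sed works too.
    script="${script}s#{{[[:space:]]*${var}[[:space:]]*}}#${esc}#g; "
  done
  sed -e "${script}" < "$1" > "$2"
}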
##
## init_ca_home CA_PATH
##
## Initializes a CA directory skeleton at CA_PATH
##
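init_ca_home() {
  # Deliberately global (not local): the other tools presumably read
  # CA_HOME after this call — confirm against the callers.
  CA_HOME="$1"
  local subdir

  # Ensure we're initializing an empty directory
  if [ -d "${CA_HOME}" ]; then
    echo -e "$ERR Directory '${CA_HOME}' already exists, exiting."
    exit 1
  fi
  if ! mkdir -p -- "${CA_HOME}"; then
    echo -e "$ERR Unable to create directory '${CA_HOME}', exiting."
    exit 1
  fi

  echo -e "$NOTE Initializing CA home"

  # Create top-level CA structure. Parents are listed before children, and
  # every mkdir is checked so a half-built skeleton is reported rather than
  # silently carried on with.
  for subdir in ca ca/archive ca/crl ca/db ca/private bin certs certs/clients certs/server; do
    if ! mkdir -- "${CA_HOME}/${subdir}"; then
      echo -e "$ERR Unable to create directory '${CA_HOME}/${subdir}', exiting."
      exit 1
    fi
  done
  # ca/private is, by its name, where CA key material is expected to land;
  # make it owner-only regardless of the caller's umask.
  chmod 700 -- "${CA_HOME}/ca/private"

  # Create empty databases and serial counters
  touch -- "${CA_HOME}/ca/db/certificate.db" "${CA_HOME}/ca/db/certificate.db.attr"
  echo 01 > "${CA_HOME}/ca/db/crt.srl"
  echo 01 > "${CA_HOME}/ca/db/crl.srl"
}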
##
## generate_conf CONF
##
## Generate the ca.conf for new root and signing CAs
##
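##
## _conf_quote VALUE
##
## Prints VALUE escaped for use inside a double-quoted shell string:
## backslash, double quote, dollar and backtick get a leading backslash.
## Needed because the generated ca.conf is shell syntax (CA_X="...") and
## is presumably sourced by the other tools; an unescaped '"' would break
## the file and an unescaped '$' or '`' would be expanded on load.
##
_conf_quote() {
  printf '%s' "$1" | sed -e 's/[\\"$`]/\\&/g'
}

##
## _ask_default VAR PROMPT
##
## Prints "$INPUT PROMPT [current value of VAR]: ", reads one line and,
## if the answer is non-empty, stores it in the variable named VAR.
## An empty answer keeps the current value.
##
_ask_default() {
  local var="$1" prompt="$2" answer
  echo -e -n "$INPUT ${prompt} [${!var}]: "
  read -r answer
  if [ -n "${answer}" ]; then
    printf -v "${var}" '%s' "${answer}"
  fi
}

generate_conf() {
  # DEST is kept global as in the original; callers may read it.
  DEST="$1"
  local answer name

  echo -e -n "$INPUT Short label for new CA [${CA_NAME}]: "
  read -r answer
  if [ -n "${answer}" ]; then
    # The label ends up in paths and the CRL URL: keep only [A-Za-z0-9-].
    CA_NAME=${answer//[!A-Za-z0-9-]/-}
  fi

  echo -e -n "$INPUT Domain name for new CA [${CA_DOMAIN}]: "
  read -r answer
  if [ -n "${answer}" ]; then
    CA_DOMAIN="${answer}"
  elif [ -z "${CA_DOMAIN}" ]; then
    echo -e "$ERR Domain is required."
    exit 1
  fi

  echo
  echo -e "$SUCC CRL URL will be 'https://${CA_DOMAIN}/ca/${CA_NAME}/${CA_NAME}.crl'"
  echo

  _ask_default CA_CERT_C  "Default country code for new certificates"
  _ask_default CA_CERT_ST "Default state for new certificates"
  _ask_default CA_CERT_L  "Default city for new certificates"
  _ask_default CA_CERT_O  "Default organization for new certificates"
  _ask_default CA_CERT_OU "Default organization unit for new certificates"

  echo

  # Same line order as the original heredoc; values are escaped so the
  # file round-trips when sourced. Unset variables are written as "".
  for name in CA_DOMAIN CA_NAME CA_CERT_C CA_CERT_ST CA_CERT_L CA_CERT_O CA_CERT_OU \
              CA_KEY_ALG CA_KEY_LENGTH_ROOTCA CA_KEY_LENGTH_SIGNCA CA_KEY_LENGTH_ENDCRT; do
    printf '%s="%s"\n' "${name}" "$(_conf_quote "${!name}")"
  done > "${DEST}"
}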
##
## ask_server_cert_questions
##
## Ask questions to fill a server certificate
##
ask_server_cert_questions() {
  # Only city and organizational unit are asked for; the country, state and
  # organization prompts are commented out in the original version of this
  # function (presumably those come from the CA defaults — confirm).
  # An empty answer keeps the current CA_CERT_* value.
  echo -e -n "$INPUT City for new certificates [${CA_CERT_L}]: "
  read -r CERT_L
  case "${CERT_L}" in
    '') ;;
    *) CA_CERT_L="${CERT_L}" ;;
  esac

  echo -e -n "$INPUT Organization unit for new certificates [${CA_CERT_OU}]: "
  read -r CERT_OU
  case "${CERT_OU}" in
    '') ;;
    *) CA_CERT_OU="${CERT_OU}" ;;
  esac
}
##
## ask_client_cert_questions
##
## Ask questions to fill a client certificate
##
ask_client_cert_questions() {
  # City and organizational unit are optional (empty keeps the CA default);
  # the e-mail address is mandatory. The country, state and organization
  # prompts are commented out in the original version of this function.
  echo -e -n "$INPUT City for new certificates [${CA_CERT_L}]: "
  read -r CERT_L
  case "${CERT_L}" in
    '') ;;
    *) CA_CERT_L="${CERT_L}" ;;
  esac

  echo -e -n "$INPUT Organization unit for new certificates [${CA_CERT_OU}]: "
  read -r CERT_OU
  case "${CERT_OU}" in
    '') ;;
    *) CA_CERT_OU="${CERT_OU}" ;;
  esac

  echo -e -n "$INPUT Email Address (name@fqdn) for new certificates [${CA_CERT_MAIL}]: "
  read -r CERT_MAIL
  case "${CERT_MAIL}" in
    '')
      # No fallback to a default here: an empty answer aborts the run.
      echo -e "$ERR No email address supplied, exiting."
      exit 1
      ;;
    *) CA_CERT_MAIL="${CERT_MAIL}" ;;
  esac
}