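#!/bin/bash
#
# Generate a local MeeSign PKI: a self-signed EC (prime256v1) CA and a server
# certificate issued by that CA.
#
# Usage:     ./generate_keys.sh [hostname]
# Arguments: $1 - DNS name placed in the server certificate's subjectAltName
#                 (default: meesign.local); plain or wildcard DNS names only
# Outputs (in ./keys/):
#   meesign-ca-key.pem       CA private key, created with mode 0600
#   meesign-ca-cert.pem      self-signed CA certificate, valid 1461 days
#   meesign-server-key.pem   server private key, unencrypted PKCS#8, mode 0600
#   meesign-server-cert.pem  server certificate signed by the CA, valid 365 days
#   meesign-ca-cert.srl      serial-number file created by -CAcreateserial
# Requires:  openssl on PATH
set -euo pipefail

KEY_FOLDER="keys"
HOSTNAME=${1:-"meesign.local"}

# The hostname is written into an OpenSSL config file, where a newline, '=' or
# '#' would be read as config syntax rather than as part of the name. Accept
# only the DNS-name alphabet (with an optional leading wildcard label).
hostname_re='^(\*\.)?[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "${HOSTNAME}" =~ $hostname_re ]]; then
  printf 'error: invalid hostname: %s\n' "${HOSTNAME}" >&2
  exit 2
fi

# Fail early with a clear message instead of midway through key generation.
command -v openssl >/dev/null || {
  printf 'error: openssl not found in PATH\n' >&2
  exit 1
}

mkdir -p "./${KEY_FOLDER}"

# Scratch directory for the config files and the CSR. The EXIT trap removes it
# on every exit path, so a failed run leaves no half-written files in the CWD.
WORK_DIR=$(mktemp -d)
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

readonly CA_KEY="./${KEY_FOLDER}/meesign-ca-key.pem"
readonly CA_CERT="./${KEY_FOLDER}/meesign-ca-cert.pem"
readonly SERVER_KEY_EC="./${KEY_FOLDER}/meesign-server-key-ec.pem"
readonly SERVER_KEY="./${KEY_FOLDER}/meesign-server-key.pem"
readonly SERVER_CERT="./${KEY_FOLDER}/meesign-server-cert.pem"
readonly CA_CONF="${WORK_DIR}/ca-cert.conf"
readonly SERVER_CSR_CONF="${WORK_DIR}/server-csr.conf"
readonly SERVER_EXT_CONF="${WORK_DIR}/server-ext.conf"
readonly CSR="${WORK_DIR}/csr.pem"

# MeeSign CA certificate configuration
cat > "${CA_CONF}" << 'EOT'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
utf8 = yes
[req_distinguished_name]
C = CS
O = MeeSign
CN = MeeSign CA
[v3_req]
basicConstraints = critical, CA:TRUE, pathlen: 0
authorityKeyIdentifier = keyid, issuer
subjectKeyIdentifier = hash
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
EOT

# MeeSign server certificate configuration
cat > "${SERVER_CSR_CONF}" << 'EOT'
[req]
distinguished_name = req_distinguished_name
prompt = no
utf8 = yes
[req_distinguished_name]
C = CS
O = MeeSign
CN = MeeSign Server
EOT

# Standard server X509v3 extensions; the SAN carries the validated hostname.
cat > "${SERVER_EXT_CONF}" << EOT
basicConstraints = critical, CA:FALSE
authorityKeyIdentifier = keyid, issuer
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = DNS:${HOSTNAME}
EOT

# Generate MeeSign CA private key. The subshell's umask makes openssl create
# the key 0600 instead of with the caller's (usually world-readable) default.
(umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out "${CA_KEY}")

# Issue self-signed certificate for MeeSign CA
openssl req -new -x509 -key "${CA_KEY}" -out "${CA_CERT}" -days 1461 \
  -config "${CA_CONF}" -extensions v3_req

# Generate MeeSign server private key and convert it to PKCS#8; both files
# hold private key material, so both are created under umask 077.
(
  umask 077
  openssl ecparam -name prime256v1 -genkey -noout -out "${SERVER_KEY_EC}"
  openssl pkcs8 -topk8 -nocrypt -in "${SERVER_KEY_EC}" -out "${SERVER_KEY}"
)
rm -- "${SERVER_KEY_EC}"

# Create certificate signing request for MeeSign server certificate
openssl req -new -key "${SERVER_KEY}" -out "${CSR}" -config "${SERVER_CSR_CONF}"

# Sign MeeSign server certificate signing request by MeeSign CA
openssl x509 -req -days 365 -in "${CSR}" -CA "${CA_CERT}" -CAkey "${CA_KEY}" \
  -CAcreateserial -out "${SERVER_CERT}" -extfile "${SERVER_EXT_CONF}"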