# Banner. Printed with the builtin echo: the colourised `echo` wrapper
# below has not been defined yet at this point of the script.
printf '%s\n' "***************** Certs creation *************************"
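#######################################
# Shadow the builtin echo so that every progress line printed by this
# script comes out in bright yellow. Defined after the banner above, so
# the very first line of the script still used the builtin.
# Arguments: the message; all arguments are joined with a space (the
#            original printed only $1, so single-argument callers are
#            unaffected). Backslash escapes such as \n or \t are
#            interpreted, as with printf %b.
# Outputs:   the coloured message followed by a newline, on stdout
# Returns:   the status of printf
#######################################
echo() {
  local -r color=$'\e[93m'
  local -r reset=$'\e[0m'
  # Constant format string: the escape codes are plain %s arguments and
  # the message is a %b argument, so nothing from the caller ever becomes
  # part of the printf format.
  printf '%s%b%s\n' "$color" "$*" "$reset"
}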
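# Fail fast: every openssl step below consumes the output of the previous
# one, so a failed call must stop the run instead of leaving a partial and
# misleading set of certificates behind.
set -euo pipefail

command -v openssl >/dev/null 2>&1 || { printf 'openssl not found in PATH\n' >&2; exit 1; }

# Exported so that tools started from this script see the same values.
export CERT_FOLDER="$(pwd)/certs"
export DOMAIN="example.com"

mkdir -p -- "$CERT_FOLDER"
# Wipe any previous run. ${CERT_FOLDER:?} aborts if the variable were ever
# empty instead of deleting from "/"; find (unlike rm -rf dir/*) does not
# fail when the folder is already empty and also removes dotfiles.
find "${CERT_FOLDER:?}" -mindepth 1 -delete
cd -- "$CERT_FOLDER" || { printf 'cannot cd to %s\n' "$CERT_FOLDER" >&2; exit 1; }

# Every private key below is created with this umask, i.e. mode 0600; the
# public material is relaxed back to 0644 at the end of the script.
umask 077

echo "Certs creation on folder: $CERT_FOLDER"

echo ">> SSL create CA cert"
openssl genrsa -out rootCA.key 4096
openssl req -batch -new -x509 -nodes -subj "/CN=root.ca" \
  -extensions v3_ca \
  -key rootCA.key -sha256 -days 1024 -out rootCA.pem

echo ">> Intermediate CA cert"
openssl genrsa -out subCA.key 4096
openssl req -batch -new -x509 -subj "/CN=sub.ca" -nodes \
  -extensions v3_ca \
  -key subCA.key -sha256 -days 1024 -out subCA.pem

echo ">> Intermediate CA sign by RootCA"
# Extensions for the intermediate: without basicConstraints CA:true the
# intermediate could not issue the client certificate further down.
# Quoted delimiter: the file content is literal, nothing is expanded.
cat <<'EOF' > ca_config.cfg
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
EOF
# Turn the self-signed subCA.pem back into a request and have the root
# sign it, so intermediateCA.crt chains to rootCA.pem.
openssl x509 -x509toreq -days 365 -in subCA.pem -signkey subCA.key -out subCA.req
openssl x509 -req -in subCA.req \
  -days 500 -sha256 \
  -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
  -extfile ca_config.cfg \
  -extensions v3_ca \
  -out intermediateCA.crt

echo ">> Verify Intermediate CA"
# Under set -e a failed verification stops the script here.
openssl verify -CAfile rootCA.pem intermediateCA.crt
openssl x509 -in intermediateCA.crt -noout -purpose

echo ">> SSL listen certificates"
# Modern TLS clients ignore the CN and require a subjectAltName; without
# this section the server certificate would be rejected for $DOMAIN.
# Unquoted delimiter on purpose: $DOMAIN must be expanded into the file.
cat <<EOF > server_config.cfg
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$DOMAIN
EOF
openssl req -subj "/CN=$DOMAIN" -newkey rsa:4096 -nodes \
  -sha256 \
  -days 3650 \
  -keyout "$DOMAIN.key" \
  -out "$DOMAIN.csr"
# NOTE: the server certificate is signed by the root CA directly, not by
# the intermediate, so its chain is shorter than the client's below.
openssl x509 -req -in "$DOMAIN.csr" \
  -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
  -extfile server_config.cfg -extensions v3_server \
  -out "$DOMAIN.crt" -days 500 -sha256

echo ">> SSL create client cert"
openssl genrsa -out client.key 4096
openssl req -new -subj '/CN=test' -key client.key -out client.req
openssl x509 -req -in client.req \
  -CA intermediateCA.crt -CAkey subCA.key \
  -CAcreateserial -out client.crt \
  -days 500 -sha256
# Chain presented by the client: leaf, issuing intermediate, root.
cat client.crt intermediateCA.crt rootCA.pem > client_chain.crt

# Certificates are public material; the *.key files keep mode 0600.
chmod 644 -- *.crt *.pem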