-rwxr-xr-x | scripts/mkreq | 86 |
1 files changed, 80 insertions, 6 deletions
diff --git a/scripts/mkreq b/scripts/mkreq
index c73d598..4493867 100755
--- a/scripts/mkreq
+++ b/scripts/mkreq
@@ -1,7 +1,68 @@
 #!/bin/sh
-mkdir -p $1
-cat>/tmp/mkreq-$$.cf<<EOC
+host="$1"; shift
+ca_host="ca.sunet.se"
+ca_name="infra"
+type=""
+
+usage ()
+{
+ echo "\
+Usage: mkreq [-v] [-s*] [-c] [-C <ca host>] [-N <ca name>] [--] <fqdn>
+
+
+ -h, --help show this help text and exit
+ -s request server cert (default if <fqdn> exists in cosmos repo)
+ -c request client cert
+ -C ca host (ca.sunet.se)
+ -N ca name (infra)
+
+ <fqdn> fully qualified name of host
+
+" 1>&2
+}
+
+{
+ while test $# -gt 0; do
+ case "$1" in
+ -s)
+ type="server"
+ ;;
+ -c)
+ type="client"
+ ;;
+ -C)
+ ca_host="$2"
+ shift
+ ;;
+ -N)
+ ca_name="$2"
+ shift
+ ;;
+ -h)
+ usage
+ exit 0
+ ;;
+ --)
+ break
+ ;;
+ esac
+ shift
+ done
+}
+
+if [ -d $host -a -z $type ]; then
+ type="server"
+fi
+
+
+cfg=`mktemp`
+key="/tmp/$host.key"
+csr="/tmp/$host.csr"
+
+trap 'rm -f $cfg' EXIT
+
+cat>$cfg<<EOC
 [ req ]
 default_bits = 4096
 distinguished_name = req_distinguished_name
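Review bot: `key="/tmp/$host.key"` and `csr="/tmp/$host.csr"` place the freshly generated private key at a predictable name in a world-writable directory, while the line just above already uses `mktemp` for the config; a local user who pre-creates `/tmp/<fqdn>.key` before the script runs ends up owning (and able to read) the file the key is written into by the `openssl req -keyout` in the next hunk, since that open does not appear to be exclusive. Use a per-run private directory for both files, `tmpd=$(mktemp -d) || exit 1`, `key="$tmpd/$host.key"`, `csr="$tmpd/$host.csr"`, and check `cfg=$(mktemp) || exit 1` the same way, because an unchecked `mktemp` failure leaves `$cfg` empty and the later `cat>$cfg` redirect and `rm -f` silently do the wrong thing. The test `[ -d $host -a -z $type ]` should be quoted and split into `[ -d "$host" ] && [ -z "$type" ]`; as written it is evaluated with a missing operand whenever `$type` or `$host` is empty, and nothing rejects a missing `<fqdn>` at all even though `shift` on the first line has already failed in that case. The usage text advertises `-v` and `--help`, which the `case` does not handle, and unrecognised options are silently consumed; a final `*) usage; exit 1 ;;` arm would cover both. The heredoc opened by `cat>$cfg<<EOC` at the end of this hunk is closed in the next one.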
@@ -11,11 +72,24 @@ prompt = no
 [ req_distinguished_name ]
 C = SE
 O = SUNET
-CN = $1
+CN = $host
 [ req_extensions ]
-subjectAltName = DNS:$1
+subjectAltName = DNS:$host
 EOC
-openssl req -config /tmp/mkreq-$$.cf -new -newkey rsa:4096 -sha1 -keyout $1/$1.key -nodes -out $1/$1.csr
-rm /tmp/mkreq-$$.cf
+reqs="$ca_host/overlay/var/lib/ca/$ca_name/requests/$type"
+if [ ! -d $reqs ]; then
+ echo "*** ERROR - missing request directory $reqs"
+ exit 1
+fi
+
+openssl req -config $cfg -new -newkey rsa:4096 -sha256 -keyout $key -nodes -out $csr
+mv $csr "$reqs/$host.csr"
+git add "$reqs/$host.csr" && git commit -m "certification request for $host from $ca_host:$ca_name"
+
+if [ -d $host ]; then
+ ssh root@$host mkdir -p /etc/ssl/private && scp "$key" "root@$host:/etc/ssl/private/${host}_${ca_name}.key" && rm -f "$key" && echo "** private key given to $host" || echo "** private key left in $key - should be in root@$host:/etc/ssl/private/${host}_${ca_name}.key"
+fi
+
+echo "** successfully generated key and certification request for $host from $ca_host:$ca_name" |
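Review bot: The exit status of `openssl req ... -keyout $key -nodes -out $csr` is never checked, so when key or CSR generation fails the script still runs `mv`, `git commit`, the ssh/scp block and finally prints "successfully generated key and certification request" — the caller has no reliable failure signal, and a partially written `$key` can be pushed to the host. The `git add && git commit` pair has the same problem: a failed commit is silent and the run still reports success, even though the whole point of the request directory check above is that the CSR lands in the repo. On the host side, `mkdir -p /etc/ssl/private` creates the directory with the remote umask when it does not yet exist and nothing sets the mode of the copied key; an explicit `chmod 0600` after the copy makes the result independent of whether scp carries the source mode over and of whether the destination file already existed (I have not verified scp's behaviour here). The `a && b && c && d || e` chain also runs the "left in" branch if any of the inner steps fails after the key was already copied; an `if` reads more clearly. The heredoc that `EOC` closes at the top of this hunk was opened in the previous hunk.

```shell
# … unchanged: heredoc and request-directory check …
openssl req -config "$cfg" -new -newkey rsa:4096 -sha256 -keyout "$key" -nodes -out "$csr" \
  || { echo "*** ERROR - key/CSR generation failed for $host" 1>&2; exit 1; }
mv "$csr" "$reqs/$host.csr" || exit 1
git add "$reqs/$host.csr" && git commit -m "certification request for $host from $ca_host:$ca_name" \
  || { echo "*** ERROR - could not commit $reqs/$host.csr" 1>&2; exit 1; }

if [ -d "$host" ]; then
  if ssh "root@$host" mkdir -p /etc/ssl/private \
     && scp "$key" "root@$host:/etc/ssl/private/${host}_${ca_name}.key" \
     && ssh "root@$host" chmod 0600 "/etc/ssl/private/${host}_${ca_name}.key"; then
    rm -f "$key"
    echo "** private key given to $host"
  else
    echo "** private key left in $key - should be in root@$host:/etc/ssl/private/${host}_${ca_name}.key"
  fi
fi
# … unchanged: final status message …
```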