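#!/bin/sh
#
# mkreq - generate an RSA key and a certificate signing request (CSR) for a
# host and commit the CSR into the cosmos repository, where the CA picks it up.
#
# Usage: mkreq [-s] [-c] [-C <ca host>] [-N <ca name>] [--] <fqdn>
#
# Run from the top of the cosmos repo: the request directory
# <ca host>/overlay/var/lib/ca/<ca name>/requests/<type> is resolved relative
# to the current working directory.
#
# The private key is never committed.  If <fqdn> is a directory in the repo
# the key is copied to root@<fqdn>:/etc/ssl/private/ over scp; otherwise it is
# printed to stdout once and then deleted.

set -u

ca_host="ca.sunet.se"
ca_name="infra"
type=""

# Print a diagnostic to stderr and exit with status 1.
die() {
  printf '%s: %s\n' "$0" "$*" 1>&2
  exit 1
}

# Print the usage text to stderr.
usage() {
  cat <<'EOU' 1>&2
Usage: mkreq [-v] [-s*] [-c] [-C <ca host>] [-N <ca name>] [--] <fqdn>
   -h, --help   show this help text and exit
   -s           request server cert (default if <fqdn> exists in cosmos repo)
   -c           request client cert
   -C           ca host (ca.sunet.se)
   -N           ca name (infra)
   <fqdn>       fully qualified name of host

EOU
}

if [ "${1:-}" = "" ]; then
  usage
  exit 1
fi

while [ $# -gt 0 ]; do
  case "$1" in
    -s)
      type="server"
      shift
      ;;
    -c)
      type="client"
      shift
      ;;
    -C)
      [ $# -ge 2 ] || die "option $1 requires an argument"
      ca_host="$2"
      shift 2   # consume the value too, or it would be taken as the fqdn
      ;;
    -N)
      [ $# -ge 2 ] || die "option $1 requires an argument"
      ca_name="$2"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    --)
      shift     # drop the separator itself so it is not taken as the fqdn
      break
      ;;
    -*)
      printf '%s: Unknown option %s\n\n' "$0" "$1" 1>&2
      usage
      exit 1
      ;;
    *)
      break     # first non-option argument is the fqdn
      ;;
  esac
done

host="${1:-}"
if [ -z "$host" ]; then
  printf '%s: No fqdn supplied\n\n' "$0" 1>&2
  usage
  exit 1
fi

# $host becomes a path component under the request directory, an ssh target
# and is interpolated into the openssl config below, so only accept the
# character set of a DNS host name.
case "$host" in
  *[!A-Za-z0-9.-]*) die "invalid fqdn '$host'" ;;
esac

# A host managed in this repo defaults to a server certificate.
if [ -d "$host" ] && [ -z "$type" ]; then
  type="server"
fi
# Without a type the CSR would land directly in requests/ instead of a
# server/ or client/ subdirectory.
[ -n "$type" ] || die "no certificate type given, use -s or -c"

cfg=$(mktemp) || die "mktemp failed"
key=$(mktemp) || die "mktemp failed"
csr=$(mktemp) || die "mktemp failed"
# The config and CSR are scratch files.  The key is handled explicitly below
# because it may deliberately be left behind for the operator to collect.
trap 'rm -f -- "$cfg" "$csr"' EXIT

cat >"$cfg" <<EOC
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_extensions
prompt = no

[ req_distinguished_name ]
C = SE
O = SUNET
CN = $host

[ req_extensions ]
subjectAltName = DNS:$host
EOC

reqs="$ca_host/overlay/var/lib/ca/$ca_name/requests/$type"
[ -d "$reqs" ] || die "*** ERROR - missing request directory $reqs"

# -nodes: the key is written unencrypted so it can be installed without a
# passphrase; mktemp created $key with mode 0600.
if ! openssl req -config "$cfg" -new -newkey rsa:4096 -sha256 \
    -keyout "$key" -nodes -out "$csr"; then
  rm -f -- "$key"
  die "openssl req failed"
fi

if ! mv -- "$csr" "$reqs/$host.csr"; then
  rm -f -- "$key"
  die "could not store request in $reqs/$host.csr (key discarded)"
fi

if ! git add -- "$reqs/$host.csr" \
    || ! git commit -m "certification request for $host from $ca_host:$ca_name"; then
  rm -f -- "$key"
  die "could not commit $reqs/$host.csr (key discarded, re-run after fixing)"
fi

if [ -d "$host" ]; then
  # Host is managed in this repo: install the key on it directly.  The key
  # file is only removed locally once the copy has succeeded.
  if ssh "root@$host" mkdir -p /etc/ssl/private \
      && scp -- "$key" "root@$host:/etc/ssl/private/${host}_${ca_name}.key" \
      && rm -f -- "$key"; then
    echo "** private key given to $host"
  else
    echo "** private key left in $key - should be in root@$host:/etc/ssl/private/${host}_${ca_name}.key"
  fi
else
  # No managed host to deliver to: this printout is the only copy of the key.
  echo ""
  echo "** Generated the following RSA key, keep it safe:"
  cat -- "$key"
  rm -f -- "$key"
  echo ""
fi

echo "** successfully generated key and certification request for $host from $ca_host:$ca_name"
exit 0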