#!/bin/sh
# mkreq - generate an RSA private key and a certificate signing request for
# one <fqdn>, place the CSR under the CA host's request directory (resolved
# relative to the current directory) and commit it with git.
#
# Defaults; -C and -N override the CA host / CA name, -s and -c pick the
# request type (see usage below).
ca_host='ca.sunet.se'
ca_name='infra'
type=''
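#######################################
# Print the help text to stderr (stdout is kept clean because the script may
# print the generated private key there later).
# Globals:   none
# Arguments: none
# Outputs:   help text on stderr
# Returns:   0
#######################################
usage ()
{
  # The option list only names options the parser actually accepts; the
  # previous text also advertised a non-existent -v.
  cat 1>&2 <<'EOU'
Usage: mkreq [-s*] [-c] [-C <ca host>] [-N <ca name>] [--] <fqdn>
-h, --help show this help text and exit
-s request server cert (default if <fqdn> exists in cosmos repo)
-c request client cert
-C ca host (ca.sunet.se)
-N ca name (infra)
<fqdn> fully qualified name of host
EOU
}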
# Called with nothing at all: print the help text and fail.
if [ -z "$1" ]; then
  usage
  exit 1
fi
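# Option parsing.  Every word up to the first non-option (or "--") is an
# option; whatever is left in "$@" afterwards is the fqdn.
while test $# -gt 0; do
  case "$1" in
  -s)
    type="server"
    shift
    ;;
  -c)
    type="client"
    shift
    ;;
  -C|-N)
    # Options with a value consume two words.  Shifting only once left the
    # value in $1, where the next iteration took it for the fqdn.
    if [ $# -lt 2 ]; then
      echo "$0: option $1 requires an argument" 1>&2
      echo "" 1>&2
      usage
      exit 1
    fi
    if [ "$1" = "-C" ]; then
      ca_host="$2"
    else
      ca_name="$2"
    fi
    shift 2
    ;;
  -h|--help)
    usage
    exit 0
    ;;
  --)
    # End of options: drop the marker itself, otherwise "--" became the fqdn.
    shift
    break
    ;;
  -*)
    # A case pattern instead of "echo $1 | grep" so a value such as "-n" or
    # "-e" cannot be swallowed by echo.
    echo "$0: Unknown option $1" 1>&2
    echo "" 1>&2
    usage
    exit 1
    ;;
  *)
    break # found the fqdn
    ;;
  esac
done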
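host="$1"
if [ -z "$host" ]; then
  echo "$0: No fqdn supplied" 1>&2
  echo "" 1>&2
  usage
  exit 1
fi
# No -s/-c given: a host that already has a directory of its own here
# (relative to the current directory) defaults to a server request.
# Two separate tests joined with && — "[ -d $host -a -z $type ]" was unquoted
# and collapsed into a malformed test whenever $type was empty.
if [ -d "$host" ] && [ -z "$type" ]; then
  type="server"
fi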
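# Scratch files for the openssl config, the private key and the CSR.  mktemp
# creates them unreadable to other users and fails loudly instead of handing
# us an empty name.
cfg=$(mktemp) || exit 1
# The config and the CSR (already moved away on success) are always removed.
# The key is deliberately NOT in the trap: the delivery step below may leave
# it in place on purpose and tells the operator where it is.
trap 'rm -f "$cfg" ${csr:+"$csr"}' EXIT
key=$(mktemp) || exit 1
csr=$(mktemp) || exit 1
# Non-interactive request: subject and SAN both carry the fqdn.
cat > "$cfg" <<EOC
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_extensions
prompt = no
string_mask = nombstr
[ req_distinguished_name ]
C = SE
O = SUNET
CN = $host
[ req_extensions ]
subjectAltName = DNS:$host
EOC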
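# With no type the path below ends in "requests/" and the CSR would be
# dropped in the parent directory rather than a per-type subdirectory, so
# refuse instead of silently misfiling it.
if [ -z "$type" ]; then
  echo "*** ERROR - no request type: use -s or -c (server is the default only when ./$host exists)" 1>&2
  exit 1
fi
reqs="$ca_host/overlay/var/lib/ca/$ca_name/requests/$type"
if [ ! -d "$reqs" ]; then
  echo "*** ERROR - missing request directory $reqs" 1>&2
  exit 1
fi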
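# Generate key and CSR.  A failure here has to stop the script: without the
# check an empty CSR was moved into the repo, committed and reported as
# success.  The key is unencrypted (-nodes) and stays in its 0600 temp file.
if ! openssl req -config "$cfg" -new -newkey rsa:4096 -sha256 \
  -keyout "$key" -nodes -out "$csr"; then
  echo "*** ERROR - openssl req failed for $host" 1>&2
  rm -f "$key"
  exit 1
fi
mv "$csr" "$reqs/$host.csr" || exit 1
git add "$reqs/$host.csr" && git commit -m "certification request for $host from $ca_host:$ca_name"
if [ -d "$host" ]; then
  # The host is known here: copy the key over and delete the local copy
  # only once the transfer has succeeded; otherwise say where it was left.
  if ssh "root@$host" mkdir -p /etc/ssl/private \
    && scp "$key" "root@$host:/etc/ssl/private/${host}_${ca_name}.key"; then
    rm -f "$key"
    echo "** private key given to $host"
  else
    echo "** private key left in $key - should be in root@$host:/etc/ssl/private/${host}_${ca_name}.key"
  fi
else
  # Unknown host: the key is printed on stdout for the operator to collect
  # and then discarded.
  echo ""
  echo "** Generated the following RSA key, keep it safe:"
  cat "$key"
  rm -f "$key"
  echo ""
fi
echo "** successfully generated key and certification request for $host from $ca_host:$ca_name"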