blob: b46d9fe15e506d7d5ee0cb94df46252a253dc1f2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
#!/bin/sh
ca_host="ca.sunet.se"
ca_name="infra"
type=""
usage ()
{
echo "\
Usage: mkreq [-v] [-s*] [-c] [-C <ca host>] [-N <ca name>] [--] <fqdn>
-h, --help show this help text and exit
-s request server cert (default if <fqdn> exists in cosmos repo)
-c request client cert
-C ca host (ca.sunet.se)
-N ca name (infra)
<fqdn> fully qualified name of host
" 1>&2
}
if [ "x$1" = "x" ]; then
usage
exit 1
fi
{
while test $# -gt 0; do
case "$1" in
-s)
type="server"
shift
;;
-c)
type="client"
shift
;;
-C)
ca_host="$2"
shift
;;
-N)
ca_name="$2"
shift
;;
-h)
usage
exit 0
;;
--)
break
;;
*)
echo $1 | grep -q '^-' || break # found the fqdn
echo "$0: Unknown option $1"
echo ""
usage
exit 1
esac
done
}
host="$1"
if [ "x$host" = "x" ]; then
echo "$0: No fqdn supplied"
echo ""
usage
exit 1
fi
if [ -d $host -a -z $type ]; then
type="server"
fi
cfg=`mktemp`
key=`mktemp`
csr=`mktemp`
trap 'rm -f $cfg' EXIT
cat>$cfg<<EOC
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_extensions
prompt = no
string_mask = utf8only
[ req_distinguished_name ]
C = SE
O = SUNET
CN = $host
[ req_extensions ]
subjectAltName = DNS:$host
EOC
reqs="$ca_host/overlay/var/lib/ca/$ca_name/requests/$type"
if [ ! -d $reqs ]; then
echo "*** ERROR - missing request directory $reqs"
exit 1
fi
openssl req -config $cfg -new -newkey rsa:4096 -sha256 -keyout $key -nodes -out $csr
mv $csr "$reqs/$host.csr"
git add "$reqs/$host.csr" && git commit -m "certification request for $host from $ca_host:$ca_name"
if [ -d $host ]; then
ssh root@$host mkdir -p /etc/ssl/private && scp "$key" "root@$host:/etc/ssl/private/${host}_${ca_name}.key" && rm -f "$key" && echo "** private key given to $host" || echo "** private key left in $key - should be in root@$host:/etc/ssl/private/${host}_${ca_name}.key"
else
echo ""
echo "** Generated the following RSA key, keep it safe:"
cat $key
rm -f $key
echo ""
fi
echo "** successfully generated key and certification request for $host from $ca_host:$ca_name"
|