97 lines
3.2 KiB
Bash
97 lines
3.2 KiB
Bash
#!/bin/bash
|
|
|
|
rm -rf CA
|
|
mkdir CA
|
|
cd CA
|
|
|
|
cat >openssl.cnf <<EOF
|
|
[ca]
|
|
default_ca = CA_default
|
|
|
|
[CA_default]
|
|
dir = $PWD
|
|
EOF
|
|
|
|
cat >>openssl.cnf <<'EOF'
|
|
certs = $dir/certs
|
|
new_certs_dir = $dir/newcerts
|
|
database = $dir/index.txt
|
|
serial = $dir/serial
|
|
default_md = sha256
|
|
policy = policy_loose
|
|
copy_extensions = copy
|
|
|
|
private_key = $dir/private/ca.key.pem
|
|
certificate = $dir/certs/ca.crt.pem
|
|
|
|
[policy_loose]
|
|
countryName = optional
|
|
stateOrProvinceName = optional
|
|
localityName = optional
|
|
organizationName = optional
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
[req]
|
|
default_bits = 2048
|
|
distinguished_name = req_distinguished_name
|
|
default_md = sha256
|
|
|
|
[req_distinguished_name]
|
|
countryName = Country Name (2 letter code)
|
|
EOF
|
|
|
|
mkdir certs csr newcerts private; chmod 0700 private; touch index.txt; echo 1000 >serial
|
|
|
|
function gen_cert() {
|
|
ITEM="$1"
|
|
PRIVKEY_PASS="$2"
|
|
CA_PASS_FILE="$3"
|
|
|
|
FILE_PRIVKEY_PASS="./$ITEM-pass"
|
|
KEY_FILE="private/$ITEM.key.pem"
|
|
KEY_NOPASS_FILE="private/$ITEM.key.nopass.pem"
|
|
SUBJ="/C=ES/ST=Madrid/L=Madrid/CN=$ITEM"
|
|
ADDEXT="subjectAltName=DNS:$ITEM"
|
|
CSR="csr/$ITEM.csr.pem"
|
|
CERT_FILE="certs/$ITEM.crt.pem"
|
|
|
|
touch "$FILE_PRIVKEY_PASS"
|
|
chmod 0600 "$FILE_PRIVKEY_PASS"
|
|
echo "$PRIVKEY_PASS" >"$FILE_PRIVKEY_PASS"
|
|
|
|
openssl genrsa -aes256 -out "$KEY_FILE" -passout file:"$FILE_PRIVKEY_PASS" 2048
|
|
openssl rsa -in "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -out "$KEY_NOPASS_FILE" >/dev/null 2>&1
|
|
openssl req -config openssl.cnf -key "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -new -sha256 -subj "$SUBJ" -addext "$ADDEXT" -out "$CSR"
|
|
openssl ca -config openssl.cnf -batch -passin file:"$CA_PASS_FILE" -days 375 -notext -md sha256 -in "$CSR" -out "$CERT_FILE" >/dev/null 2>&1
|
|
}
|
|
|
|
|
|
## gen CA
|
|
CA_PASS=CorrectHorseBatteryStapleCA
|
|
CA_PASS_FILE=./ca-pass
|
|
touch "$CA_PASS_FILE"
|
|
chmod 0600 "$CA_PASS_FILE"
|
|
echo "$CA_PASS" >"$CA_PASS_FILE"
|
|
openssl genrsa -aes256 -out private/ca.key.pem -passout file:"$CA_PASS_FILE" 4096
|
|
#openssl rsa -in private/ca.key.pem -passin file:"$CA_PASS_FILE" -out private/ca.key.nopass.pem >/dev/null 2>&1
|
|
openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$CA_PASS_FILE" -new -x509 -days 7300 -sha256 -subj '/C=ES/ST=Madrid/L=Madrid/CN=ca.mytld' -out certs/ca.crt.pem
|
|
|
|
|
|
## todos estos en oglog
|
|
gen_cert oglog-os.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
|
|
gen_cert oglog-osdb.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
|
|
gen_cert oglog-jrem.mytld CorrectHorseBatteryStapleOglogJRem "$CA_PASS_FILE"
|
|
gen_cert oglog-jb.mytld CorrectHorseBatteryStapleOglogJB "$CA_PASS_FILE"
|
|
gen_cert oglog-prom.mytld CorrectHorseBatteryStapleOglogProm "$CA_PASS_FILE"
|
|
gen_cert oglog-graf.mytld CorrectHorseBatteryStapleOglogGraf "$CA_PASS_FILE"
|
|
|
|
## esto podria ser ogcore, ogboot...
|
|
gen_cert ogserver.mytld CorrectHorseBatteryStapleOgserver "$CA_PASS_FILE"
|
|
|
|
## filebeat del agente
|
|
gen_cert ogagent-fb.mytld CorrectHorseBatteryStapleOgagentFB "$CA_PASS_FILE"
|
|
|
|
cd ..
|