forked from vanvuvuong/genericssl
-
Notifications
You must be signed in to change notification settings - Fork 0
/
generate-certs
executable file
·162 lines (141 loc) · 4.57 KB
/
generate-certs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
#!/bin/bash
if [[ -z $SILENT ]]; then
echo "----------------------------"
echo "| GENERICSSL Cert Generator |"
echo "----------------------------"
echo
fi
export CA_KEY=${CA_KEY-"ca-key.pem"}
export CA_CERT=${CA_CERT-"ca.pem"}
export CA_SUBJECT=${CA_SUBJECT:-"test-ca"}
export CA_EXPIRE=${CA_EXPIRE:-"60"}
export PEM_BUNDLE=${PEM_BUNDLE}
export SSL_CONFIG=${SSL_CONFIG:-"openssl.cnf"}
export SSL_KEY=${SSL_KEY:-"key.pem"}
export SSL_CSR=${SSL_CSR:-"key.csr"}
export SSL_CERT=${SSL_CERT:-"cert.pem"}
export SSL_SIZE=${SSL_SIZE:-"2048"}
export SSL_EXPIRE=${SSL_EXPIRE:-"60"}
export SSL_SUBJECT=${SSL_SUBJECT:-"example.com"}
export SSL_DNS=${SSL_DNS}
export SSL_IP=${SSL_IP}
export K8S_NAME=${K8S_NAME:-"genericssl"}
export K8S_NAMESPACE=${K8S_NAMESPACE:-"default"}
export K8S_SAVE_CA_KEY=${K8S_SAVE_CA_KEY}
export K8S_SAVE_CA_CRT=${K8S_SAVE_CA_CRT}
export K8S_SHOW_SECRET=${K8S_SHOW_SECRET}
export OUTPUT=${OUTPUT:-"yaml"}
[[ -z $SILENT ]] && echo "--> Certificate Authority"
if [[ -e ./${CA_KEY} ]]; then
[[ -z $SILENT ]] && echo "====> Using existing CA Key ${CA_KEY}"
else
[[ -z $SILENT ]] && echo "====> Generating new CA key ${CA_KEY}"
openssl genrsa -out "${CA_KEY}" "${SSL_SIZE}" >/dev/null
fi
if [[ -e ./${CA_CERT} ]]; then
[[ -z $SILENT ]] && echo "====> Using existing CA Certificate ${CA_CERT}"
else
[[ -z $SILENT ]] && echo "====> Generating new CA Certificate ${CA_CERT}"
openssl req -x509 -new -nodes -key "${CA_KEY}" -days "${CA_EXPIRE}" -out "${CA_CERT}" -subj "/CN=${CA_SUBJECT}" >/dev/null || exit 1
fi
echo "====> Generating new config file ${SSL_CONFIG}"
cat >"${SSL_CONFIG}" <<EOM
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOM
if [[ -n ${SSL_DNS} || -n ${SSL_IP} ]]; then
cat >>"${SSL_CONFIG}" <<EOM
subjectAltName = @alt_names
[alt_names]
EOM
IFS=";"
read -ra dns <<<"$SSL_DNS"
dns+=("${SSL_SUBJECT}")
for ((i = 0; i < ${#dns[@]}; i++)); do
if [ -z "${dns[$i]}" ]; then
continue
fi
echo DNS.$((i + 1)) = "${dns[$i]}" >>"${SSL_CONFIG}"
done
if [[ -n ${SSL_IP} ]]; then
read -ra ip <<<"$SSL_IP"
for ((i = 0; i < ${#ip[@]}; i++)); do
if [ -z "${ip[$i]}" ]; then
continue
fi
echo IP.$((i + 1)) = "${ip[$i]}" >>"${SSL_CONFIG}"
done
fi
fi
[[ -z $SILENT ]] && echo "====> Generating new SSL KEY ${SSL_KEY}"
openssl genrsa -out "${SSL_KEY}" "${SSL_SIZE}" >/dev/null || exit 1
[[ -z $SILENT ]] && echo "====> Generating new SSL CSR ${SSL_CSR}"
openssl req -new -key "${SSL_KEY}" -out "${SSL_CSR}" -subj "/CN=${SSL_SUBJECT}" -config "${SSL_CONFIG}" >/dev/null || exit 1
[[ -z $SILENT ]] && echo "====> Generating new SSL CERT ${SSL_CERT}"
openssl x509 -req -in "${SSL_CSR}" -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial -out "${SSL_CERT}" \
-days "${SSL_EXPIRE}" -extensions v3_req -extfile "${SSL_CONFIG}" >/dev/null || exit 1
if [[ -n ${PEM_BUNDLE} ]]; then
cat "${SSL_KEY}" > "${PEM_BUNDLE}"
cat "${SSL_CERT}" >> "${PEM_BUNDLE}"
cat "${CA_CERT}" >> "${PEM_BUNDLE}"
fi
# create k8s secret file
cat <<EOM >/certs/secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: ${K8S_NAME}
namespace: ${K8S_NAMESPACE}
type: kubernetes.io/tls
data:
EOM
if [[ -n $K8S_SAVE_CA_KEY ]]; then
echo -n " ca.key: " >>/certs/secret.yaml
cat "$CA_KEY" | base64 | tr '\n' ',' | sed 's/,//g' >>/certs/secret.yaml
echo >>/certs/secret.yaml
fi
if [[ -n $K8S_SAVE_CA_CRT ]]; then
echo -n " ca.crt: " >>/certs/secret.yaml
cat "$CA_CERT" | base64 | tr '\n' ',' | sed 's/,//g' >>/certs/secret.yaml
echo >>/certs/secret.yaml
fi
echo -n " tls.key: " >>/certs/secret.yaml
cat "$SSL_KEY" | base64 | tr '\n' ',' | sed 's/,//g' >>/certs/secret.yaml
echo >>/certs/secret.yaml
echo -n " tls.crt: " >>/certs/secret.yaml
cat "$SSL_CERT" | base64 | tr '\n' ',' | sed 's/,//g' >>/certs/secret.yaml
echo >>/certs/secret.yaml
if [[ -z $SILENT ]]; then
echo "====> Complete"
echo "keys can be found in volume mapped to $(pwd)"
echo
if [[ ${OUTPUT} == "k8s" ]]; then
echo "====> Output results as base64 k8s secrets"
echo "---"
cat /certs/secret.yaml
else
echo "====> Output results as YAML"
echo "---"
echo "ca_key: |"
cat "$CA_KEY" | sed 's/^/ /'
echo
echo "ca_crt: |"
cat "$CA_CERT" | sed 's/^/ /'
echo
echo "ssl_key: |"
cat "$SSL_KEY" | sed 's/^/ /'
echo
echo "ssl_csr: |"
cat "$SSL_CSR" | sed 's/^/ /'
echo
echo "ssl_crt: |"
cat "$SSL_CERT" | sed 's/^/ /'
echo
fi
fi