Muryor
/
script
mirror of https://github.com/lework/script
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
54 Commits
1 Branch
0 Tags
744 KiB
Tree: b233d11f0b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b233d11f0b'
${ noResults }
script/shell/ssl/cfssl.sh

206 lines
5.6 KiB
Raw Normal View History Unescape

update
4 years ago
#!/bin/bash
#
# Author: lework
# Desc: Use cfssl tool to conveniently generate self-signed certificates.
# Date: 2020/07/01
set -o errexit # Exit on most errors (see the manual)
set -o errtrace # Make sure any error trap is inherited
set -o nounset # Disallow expansion of unset variables
set -o pipefail # Use last non-zero exit code in a pipeline
######################################################################################################
# environment configuration
######################################################################################################
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
BLUE='\033[0;36m'
PLAIN='\033[0m'
CFSSL_VERSION="1.4.1"
######################################################################################################
# function
######################################################################################################
echo_title() {
echo -e "${GREEN}$1${PLAIN}"
}
function check() {
for bin in cfssl cfssl-certinfo cfssljson
do
if ! $(command -v ${bin} > /dev/null 2>&1);then
echo_title "[Installing] $bin..."
curl -sSL https://github.com/cloudflare/cfssl/releases/download/v${CFSSL_VERSION}/{$bin}_${CFSSL_VERSION}_linux_amd64 > /tmp/${bin}
sudo install /tmp/${bin} /usr/local/bin/${bin}
fi
done
if ! $(command -v openssl > /dev/null 2>&1);then
echo_title "[Installing] openssl..."
command -v yum > /dev/null 2>&1 && yum -y install openssl
command -v apt-get > /dev/null 2>&1 && apt-get install openssl -y
fi
}
function ca() {
project=${1:-demo}
server_hostname="${2:-server.${project}.com}"
client_hostname="${3:-client.${project}.com}"
[ ! -d "${project}_ca" ] && mkdir "${project}_ca"
cd "${project}_ca"
echo_title "\n[Generating] cfssl config..."
cat << EOF > cfssl-config.json
{
"signing": {
"default": {
"expiry": "87600h",
"usages": [
"signing",
"digital signature",
"key encipherment",
"server auth",
"client auth"
]
},
"profiles": {
"peer": {
"expiry": "87600h",
"usages": [
"signing",
"digital signature",
"key encipherment",
"server auth",
"client auth"
]
},
"server": {
"expiry": "87600h",
"usages": [
"signing",
"digital signature",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "87600h",
"usages": [
"signing",
"digital signature",
"key encipherment",
"client auth"
]
}
}
}
}
EOF
echo_title "\n[Generating] ca csr..."
cat << EOF > ca-csr.json
{
"CN": "${project^^} CA",
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "CN",
"ST": "Shanghai",
"L": "Shanghai",
"O": "${project}",
"OU": "${project^^} Service"
}
]
}
EOF
echo_title "\n[Generating] csr..."
cat << EOF > csr.json
{
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "CN",
"ST": "Shanghai",
"L": "Shanghai",
"O": "${project}",
"OU": "${project^^} Service"
}
]
}
EOF
echo_title "\n[Generating] certificate authority..."
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
echo_title "\n[Generating] server certificate..."
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl-config.json \
-hostname="${server_hostname},localhost,127.0.0.1" csr.json \
| cfssljson -bare server
echo_title "\n[Generating] client certificate..."
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl-config.json \
-hostname="${client_hostname},localhost,127.0.0.1" csr.json \
| cfssljson -bare client
echo_title "\n[Generating] server and client node certificate..."
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl-config.json \
-hostname="${server_hostname},${client_hostname},localhost,127.0.0.1" csr.json \
| cfssljson -bare dev
echo_title "\n[Generating] user certificates..."
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl-config.json \
-profile=client csr.json | cfssljson -bare user
openssl pkcs12 -export -inkey user-key.pem -in user.pem -out user.pfx -password pass:
echo_title "\n[Generating] The $(pwd) directory file list..."
ls -al .
}
usage_help() {
cat <<EOM
Use cfssl tool to conveniently generate self-signed certificates.
Usage:
$(basename $0) [ -h | --help ] [project_name server_hostname client_hostname]
Example:
$(basename $0) # Generate demo self-signed certificate
$(basename $0) -h # View help.
$(basename $0) project web-server.project.com,api-server.project.com rpc-client.project.com,api-client.project.com
EOM
exit 1
}
######################################################################################################
# main
######################################################################################################
case ${1-} in
-h | --help ) usage_help
;;
* ) check
ca $@
esac