mirror of https://github.com/lework/script
lework
5 years ago
3 changed files with 216 additions and 2 deletions
@ -0,0 +1,205 @@
@@ -0,0 +1,205 @@
|
||||
#!/bin/bash |
||||
# |
||||
# Author: lework |
||||
# Desc: Use cfssl tool to conveniently generate self-signed certificates. |
||||
# Date: 2020/07/01 |
||||
|
||||
set -o errexit # Exit on most errors (see the manual) |
||||
set -o errtrace # Make sure any error trap is inherited |
||||
set -o nounset # Disallow expansion of unset variables |
||||
set -o pipefail # Use last non-zero exit code in a pipeline |
||||
|
||||
|
||||
###################################################################################################### |
||||
# environment configuration |
||||
###################################################################################################### |
||||
|
||||
# Colors |
||||
RED='\033[0;31m' |
||||
GREEN='\033[0;32m' |
||||
YELLOW='\033[0;33m' |
||||
BLUE='\033[0;36m' |
||||
PLAIN='\033[0m' |
||||
|
||||
|
||||
CFSSL_VERSION="1.4.1" |
||||
|
||||
|
||||
###################################################################################################### |
||||
# function |
||||
###################################################################################################### |
||||
|
||||
echo_title() { |
||||
echo -e "${GREEN}$1${PLAIN}" |
||||
} |
||||
|
||||
function check() { |
||||
for bin in cfssl cfssl-certinfo cfssljson |
||||
do |
||||
if ! $(command -v ${bin} > /dev/null 2>&1);then |
||||
echo_title "[Installing] $bin..." |
||||
curl -sSL https://github.com/cloudflare/cfssl/releases/download/v${CFSSL_VERSION}/{$bin}_${CFSSL_VERSION}_linux_amd64 > /tmp/${bin} |
||||
sudo install /tmp/${bin} /usr/local/bin/${bin} |
||||
fi |
||||
done |
||||
|
||||
if ! $(command -v openssl > /dev/null 2>&1);then |
||||
echo_title "[Installing] openssl..." |
||||
command -v yum > /dev/null 2>&1 && yum -y install openssl |
||||
command -v apt-get > /dev/null 2>&1 && apt-get install openssl -y |
||||
fi |
||||
} |
||||
|
||||
|
||||
function ca() { |
||||
project=${1:-demo} |
||||
server_hostname="${2:-server.${project}.com}" |
||||
client_hostname="${3:-client.${project}.com}" |
||||
|
||||
[ ! -d "${project}_ca" ] && mkdir "${project}_ca" |
||||
cd "${project}_ca" |
||||
|
||||
echo_title "\n[Generating] cfssl config..." |
||||
cat << EOF > cfssl-config.json |
||||
{ |
||||
"signing": { |
||||
"default": { |
||||
"expiry": "87600h", |
||||
"usages": [ |
||||
"signing", |
||||
"digital signature", |
||||
"key encipherment", |
||||
"server auth", |
||||
"client auth" |
||||
] |
||||
}, |
||||
"profiles": { |
||||
"peer": { |
||||
"expiry": "87600h", |
||||
"usages": [ |
||||
"signing", |
||||
"digital signature", |
||||
"key encipherment", |
||||
"server auth", |
||||
"client auth" |
||||
] |
||||
}, |
||||
"server": { |
||||
"expiry": "87600h", |
||||
"usages": [ |
||||
"signing", |
||||
"digital signature", |
||||
"key encipherment", |
||||
"server auth" |
||||
] |
||||
}, |
||||
"client": { |
||||
"expiry": "87600h", |
||||
"usages": [ |
||||
"signing", |
||||
"digital signature", |
||||
"key encipherment", |
||||
"client auth" |
||||
] |
||||
} |
||||
} |
||||
} |
||||
} |
||||
EOF |
||||
|
||||
echo_title "\n[Generating] ca csr..." |
||||
cat << EOF > ca-csr.json |
||||
{ |
||||
"CN": "${project^^} CA", |
||||
"key": { |
||||
"algo": "ecdsa", |
||||
"size": 256 |
||||
}, |
||||
"names": [ |
||||
{ |
||||
"C": "CN", |
||||
"ST": "Shanghai", |
||||
"L": "Shanghai", |
||||
"O": "${project}", |
||||
"OU": "${project^^} Service" |
||||
} |
||||
] |
||||
} |
||||
EOF |
||||
|
||||
echo_title "\n[Generating] csr..." |
||||
cat << EOF > csr.json |
||||
{ |
||||
"key": { |
||||
"algo": "ecdsa", |
||||
"size": 256 |
||||
}, |
||||
"names": [ |
||||
{ |
||||
"C": "CN", |
||||
"ST": "Shanghai", |
||||
"L": "Shanghai", |
||||
"O": "${project}", |
||||
"OU": "${project^^} Service" |
||||
} |
||||
] |
||||
} |
||||
EOF |
||||
|
||||
echo_title "\n[Generating] certificate authority..." |
||||
cfssl gencert -initca ca-csr.json | cfssljson -bare ca |
||||
|
||||
echo_title "\n[Generating] server certificate..." |
||||
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl-config.json \ |
||||
-hostname="${server_hostname},localhost,127.0.0.1" csr.json \ |
||||
| cfssljson -bare server |
||||
|
||||
echo_title "\n[Generating] client certificate..." |
||||
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl-config.json \ |
||||
-hostname="${client_hostname},localhost,127.0.0.1" csr.json \ |
||||
| cfssljson -bare client |
||||
|
||||
echo_title "\n[Generating] server and client node certificate..." |
||||
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl-config.json \ |
||||
-hostname="${server_hostname},${client_hostname},localhost,127.0.0.1" csr.json \ |
||||
| cfssljson -bare dev |
||||
|
||||
echo_title "\n[Generating] user certificates..." |
||||
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl-config.json \ |
||||
-profile=client csr.json | cfssljson -bare user |
||||
openssl pkcs12 -export -inkey user-key.pem -in user.pem -out user.pfx -password pass: |
||||
|
||||
echo_title "\n[Generating] The $(pwd) directory file list..." |
||||
ls -al . |
||||
} |
||||
|
||||
|
||||
usage_help() { |
||||
cat <<EOM |
||||
|
||||
Use cfssl tool to conveniently generate self-signed certificates. |
||||
|
||||
Usage: |
||||
$(basename $0) [ -h | --help ] [project_name server_hostname client_hostname] |
||||
|
||||
Example: |
||||
$(basename $0) # Generate demo self-signed certificate |
||||
$(basename $0) -h # View help. |
||||
$(basename $0) project web-server.project.com,api-server.project.com rpc-client.project.com,api-client.project.com |
||||
EOM |
||||
exit 1 |
||||
} |
||||
|
||||
|
||||
|
||||
###################################################################################################### |
||||
# main |
||||
###################################################################################################### |
||||
|
||||
|
||||
case ${1-} in |
||||
-h | --help ) usage_help |
||||
;; |
||||
* ) check |
||||
ca $@ |
||||
esac |
Loading…
Reference in new issue