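#!/bin/bash
# Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
#
# Generates a throw-away test PKI under ./certs: one root + intermediate CA per namespace
# (domain, participant1, participant2) and the server/client certificates signed by each
# intermediate. Every private key is written unencrypted so the run is non-interactive;
# treat the output as test material and keep the certs/ tree out of version control.
#
# pipefail: the openssl.cnf files are produced by pipelines (template | sed). Without it a
# missing template silently yields an empty config and the run fails much later with a
# confusing openssl error instead of at the real cause.
set -eo pipefail
# https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
# https://www.shellhacks.com/create-csr-openssl-without-prompt-non-interactive/
# https://akshayranganath.github.io/OCSP-Validation-With-Openssl/
# https://medium.com/@KentaKodashima/generate-pem-keys-with-openssl-on-macos-ecac55791373
# OpenSSL testing of certs: https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
# NOTE: porting to Cygwin required changing absolute file paths to relative file paths. Cygwin has a wart.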
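clean_directory() {
  # Wipe the generated PKI so every run starts from fresh CA databases (index.txt / serial).
  # Anchors the removal at $ROOTDIR when it is set so the rm does not depend on the caller's
  # cwd; falls back to the cwd (the original behaviour) when ROOTDIR is not exported yet.
  rm -rf -- "${ROOTDIR:-.}/certs"
}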
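create_root() {
  # Create a self-signed root CA for one namespace under certs/<namespace>/root.
  #   $1 namespace       directory name and CN prefix
  #   $2 DNS domain      used in the CN and substituted into the cnf template
  #   $3 organisation    O= in the subject
  #   $4 OCSP port       substituted into the cnf template (usage depends on the template)
  # Leaves the cwd at $ROOTDIR, like every other step in this script.
  local namespace=$1
  local DOMAIN=$2
  local DOMAIN_NAME=$3
  local OCSP_PORT=$4
  local root_dir="certs/$namespace/root"
  echo "Creating Root Key - $namespace"
  cd "$ROOTDIR"
  # Directory layout and database files (index.txt, serial) that `openssl ca` expects.
  # mkdir without -p on the subdirectories is deliberate: re-running on top of an existing CA
  # would otherwise silently reset its serial/index, so a leftover tree aborts under set -e.
  mkdir -p "$root_dir"
  mkdir "$root_dir/certs" "$root_dir/crl" "$root_dir/newcerts" "$root_dir/private"
  chmod 700 "$root_dir/private"
  touch "$root_dir/index.txt"
  echo 1000 > "$root_dir/serial"
  # Instantiate the config template. <ROOTDIR> is kept relative ('.') for Cygwin.
  # ';' is the sed delimiter, so none of the substituted values may contain ';'.
  sed -e "s;<namespace>;$namespace;g" \
      -e "s;<ROOTDIR>;.;g" \
      -e "s;<DOMAIN>;$DOMAIN;g" \
      -e "s;<OCSP_PORT>;$OCSP_PORT;g" \
      -e "s;<DOMAIN_NAME>;$DOMAIN_NAME;g" \
      root-ca.cnf.sample > "$root_dir/openssl.cnf"
  # Root CA private key. It is written without a passphrase so signing runs non-interactively;
  # acceptable only for a test PKI - the 0700/0400 modes are the only protection it gets.
  openssl genrsa -out "$root_dir/private/ca.key.pem" 4096
  chmod 400 "$root_dir/private/ca.key.pem"
  # Self-signed root certificate (20 years) with the v3_ca extension section from the template
  openssl req -config "$root_dir/openssl.cnf" \
    -key "$root_dir/private/ca.key.pem" \
    -new -x509 -days 7300 -sha256 -extensions v3_ca \
    -subj "/C=US/ST=New York/O=$DOMAIN_NAME/CN=$namespace-root-ca.$DOMAIN" \
    -out "$root_dir/certs/ca.cert.pem"
  # Dump out cert details so the run log shows what was issued
  openssl x509 -noout -text -in "$root_dir/certs/ca.cert.pem"
}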
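create_intermediate() {
  # Create the intermediate CA for one namespace under certs/<namespace>/intermediate and have
  # the namespace's root CA (create_root must already have run) sign it for 10 years.
  #   $1 namespace, $2 DNS domain, $3 organisation name, $4 OCSP port for the cnf template.
  # Leaves the cwd at $ROOTDIR.
  local namespace=$1
  local DOMAIN=$2
  local DOMAIN_NAME=$3
  local OCSP_PORT=$4
  local int_dir="certs/$namespace/intermediate"
  echo "Creating Intermediate Key - $namespace"
  cd "$ROOTDIR"
  # `openssl ca` database for the intermediate; crlnumber is what later lets it issue CRLs.
  # Subdirectories are created without -p on purpose: a leftover tree aborts rather than
  # silently resetting serial/index of an existing CA.
  mkdir -p "$int_dir"
  mkdir "$int_dir/certs" "$int_dir/crl" "$int_dir/csr" "$int_dir/newcerts" "$int_dir/private"
  chmod 700 "$int_dir/private"
  touch "$int_dir/index.txt"
  echo 1000 > "$int_dir/serial"
  echo 1000 > "$int_dir/crlnumber"
  # Instantiate the template; <ROOTDIR> stays relative ('.') for Cygwin.
  # ';' is the sed delimiter, so substituted values must not contain ';'.
  sed -e "s;<namespace>;$namespace;g" \
      -e "s;<ROOTDIR>;.;g" \
      -e "s;<DOMAIN>;$DOMAIN;g" \
      -e "s;<OCSP_PORT>;$OCSP_PORT;g" \
      -e "s;<DOMAIN_NAME>;$DOMAIN_NAME;g" \
      intermediate-ca.cnf.sample > "$int_dir/openssl.cnf"
  # Unencrypted 4096-bit key so signing stays non-interactive (test PKI only)
  openssl genrsa -out "$int_dir/private/intermediate.key.pem" 4096
  chmod 400 "$int_dir/private/intermediate.key.pem"
  # CSR for the intermediate (note: its CN carries no namespace prefix, unlike the root's)
  openssl req -config "$int_dir/openssl.cnf" -new -sha256 \
    -subj "/C=US/ST=New York/O=$DOMAIN_NAME/CN=intermediate-ca.$DOMAIN" \
    -key "$int_dir/private/intermediate.key.pem" \
    -out "$int_dir/csr/intermediate.csr.pem"
  # Sign with the ROOT CA's config and key, using the v3_intermediate_ca section defined in
  # the root template (not visible here); -batch suppresses the confirmation prompts.
  openssl ca -batch -config "certs/$namespace/root/openssl.cnf" -extensions v3_intermediate_ca \
    -days 3650 -notext -md sha256 \
    -in "$int_dir/csr/intermediate.csr.pem" \
    -out "$int_dir/certs/intermediate.cert.pem"
  chmod 444 "$int_dir/certs/intermediate.cert.pem"
  # Dump out the issued certificate for the run log
  openssl x509 -noout -text -in "$int_dir/certs/intermediate.cert.pem"
}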
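create_certificatechain() {
  # Assemble the CA bundle that later steps verify against: the intermediate certificate
  # followed by the root certificate, written next to the intermediate cert, plus a standalone
  # copy of the root cert in the same directory.
  #   $1 namespace (create_root and create_intermediate must already have run for it)
  # Leaves the cwd at $ROOTDIR.
  local namespace=$1
  local int_certs="certs/$namespace/intermediate/certs"
  local root_cert="certs/$namespace/root/certs/ca.cert.pem"
  cd "$ROOTDIR"
  # Leaf-side first, root last - the order PEM chain consumers walk
  cat "$int_certs/intermediate.cert.pem" "$root_cert" > "$int_certs/ca-chain.cert.pem"
  chmod 444 "$int_certs/ca-chain.cert.pem"
  cp "$root_cert" "$int_certs/root-ca.cert.pem"
}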
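create_server_cert() {
  # Issue a server (TLS) certificate for <hostname>.<domain>, signed by the namespace's
  # intermediate CA, under certs/<namespace>/<hostname>.
  #   $1 namespace, $2 DNS domain, $3 organisation name, $4 short hostname
  # Reads LOCAL_IP from the environment (presumably set by env.sh). Leaves the cwd at $ROOTDIR.
  local namespace=$1
  local DOMAIN=$2
  local DOMAIN_NAME=$3
  local hostname=$4
  local host_dir="certs/$namespace/$hostname"
  local fqdn="$hostname.$DOMAIN"
  local int_cnf="certs/$namespace/intermediate/openssl.cnf"
  local chain="certs/$namespace/intermediate/certs/ca-chain.cert.pem"
  echo "Creating Server Key - $hostname $namespace"
  cd "$ROOTDIR"
  # Per-host directory (no -p: a leftover directory for this host aborts under set -e)
  mkdir "$host_dir"
  mkdir "$host_dir/certs" "$host_dir/crl" "$host_dir/csr" "$host_dir/newcerts" "$host_dir/private"
  chmod 700 "$host_dir/private"
  # genpkey writes the key in PKCS#8 form; the consumers need that rather than the legacy
  # "RSA PRIVATE KEY" encoding genrsa produces. Unencrypted, so it is locked to 0400.
  openssl genpkey -out "$host_dir/private/$fqdn.key.pem" -algorithm RSA -pkeyopt rsa_keygen_bits:2048
  chmod 400 "$host_dir/private/$fqdn.key.pem"
  # CSR with the SAN the servers are reached by. NOTE: localhost/127.0.0.1/0.0.0.0/$LOCAL_IP
  # are added for single-host dev setups; it also means every server cert in this PKI is valid
  # for localhost, so any one server key can impersonate any other over loopback. Test-only.
  # The SAN from the CSR only survives signing if the intermediate cnf enables copy_extensions
  # (not visible here) - check the x509 dump below for the SAN before relying on it.
  openssl req -config "$int_cnf" \
    -subj "/C=US/ST=New York/O=$DOMAIN_NAME/CN=$fqdn" \
    -addext "subjectAltName = DNS:$fqdn,DNS:localhost,IP:127.0.0.1,IP:0.0.0.0,IP:$LOCAL_IP" \
    -key "$host_dir/private/$fqdn.key.pem" \
    -new -sha256 -out "$host_dir/csr/$fqdn.csr.pem"
  # Sign with the intermediate using its server_cert extension section, 1 year validity
  openssl ca -batch -config "$int_cnf" \
    -extensions server_cert -days 365 -notext -md sha256 \
    -in "$host_dir/csr/$fqdn.csr.pem" \
    -out "$host_dir/certs/$fqdn.cert.pem"
  chmod 444 "$host_dir/certs/$fqdn.cert.pem"
  openssl x509 -noout -text -in "$host_dir/certs/$fqdn.cert.pem"
  # Validate chain of trust back to this namespace's root (aborts the run on failure)
  openssl verify -CAfile "$chain" "$host_dir/certs/$fqdn.cert.pem"
  # Full presentation chain for servers: leaf, intermediate, root
  cat "$host_dir/certs/$fqdn.cert.pem" "$chain" > "$host_dir/certs/$hostname-chain.$DOMAIN.cert.pem"
}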
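verify_cert() {
  # Validate a server certificate produced by create_server_cert: dump it and verify that it
  # chains to the namespace's CA bundle. A failed verify aborts the run under set -e.
  #   $1 namespace, $2 DNS domain, $3 short hostname
  # Leaves the cwd at $ROOTDIR.
  local namespace=$1
  local DOMAIN=$2
  local hostname=$3
  local cert="certs/$namespace/$hostname/certs/$hostname.$DOMAIN.cert.pem"
  echo "Validate Server Cert"
  cd "$ROOTDIR"
  openssl x509 -in "$cert" -noout -text
  # Dumping the cert proves nothing about trust; actually verify it against the chain
  openssl verify -CAfile "certs/$namespace/intermediate/certs/ca-chain.cert.pem" "$cert"
}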
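create_client() {
  # Issue a client (mTLS) certificate for <clientname>, signed by the namespace's intermediate
  # CA, into the shared certs/<namespace>/client directory, and export DER copies of the
  # certificate and the (unencrypted) key.
  #   $1 namespace, $2 DNS domain, $3 organisation name, $4 client name (becomes the CN)
  # Reads LOCAL_IP from the environment (presumably set by env.sh). Leaves the cwd at $ROOTDIR.
  local namespace=$1
  local DOMAIN=$2
  local DOMAIN_NAME=$3
  local clientname=$4
  local client_dir="certs/$namespace/client"
  local base="$client_dir/$clientname.$DOMAIN"
  local int_cnf="certs/$namespace/intermediate/openssl.cnf"
  echo "Creating Client Key"
  cd "$ROOTDIR"
  # Shared directory for all clients of this namespace; it may already exist
  mkdir -p "$client_dir"
  openssl genpkey -out "$base.key.pem" -algorithm RSA -pkeyopt rsa_keygen_bits:2048
  # Keep client keys at the same 0400 the script applies to every CA and server key instead
  # of relying on whatever mode openssl happened to create the file with.
  chmod 400 "$base.key.pem"
  # NOTE: the client SAN carries the same localhost/127.0.0.1/0.0.0.0/$LOCAL_IP entries as the
  # server certs; whether they end up in the issued cert depends on the usr_cert section and
  # copy_extensions in the intermediate cnf (not visible here).
  openssl req -new -key "$base.key.pem" \
    -subj "/C=US/ST=New York/O=$DOMAIN_NAME/CN=$clientname" \
    -addext "subjectAltName = DNS:$clientname.$DOMAIN,DNS:localhost,IP:127.0.0.1,IP:0.0.0.0,IP:$LOCAL_IP" \
    -out "$base.csr.pem"
  # Sign with the intermediate's usr_cert section. No -days here, so the validity comes from
  # the cnf (presumably default_days) rather than the 365 days server certs get.
  openssl ca -batch -config "$int_cnf" \
    -extensions usr_cert -notext -md sha256 \
    -in "$base.csr.pem" \
    -out "$base.cert.pem"
  # Validate the issued cert chains to this namespace's root
  openssl verify -CAfile "certs/$namespace/intermediate/certs/ca-chain.cert.pem" "$base.cert.pem"
  # DER copies for consumers that cannot read PEM. -nocrypt exports the key in the clear,
  # so it gets the same 0400 mode as the PEM key.
  openssl x509 -in "$base.cert.pem" -inform pem -outform der -out "$base.cert.der"
  openssl pkcs8 -topk8 -inform PEM -outform DER -in "$base.key.pem" -out "$base.key.der" -nocrypt
  chmod 400 "$base.key.der"
}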
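revoke_client() {
  # Revoke a client certificate issued by create_client and reissue the intermediate's CRL.
  #   $1 namespace   (default: domain)
  #   $2 DNS domain  (default: acme.com)
  #   $3 client name (default: client1)
  # Paths follow the certs/<namespace>/... layout the rest of this script creates; the
  # previous version pointed at certs/intermediate and certs/client, which never exist.
  # Does not change the cwd.
  local namespace=${1:-domain}
  local DOMAIN=${2:-acme.com}
  local clientname=${3:-client1}
  local int_dir="$ROOTDIR/certs/$namespace/intermediate"
  echo "Revoking client cert - $clientname $namespace"
  # Marks the certificate's entry as revoked in the intermediate's index.txt
  openssl ca -batch -config "$int_dir/openssl.cnf" \
    -revoke "$ROOTDIR/certs/$namespace/client/$clientname.$DOMAIN.cert.pem"
  # Revocation is invisible to relying parties until a fresh CRL is issued; crlnumber was
  # seeded in create_intermediate for this. Assumes the intermediate template sets
  # default_crl_days (as the referenced jamielinux layout does) - otherwise add -crldays.
  openssl ca -batch -config "$int_dir/openssl.cnf" \
    -gencrl -out "$int_dir/crl/intermediate.crl.pem"
}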
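# On MacOS use brew installed openssl 1.1.1 (this script uses `req -addext`, which older
# openssl releases do not have)
export PATH=/usr/local/opt/openssl/bin:$PATH
# env.sh in the working directory is expected to define LOCAL_IP, the OCSP_*_PORT variables
# and get_os_type (which sets _GET_OS_TYPE). Source it by explicit path: a bare `source env.sh`
# looks through $PATH before the cwd, and a directory was just prepended to PATH.
if [[ ! -f ./env.sh ]]; then
  echo "env.sh not found in $PWD" >&2
  exit 1
fi
source ./env.sh
export ROOTDIR=$PWD
cd "$ROOTDIR"
# LOCAL_IP is spliced into every SAN; fail here with a clear message instead of deep inside
# openssl req with an "invalid IP address" error.
: "${LOCAL_IP:?LOCAL_IP must be set (normally by env.sh)}"
# Start from scratch: the CA databases (index.txt / serial) are recreated by create_root and
# create_intermediate, which also create the certs/ tree.
clean_directory
# One root + intermediate CA per namespace
create_root "domain" "acme.com" "ACME Corp LLC" "$OCSP_DOMAIN_ROOT_PORT"
create_intermediate "domain" "acme.com" "ACME Corp LLC" "$OCSP_DOMAIN_INTERMEDIATE_PORT"
create_certificatechain domain
create_root "participant1" "customer1.com" "Customer1 LLC" "$OCSP_PARTICIPANT1_ROOT_PORT"
create_intermediate "participant1" "customer1.com" "Customer1 LLC" "$OCSP_PARTICIPANT1_INTERMEDIATE_PORT"
create_certificatechain participant1
create_root "participant2" "customer2.com" "Customer2 LLC" "$OCSP_PARTICIPANT2_ROOT_PORT"
create_intermediate "participant2" "customer2.com" "Customer2 LLC" "$OCSP_PARTICIPANT2_INTERMEDIATE_PORT"
create_certificatechain participant2
# Domain (synchronizer) side: server certs for each component, client certs for the callers
create_server_cert "domain" "acme.com" "ACME Corp LLC" domain-manager
create_server_cert "domain" "acme.com" "ACME Corp LLC" sequencer
create_server_cert "domain" "acme.com" "ACME Corp LLC" mediator
create_server_cert "domain" "acme.com" "ACME Corp LLC" db
verify_cert "domain" "acme.com" domain-manager
create_client "domain" "acme.com" "ACME Corp LLC" admin-api
create_client "domain" "acme.com" "ACME Corp LLC" sequencer
create_client "domain" "acme.com" "ACME Corp LLC" mediator
create_client "domain" "acme.com" "ACME Corp LLC" domain
create_client "domain" "acme.com" "ACME Corp LLC" remote-admin
get_os_type
if [[ "${_GET_OS_TYPE}" =~ 'CYGWIN_NT' ]]; then
  # Windows only supports a single postgres instance so all the TLS certs will be from the domain
  # for cygwin. Create in the 'domain' pki
  create_client "domain" "acme.com" "ACME Corp LLC" participant1
  create_client "domain" "acme.com" "ACME Corp LLC" participant2
fi
# Participant side: each participant has its own PKI namespace
create_server_cert "participant1" "customer1.com" "Customer1 LLC" participant1
verify_cert "participant1" "customer1.com" participant1
create_server_cert "participant1" "customer1.com" "Customer1 LLC" auth
create_server_cert "participant1" "customer1.com" "Customer1 LLC" db
create_server_cert "participant1" "customer1.com" "Customer1 LLC" json
create_client "participant1" "customer1.com" "Customer1 LLC" admin-api
create_client "participant1" "customer1.com" "Customer1 LLC" participant1
create_server_cert "participant2" "customer2.com" "Customer2 LLC" participant2
create_server_cert "participant2" "customer2.com" "Customer2 LLC" auth
create_server_cert "participant2" "customer2.com" "Customer2 LLC" db
create_server_cert "participant2" "customer2.com" "Customer2 LLC" json
create_client "participant2" "customer2.com" "Customer2 LLC" admin-api
create_client "participant2" "customer2.com" "Customer2 LLC" participant2
echo "Complete making the certificates"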