Listing 15. setup-ca.sh

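#!/bin/bash
# setup-ca.sh - builds a two-tier demo PKI under /opt/ca/tmnt:
#   root CA -> intermediate CA -> one server certificate (*.tmnt.local) and
#   one client certificate (Donatello). Every step pauses for Enter so the
#   output can be inspected; re-running wipes and recreates /opt/ca/tmnt.
#
# Environment (all optional; the defaults are demo values only - override
# them for anything real, and keep real passphrases out of this file):
#   TMNT_ROOT_PASS, TMNT_INTER_PASS, TMNT_SERVER_PASS, TMNT_CLIENT_PASS
#     passphrases for the four private keys. They are handed to openssl as
#     env:NAME rather than pass:VALUE so they do not show up in `ps` or in
#     shell history.
#   TMNT_ROOT_DAYS, TMNT_INTER_DAYS, TMNT_LEAF_DAYS
#     validity in days for each tier. Each tier must be shorter than its
#     issuer's, otherwise the issued certificate outlives the one that
#     signed it (the original 7300/7300/7500 layout had that problem).
#
# Requires: bash, openssl, sudo (to create /opt/ca); `tree` is optional.
set -euo pipefail

readonly CA_DIR=/opt/ca/tmnt
readonly INT_DIR="${CA_DIR}/intermediate"

# openssl reads env:NAME from the environment, so the variables must be exported.
export TMNT_ROOT_PASS="${TMNT_ROOT_PASS:-rootpass}"
export TMNT_INTER_PASS="${TMNT_INTER_PASS:-interpass}"
export TMNT_SERVER_PASS="${TMNT_SERVER_PASS:-tmntpass}"
export TMNT_CLIENT_PASS="${TMNT_CLIENT_PASS:-donatellopass}"

# Validity ladder: root (20y) > intermediate (10y) > leaf (~27 months).
readonly ROOT_DAYS="${TMNT_ROOT_DAYS:-7300}"
readonly INTER_DAYS="${TMNT_INTER_DAYS:-3650}"
readonly LEAF_DAYS="${TMNT_LEAF_DAYS:-825}"

#######################################
# Print a prompt and wait for Enter.
# Arguments: $1 - prompt text
#######################################
pause() {
  read -r -p "$1"
}

#######################################
# Show a directory tree; fall back to find(1) when tree(1) is absent so a
# missing optional tool does not abort the run under set -e.
# Arguments: $1 - directory to list
#######################################
show_tree() {
  if command -v tree >/dev/null 2>&1; then
    tree "$1"
  else
    find "$1" -print
  fi
}

pause "Step 0 - Press enter to delete /opt/ca/tmnt"
# /opt/ca is created with sudo below and stays root-owned, so removing the
# tmnt entry from it also needs sudo; a plain rm -fr fails on every re-run.
# ${CA_DIR:?} guards against an empty path turning this into `rm -rf /`.
sudo rm -rf -- "${CA_DIR:?}"

pause "Step 1 - Press enter to make the /opt/ca/tmnt directory tree"
sudo mkdir -p "${CA_DIR}"/{certs,newcerts,private}
sudo mkdir -p "${INT_DIR}"/{certs,csr,newcerts,private}
sudo chown -R "$(id -un)" "${CA_DIR}"
# private/ holds the (encrypted) CA keys; keep other local users out.
chmod 700 "${CA_DIR}/private" "${INT_DIR}/private"
show_tree "${CA_DIR}"

pause "Step 2 - Press enter to prepare auxiliary files"
# Both CA databases start empty with a fixed initial serial; unique_subject
# makes `openssl ca` refuse a second certificate for the same subject.
for ca_home in "${CA_DIR}" "${INT_DIR}"; do
  touch -- "${ca_home}/index.txt"
  printf 'unique_subject = yes\n' > "${ca_home}/index.txt.attr"
  printf 'FFFFFF\n' > "${ca_home}/serial"
done
show_tree "${CA_DIR}"

pause "Step 3 - Press enter to prepare /opt/ca/tmnt/openssl.root.cnf"
# Unquoted here-doc: ${CA_DIR} and ${INTER_DAYS} expand now, while \$dir is
# left as the literal $dir that openssl's config parser resolves itself.
cat <<ROOT_CONF > "${CA_DIR}/openssl.root.cnf"
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_ca

[ req_distinguished_name ]
commonName = TMNT Root CA
stateOrProvinceName = Victoria
countryName = AU
emailAddress = admin@tmnt.local
organizationName = TMNT Inc

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign

[ ca ]
default_ca = ca_tmnt_root

[ ca_tmnt_root ]
dir = ${CA_DIR}
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/private/root.key.pem
certificate = \$dir/certs/root.cert.pem
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = ${INTER_DAYS}
policy = ca_tmnt_root_policy

[ ca_tmnt_root_policy ]
commonName = supplied
stateOrProvinceName = match
countryName = match
emailAddress = optional
organizationName = match
organizationalUnitName = optional
ROOT_CONF
cat "${CA_DIR}/openssl.root.cnf"

pause "Step 4 - Press enter to generate the root key pair"
cd "${CA_DIR}"
# Self-signed root; key size comes from default_bits in the config.
openssl req -config openssl.root.cnf \
  -x509 \
  -passout env:TMNT_ROOT_PASS \
  -days "${ROOT_DAYS}" \
  -newkey rsa \
  -keyout private/root.key.pem \
  -out certs/root.cert.pem
echo "Inspecting root.cert.pem"
openssl x509 -noout -text \
  -in certs/root.cert.pem \
  -fingerprint -sha256

pause "Step 5 - Press enter to prepare /opt/ca/tmnt/intermediate/openssl.intermediate.cnf"
cat <<INTERMEDIATE_CONF > "${INT_DIR}/openssl.intermediate.cnf"
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
stateOrProvinceName_default = Victoria
countryName_default = AU
emailAddress_default = admin@tmnt.local
organizationName_default = TMNT Inc

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign

[ ca ]
default_ca = ca_tmnt_intermediate

[ ca_tmnt_intermediate ]
dir = ${INT_DIR}
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/private/intermediate.key.pem
certificate = \$dir/certs/intermediate.cert.pem
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = ${LEAF_DAYS}
policy = ca_tmnt_intermediate_policy

[ ca_tmnt_intermediate_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ client_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Modern TLS clients match host names against subjectAltName only and ignore
# the CN, so the wildcard must be repeated here; the apex is added because a
# wildcard does not cover it.
subjectAltName = DNS:*.tmnt.local, DNS:tmnt.local
INTERMEDIATE_CONF
cat "${INT_DIR}/openssl.intermediate.cnf"

pause "Step 6 - Press enter to generate the intermediate private key"
cd "${INT_DIR}"
openssl genrsa \
  -aes256 \
  -passout env:TMNT_INTER_PASS \
  -out private/intermediate.key.pem 2048

pause "Step 7 - Press enter to generate the CSR for the intermediate CA's certificate"
cd "${INT_DIR}"
# No -days here: it only applies to -x509 output and is ignored for a CSR.
openssl req \
  -config openssl.intermediate.cnf \
  -new \
  -sha256 \
  -key private/intermediate.key.pem \
  -passin env:TMNT_INTER_PASS \
  -subj "/emailAddress=admin@tmnt.local/C=AU/ST=Victoria/O=TMNT Inc/CN=TMNT Intermediate CA" \
  -out csr/intermediate.csr.pem

pause "Step 8 - Press enter to sign the the intermediate CA's certificate"
cd "${CA_DIR}"
# Signed by the root; v3_intermediate_ca carries pathlen:0 so this CA can
# only issue end-entity certificates.
openssl ca -config openssl.root.cnf \
  -extensions v3_intermediate_ca \
  -notext \
  -days "${INTER_DAYS}" \
  -passin env:TMNT_ROOT_PASS \
  -in intermediate/csr/intermediate.csr.pem \
  -out intermediate/certs/intermediate.cert.pem

pause "Step 9 - Press enter to generate the private key for *.tmnt.local"
cd "${INT_DIR}"
openssl genrsa \
  -passout env:TMNT_SERVER_PASS \
  -aes256 \
  -out private/tmnt.local.key.pem 2048

pause "Step 10 - Press enter to generate the CSR for *.tmnt.local"
cd "${INT_DIR}"
openssl req \
  -config openssl.intermediate.cnf \
  -key private/tmnt.local.key.pem \
  -new \
  -sha256 \
  -passin env:TMNT_SERVER_PASS \
  -subj "/emailAddress=admin@tmnt.local/C=AU/ST=Victoria/O=TMNT Inc/CN=*.tmnt.local" \
  -out csr/tmnt.local.csr.pem

pause "Step 11 - Press enter to sign the certificate for *.tmnt.local"
cd "${INT_DIR}"
openssl ca \
  -config openssl.intermediate.cnf \
  -passin env:TMNT_INTER_PASS \
  -extensions server_cert \
  -days "${LEAF_DAYS}" \
  -md sha256 \
  -in csr/tmnt.local.csr.pem \
  -out certs/tmnt.local.cert.pem

pause "Step 12 - Press enter to generate the private key for Donatello"
cd "${INT_DIR}"
openssl genrsa \
  -passout env:TMNT_CLIENT_PASS \
  -aes256 \
  -out private/donatello.key.pem 2048

pause "Step 13 - Press enter to generate the CSR for Donatello"
cd "${INT_DIR}"
openssl req \
  -config openssl.intermediate.cnf \
  -key private/donatello.key.pem \
  -new \
  -sha256 \
  -passin env:TMNT_CLIENT_PASS \
  -subj "/emailAddress=donatello@tmnt.local/C=AU/ST=Victoria/O=TMNT Inc/CN=Donatello" \
  -out csr/donatello.csr.pem

pause "Step 14 - Press enter to sign the certificate for Donatello"
cd "${INT_DIR}"
openssl ca \
  -config openssl.intermediate.cnf \
  -passin env:TMNT_INTER_PASS \
  -extensions client_cert \
  -days "${LEAF_DAYS}" \
  -md sha256 \
  -in csr/donatello.csr.pem \
  -out certs/donatello.cert.pem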