|
#!/bin/bash
|
|
|
|
CERTS_DIR=certs
|
|
|
|
THIRDPARTY_CA_CERT_NAME=ca-thirdparty
|
|
if [[ ! -f "$CERTS_DIR/$THIRDPARTY_CA_CERT_NAME.key" || ! -f "$CERTS_DIR/$THIRDPARTY_CA_CERT_NAME.crt" ]]; then
|
|
echo "Generate CA"
|
|
openssl genrsa -out $CERTS_DIR/$THIRDPARTY_CA_CERT_NAME.key 2048
|
|
openssl req -x509 -new -nodes -key $CERTS_DIR/$THIRDPARTY_CA_CERT_NAME.key -sha256 -days 3650 -out $CERTS_DIR/$THIRDPARTY_CA_CERT_NAME.crt -subj "/CN=Thirdparty CA"
|
|
else
|
|
echo "Thirdparty CA certificate exists. Skipping."
|
|
fi
|
|
|
|
CA_CERT_NAME=ca
|
|
if [[ ! -f "$CERTS_DIR/$CA_CERT_NAME.key" || ! -f "$CERTS_DIR/$CA_CERT_NAME.crt" ]]; then
|
|
echo "Generate CA"
|
|
openssl genrsa -out $CERTS_DIR/$CA_CERT_NAME.key 2048
|
|
openssl req -x509 -new -nodes -key $CERTS_DIR/$CA_CERT_NAME.key -sha256 -days 3650 -out $CERTS_DIR/$CA_CERT_NAME.crt -subj "/CN=Test Self-Signed CA"
|
|
else
|
|
echo "CA certificate exists. Skipping."
|
|
fi
|
|
|
|
CA_BUNDLE=ca-bundle
|
|
if [[ ! -f "$CERTS_DIR/$CA_BUNDLE.crt" ]]; then
|
|
echo "Generate CA bundle"
|
|
cat $CERTS_DIR/$THIRDPARTY_CA_CERT_NAME.crt $CERTS_DIR/$CA_CERT_NAME.crt > $CERTS_DIR/$CA_BUNDLE.crt
|
|
else
|
|
echo "CA certificate bundle exists. Skipping."
|
|
fi
|
|
|
|
CA_BUNDLE=ca-bundle-with-trust-rules
|
|
CA_CERT_WITH_TRUST_RULES=ca-with-trust-rules
|
|
if [[ ! -f "$CERTS_DIR/$CA_BUNDLE.crt" ]]; then
|
|
echo "Generate CA bundle with trust rules"
|
|
openssl x509 -in $CERTS_DIR/$CA_CERT_NAME.crt -addtrust serverAuth -out $CERTS_DIR/$CA_CERT_WITH_TRUST_RULES.crt
|
|
cat $CERTS_DIR/$THIRDPARTY_CA_CERT_NAME.crt $CERTS_DIR/$CA_CERT_WITH_TRUST_RULES.crt > $CERTS_DIR/$CA_BUNDLE.crt
|
|
else
|
|
echo "CA certificate bundle with trust rules exists. Skipping."
|
|
fi
|
|
|
|
CERT_NAME=foreman.example.com
|
|
if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
|
|
echo "Generate server certificate"
|
|
openssl genrsa -out $CERTS_DIR/$CERT_NAME.key 2048
|
|
openssl req -new -key $CERTS_DIR/$CERT_NAME.key -out $CERTS_DIR/$CERT_NAME.csr -subj "/CN=foreman.example.com"
|
|
openssl x509 -req -in $CERTS_DIR/$CERT_NAME.csr -CA $CERTS_DIR/$CA_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CERT_NAME.crt -days 3650 -sha256 -extfile extensions.txt -extensions extensions
|
|
else
|
|
echo "Server certificate exists. Skipping."
|
|
fi
|
|
|
|
CERT_NAME=invalid
|
|
if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
|
|
echo "Generate invalid server certificate"
|
|
openssl genrsa -out $CERTS_DIR/$CERT_NAME.key 2048
|
|
openssl req -new -key $CERTS_DIR/$CERT_NAME.key -out $CERTS_DIR/$CERT_NAME.csr -subj "/CN=foreman.example.com"
|
|
openssl x509 -req -in $CERTS_DIR/$CERT_NAME.csr -CA $CERTS_DIR/$CA_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CERT_NAME.crt -days 3650 -sha256 -extfile extensions.txt -extensions client_extensions
|
|
else
|
|
echo "Invalid server certificate exists. Skipping."
|
|
fi
|
|
|
|
CERT_NAME=wildcard
|
|
if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
|
|
echo "Generate server certificate"
|
|
openssl genrsa -out $CERTS_DIR/$CERT_NAME.key 2048
|
|
openssl req -new -key $CERTS_DIR/$CERT_NAME.key -out $CERTS_DIR/$CERT_NAME.csr -subj "/CN=*.example.com"
|
|
openssl x509 -req -in $CERTS_DIR/$CERT_NAME.csr -CA $CERTS_DIR/$CA_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CERT_NAME.crt -days 3650 -sha256 -extfile extensions.txt -extensions wildcard_extensions
|
|
else
|
|
echo "Wildcard server certificate exists. Skipping."
|
|
fi
|
|
|
|
CERT_NAME=shortname
|
|
if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
|
|
echo "Generate shortname server certificate"
|
|
openssl genrsa -out $CERTS_DIR/$CERT_NAME.key 2048
|
|
openssl req -new -key $CERTS_DIR/$CERT_NAME.key -out $CERTS_DIR/$CERT_NAME.csr -subj "/CN=foreman"
|
|
openssl x509 -req -in $CERTS_DIR/$CERT_NAME.csr -CA $CERTS_DIR/$CA_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CERT_NAME.crt -days 3650 -sha256 -extfile extensions.txt -extensions shortname_extensions
|
|
else
|
|
echo "Shortname server certificate exists. Skipping."
|
|
fi
|