client-cert-manager/ca.sh at master · datf/client-cert-manager · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/bin/sh
set -e

DATA_DIR="/data"
CONF_FILE="$DATA_DIR/ca.conf"
CA_KEY="$DATA_DIR/ca.key"
CA_CERT="$DATA_DIR/ca.crt"
CRL_FILE="$DATA_DIR/crl.pem"
INDEX_FILE="$DATA_DIR/index.txt"
SERIAL_FILE="$DATA_DIR/serial"

create_config() {
    cat > "$CONF_FILE" <<EOF
[ ca ]
default_ca = my_ca

[ my_ca ]
dir             = $DATA_DIR
database        = $INDEX_FILE
new_certs_dir   = $DATA_DIR
certificate     = $CA_CERT
private_key     = $CA_KEY
serial          = $SERIAL_FILE
crlnumber       = $DATA_DIR/crlnumber
default_md      = sha384
default_days    = 3650
default_crl_days= 30
policy          = policy_loose
copy_extensions = copy

[ policy_loose ]
commonName      = supplied
serialNumber    = optional
EOF
}

cmd_init() {
    CA_NAME="${1:-Test CA}"

    mkdir -p "$DATA_DIR"
    if [ -f "$CA_KEY" ]; then
        echo "CA already exists." >&2
        exit 1
    fi


    echo "Initializing CA \"${CA_NAME}\" (ECDSA P-384)..."
    touch "$INDEX_FILE"
    echo "1000" > "$SERIAL_FILE"
    echo "1000" > "$DATA_DIR/crlnumber"
    create_config

    # Create CA Private Key (ECC)
    openssl ecparam -name secp384r1 -genkey -noout -out "$CA_KEY"

    # Sign Root Cert (Self-Signed, SHA-384)
    openssl req -new -x509 -days 3650 -key "$CA_KEY" -out "$CA_CERT" \
        -subj "/CN=${CA_NAME}" -sha384

    # Initial CRL
    openssl ca -config "$CONF_FILE" -gencrl -out "$CRL_FILE"

    echo "CA Initialized"
}

cmd_new() {
    NAME="$1"
    UUID="$2"
    PASSWORD="${3:-changeit}"

    if [ -z "$NAME" ] || [ -z "$UUID" ]; then
        echo "Usage: new-client <name> <uuid> [password]" >&2
        exit 1
    fi

    SAFE_NAME=$(echo "$NAME" | tr -cd 'a-zA-Z0-9_-')
    KEY_FILE="$DATA_DIR/$SAFE_NAME.key"
    CSR_FILE="$DATA_DIR/$SAFE_NAME.csr"
    CRT_FILE="$DATA_DIR/$SAFE_NAME.crt"
    P12_FILE="$DATA_DIR/$SAFE_NAME.p12"

    echo "Creating Client Cert for $NAME..."

    # Client Key (ECC P-384)
    openssl ecparam -name secp384r1 -genkey -noout -out "$KEY_FILE"

    # CSR (SHA-384)
    SUBJECT="/CN=$NAME/serialNumber=$UUID"
    openssl req -new -key "$KEY_FILE" -out "$CSR_FILE" -subj "$SUBJECT" -sha384

    # Sign (2 Years)
    openssl ca -config "$CONF_FILE" -batch -days 825 -in "$CSR_FILE" -out "$CRT_FILE"

    # Export P12 (AES-256 Encryption with PASSWORD)
    openssl pkcs12 -export -out "$P12_FILE" \
        -inkey "$KEY_FILE" -in "$CRT_FILE" -certfile "$CA_CERT" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC \
        -passout "pass:$PASSWORD"

    rm "$CSR_FILE"

    echo "Created $P12_FILE"

    # openssl verify -CAfile "${CA_FILE}" "${P12_FILE}"

    echo "Import Password: $PASSWORD"
}

cmd_revoke() {
    NAME="$1"
    SAFE_NAME=$(echo "$NAME" | tr -cd 'a-zA-Z0-9_-')
    CRT_FILE="$DATA_DIR/$SAFE_NAME.crt"

    if [ ! -f "$CRT_FILE" ]; then
        echo "Cert not found." >&2
        exit 1
    fi

    echo "Revoking $NAME..."
    openssl ca -config "$CONF_FILE" -revoke "$CRT_FILE"
    openssl ca -config "$CONF_FILE" -gencrl -out "$CRL_FILE"
    echo "Revoked."
}

case "$1" in
    "init") cmd_init "$2" ;;
    "new-client") cmd_new "$2" "$3" "$4" ;;
    "revoke") cmd_revoke "$2" ;;
    *) echo "Usage: $0 {init [ca_name]|new-client <name> <uuid> [password]|revoke <name>}"; exit 1 ;;
esac