jhamrick · January 17, 2024 07:33 · Feb 2, 2015 · Feb 2, 2015 · Feb 2, 2015 · Feb 2, 2015
diff --git a/genkeys.sh b/genkeys.sh
@@ -11,7 +11,6 @@ set -o errexit
 
 USAGE="usage: sh ./genkeys.sh NAME HOSTNAME IP"
 ROOT="$(pwd)"
-FIRSTCERT="true"
 PASSFILE="${ROOT}/dev.password"
 PASSOPT="file:${ROOT}/dev.password"
 CAFILE="${ROOT}/ca.pem"
@@ -50,12 +49,12 @@ keypair() {
   local HOSTNAME=$2
   local IP=$3
 
-  local SERIALOPT="-CAserial ${ROOT}/ca.srl"
-  local EXTOPT=""
-
-  if [ "${FIRSTCERT}" = "true" ]; then
+  local SERIALOPT=""
+  if [ ! -f "${ROOT}/ca.srl" ]; then
+    echo ">> creating serial"
     SERIALOPT="-CAcreateserial"
-    FIRSTCERT="false"
+  else
+    SERIALOPT="-CAserial ${ROOT}/ca.srl"
   fi
 
   echo ">> generating a keypair for: ${NAME}"

diff --git a/genkeys.sh b/genkeys.sh
@@ -5,11 +5,11 @@
 # Based on script by Ash Wilson (@smashwilson)
 # https://github.com/cloudpipe/cloudpipe/pull/45/files#diff-15
 #
-# usage: ./genkeys.sh name hostname ip
+# usage: sh ./genkeys.sh NAME HOSTNAME IP
 
 set -o errexit
 
-USAGE="genkeys.sh name hostname ip"
+USAGE="usage: sh ./genkeys.sh NAME HOSTNAME IP"
 ROOT="$(pwd)"
 FIRSTCERT="true"
 PASSFILE="${ROOT}/dev.password"
@@ -66,7 +66,7 @@ keypair() {
     -out ${ROOT}/${NAME}-key.pem 2048
 
   cp ${ROOT}/openssl.cnf ${ROOT}/openssl-${NAME}.cnf
-  echo "IP.1 = ${IP}" >> ${ROOT}/openssl-${NAME}.cnf
+  echo "\nIP.1 = ${IP}" >> ${ROOT}/openssl-${NAME}.cnf
 
   echo ".. request"
   openssl req -subj "/CN=${HOSTNAME}" -new \

diff --git a/genkeys.sh b/genkeys.sh
@@ -11,6 +11,7 @@ set -o errexit
 
 USAGE="genkeys.sh name hostname ip"
 ROOT="$(pwd)"
+FIRSTCERT="true"
 PASSFILE="${ROOT}/dev.password"
 PASSOPT="file:${ROOT}/dev.password"
 CAFILE="${ROOT}/ca.pem"

diff --git a/openssl.cnf b/openssl.cnf
@@ -22,4 +22,4 @@ basicConstraints = CA:FALSE
 extendedKeyUsage = clientAuth,serverAuth
 subjectAltName = @alt_names
 
-[alt_names]
+[alt_names]
diff --git a/genkeys.sh b/genkeys.sh
@@ -97,15 +97,15 @@ keypair() {
 }
 
 # call with arguments name, hostname, and ip address
-if [ -x "$1" ]; then
+if [ -z "$1" ]; then
   echo "${USAGE}"
   exit 1
 fi
-if [ -x "$2" ]; then
+if [ -z "$2" ]; then
   echo "${USAGE}"
   exit 1
 fi
-if [ -x "$3" ]; then
+if [ -z "$3" ]; then
   echo "${USAGE}"
   exit 1
 fi

diff --git a/genkeys.sh b/genkeys.sh
@@ -9,6 +9,7 @@
 
 set -o errexit
 
+USAGE="genkeys.sh name hostname ip"
 ROOT="$(pwd)"
 PASSFILE="${ROOT}/dev.password"
 PASSOPT="file:${ROOT}/dev.password"
@@ -96,4 +97,17 @@ keypair() {
 }
 
 # call with arguments name, hostname, and ip address
+if [ -x "$1" ]; then
+  echo "${USAGE}"
+  exit 1
+fi
+if [ -x "$2" ]; then
+  echo "${USAGE}"
+  exit 1
+fi
+if [ -x "$3" ]; then
+  echo "${USAGE}"
+  exit 1
+fi
+
 keypair "$1" "$2" "$3"
diff --git a/genkeys.sh b/genkeys.sh
@@ -9,7 +9,7 @@
 
 set -o errexit
 
-ROOT="/root/certificates"
+ROOT="$(pwd)"
 PASSFILE="${ROOT}/dev.password"
 PASSOPT="file:${ROOT}/dev.password"
 CAFILE="${ROOT}/ca.pem"

diff --git a/genkeys.sh b/genkeys.sh
@@ -9,11 +9,11 @@
 
 set -o errexit
 
-FIRSTCERT="true"
-PASSFILE="/root/certificates/dev.password"
-PASSOPT="file:/root/certificates/dev.password"
-CAFILE="/root/certificates/ca.pem"
-CAKEY="/root/certificates/ca-key.pem"
+ROOT="/root/certificates"
+PASSFILE="${ROOT}/dev.password"
+PASSOPT="file:${ROOT}/dev.password"
+CAFILE="${ROOT}/ca.pem"
+CAKEY="${ROOT}/ca-key.pem"
 
 # Randomly create a password file, if you haven't supplied one already.
 # For development mode, we'll just use the same (random) password for everything.
@@ -48,7 +48,7 @@ keypair() {
   local HOSTNAME=$2
   local IP=$3
 
-  local SERIALOPT="-CAserial /root/certificates/ca.srl"
+  local SERIALOPT="-CAserial ${ROOT}/ca.srl"
   local EXTOPT=""
 
   if [ "${FIRSTCERT}" = "true" ]; then
@@ -61,36 +61,36 @@ keypair() {
   echo ".. key"
   openssl genrsa -des3 \
     -passout ${PASSOPT} \
-    -out /root/certificates/${NAME}-key.pem 2048
+    -out ${ROOT}/${NAME}-key.pem 2048
 
-  cp /root/certificates/openssl.cnf /root/certificates/openssl-${NAME}.cnf
-  echo "IP.1 = ${IP}" >> /root/certificates/openssl-${NAME}.cnf
+  cp ${ROOT}/openssl.cnf ${ROOT}/openssl-${NAME}.cnf
+  echo "IP.1 = ${IP}" >> ${ROOT}/openssl-${NAME}.cnf
 
   echo ".. request"
   openssl req -subj "/CN=${HOSTNAME}" -new \
     -batch \
     -passin ${PASSOPT} \
-    -key /root/certificates/${NAME}-key.pem \
+    -key ${ROOT}/${NAME}-key.pem \
     -passout ${PASSOPT} \
-    -out /root/certificates/${NAME}-req.csr \
-    -config /root/certificates/openssl-${NAME}.cnf
+    -out ${ROOT}/${NAME}-req.csr \
+    -config ${ROOT}/openssl-${NAME}.cnf
 
   echo ".. certificate"
   openssl x509 -req -days 365 \
     -passin ${PASSOPT} \
-    -in /root/certificates/${NAME}-req.csr \
+    -in ${ROOT}/${NAME}-req.csr \
     -CA ${CAFILE} \
     -CAkey ${CAKEY} \
     ${SERIALOPT} \
     -extensions v3_req \
-    -extfile /root/certificates/openssl-${NAME}.cnf \
-    -out /root/certificates/${NAME}-cert.pem \
+    -extfile ${ROOT}/openssl-${NAME}.cnf \
+    -out ${ROOT}/${NAME}-cert.pem \
 
   echo ".. removing key password"
   openssl rsa \
     -passin ${PASSOPT} \
-    -in /root/certificates/${NAME}-key.pem \
-    -out /root/certificates/${NAME}-key.pem
+    -in ${ROOT}/${NAME}-key.pem \
+    -out ${ROOT}/${NAME}-key.pem
 
   echo "<< ${NAME} keypair generated."
 }

diff --git a/genkeys.sh b/genkeys.sh
@@ -4,12 +4,16 @@
 #
 # Based on script by Ash Wilson (@smashwilson)
 # https://github.com/cloudpipe/cloudpipe/pull/45/files#diff-15
+#
+# usage: ./genkeys.sh name hostname ip
 
 set -o errexit
 
 FIRSTCERT="true"
 PASSFILE="/root/certificates/dev.password"
 PASSOPT="file:/root/certificates/dev.password"
+CAFILE="/root/certificates/ca.pem"
+CAKEY="/root/certificates/ca-key.pem"
 
 # Randomly create a password file, if you haven't supplied one already.
 # For development mode, we'll just use the same (random) password for everything.
@@ -24,17 +28,19 @@ if [ ! -f "${PASSFILE}" ]; then
 fi
 
 # Generate the certificate authority that we'll use as the root for all the things.
-echo ">> generating a certificate authority"
-openssl genrsa -des3 \
-  -passout ${PASSOPT} \
-  -out /root/certificates/ca-key.pem 2048
-openssl req -new -x509 -days 365 \
-  -batch \
-  -passin ${PASSOPT} \
-  -key /root/certificates/ca-key.pem \
-  -passout ${PASSOPT} \
-  -out /root/certificates/ca.pem
-echo "<< certificate authority generated."
+if [ ! -f "${CAFILE}" ]; then
+  echo ">> generating a certificate authority"
+  openssl genrsa -des3 \
+    -passout ${PASSOPT} \
+    -out ${CAKEY} 2048
+  openssl req -new -x509 -days 365 \
+    -batch \
+    -passin ${PASSOPT} \
+    -key ${CAKEY} \
+    -passout ${PASSOPT} \
+    -out ${CAFILE}
+  echo "<< certificate authority generated."
+fi
 
 # Generate a named keypair
 keypair() {
@@ -73,8 +79,8 @@ keypair() {
   openssl x509 -req -days 365 \
     -passin ${PASSOPT} \
     -in /root/certificates/${NAME}-req.csr \
-    -CA /root/certificates/ca.pem \
-    -CAkey /root/certificates/ca-key.pem \
+    -CA ${CAFILE} \
+    -CAkey ${CAKEY} \
     ${SERIALOPT} \
     -extensions v3_req \
     -extfile /root/certificates/openssl-${NAME}.cnf \
@@ -89,4 +95,5 @@ keypair() {
   echo "<< ${NAME} keypair generated."
 }
 
-keypair <name> <hostname> <ipaddress>
+# call with arguments name, hostname, and ip address
+keypair "$1" "$2" "$3"
diff --git a/genkeys → genkeys.sh b/genkeys → genkeys.sh
@@ -87,4 +87,6 @@ keypair() {
     -out /root/certificates/${NAME}-key.pem
 
   echo "<< ${NAME} keypair generated."
-}
+}
+
+keypair <name> <hostname> <ipaddress>
diff --git a/openssl.cnf b/openssl.cnf
@@ -0,0 +1,25 @@
+# From http://apetec.com/support/GenerateSAN-CSR.htm
+
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = US
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = MN
+localityName = Locality Name (eg, city)
+localityName_default = Minneapolis
+organizationalUnitName	= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Domain Control Validated
+commonName = Internet Widgits Ltd
+commonName_max	= 64
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth,serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
diff --git a/genkeys b/genkeys
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+#
+# Generate a set of TLS credentials that can be used to run development mode.
+#
+# Based on script by Ash Wilson (@smashwilson)
+# https://github.com/cloudpipe/cloudpipe/pull/45/files#diff-15
+
+set -o errexit
+
+FIRSTCERT="true"
+PASSFILE="/root/certificates/dev.password"
+PASSOPT="file:/root/certificates/dev.password"
+
+# Randomly create a password file, if you haven't supplied one already.
+# For development mode, we'll just use the same (random) password for everything.
+if [ ! -f "${PASSFILE}" ]; then
+  echo ">> creating a random password in ${PASSFILE}."
+  touch ${PASSFILE}
+  chmod 600 ${PASSFILE}
+  # "If the same pathname argument is supplied to -passin and -passout arguments then the first
+  # line will be used for the input password and the next line for the output password."
+  cat /dev/random | head -c 128 | base64 | sed -n '{p;p;}' >> ${PASSFILE}
+  echo "<< random password created"
+fi
+
+# Generate the certificate authority that we'll use as the root for all the things.
+echo ">> generating a certificate authority"
+openssl genrsa -des3 \
+  -passout ${PASSOPT} \
+  -out /root/certificates/ca-key.pem 2048
+openssl req -new -x509 -days 365 \
+  -batch \
+  -passin ${PASSOPT} \
+  -key /root/certificates/ca-key.pem \
+  -passout ${PASSOPT} \
+  -out /root/certificates/ca.pem
+echo "<< certificate authority generated."
+
+# Generate a named keypair
+keypair() {
+  local NAME=$1
+  local HOSTNAME=$2
+  local IP=$3
+
+  local SERIALOPT="-CAserial /root/certificates/ca.srl"
+  local EXTOPT=""
+
+  if [ "${FIRSTCERT}" = "true" ]; then
+    SERIALOPT="-CAcreateserial"
+    FIRSTCERT="false"
+  fi
+
+  echo ">> generating a keypair for: ${NAME}"
+
+  echo ".. key"
+  openssl genrsa -des3 \
+    -passout ${PASSOPT} \
+    -out /root/certificates/${NAME}-key.pem 2048
+
+  cp /root/certificates/openssl.cnf /root/certificates/openssl-${NAME}.cnf
+  echo "IP.1 = ${IP}" >> /root/certificates/openssl-${NAME}.cnf
+
+  echo ".. request"
+  openssl req -subj "/CN=${HOSTNAME}" -new \
+    -batch \
+    -passin ${PASSOPT} \
+    -key /root/certificates/${NAME}-key.pem \
+    -passout ${PASSOPT} \
+    -out /root/certificates/${NAME}-req.csr \
+    -config /root/certificates/openssl-${NAME}.cnf
+
+  echo ".. certificate"
+  openssl x509 -req -days 365 \
+    -passin ${PASSOPT} \
+    -in /root/certificates/${NAME}-req.csr \
+    -CA /root/certificates/ca.pem \
+    -CAkey /root/certificates/ca-key.pem \
+    ${SERIALOPT} \
+    -extensions v3_req \
+    -extfile /root/certificates/openssl-${NAME}.cnf \
+    -out /root/certificates/${NAME}-cert.pem \
+
+  echo ".. removing key password"
+  openssl rsa \
+    -passin ${PASSOPT} \
+    -in /root/certificates/${NAME}-key.pem \
+    -out /root/certificates/${NAME}-key.pem
+
+  echo "<< ${NAME} keypair generated."
+}