#!/bin/bash
#
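set -e
# Only the year is taken from the command line. It is spliced into file
# paths, the CRL/AIA URLs and an arithmetic expression ($((year + 2)) in
# genserver), so restrict it to four digits instead of passing arbitrary
# text through — bash evaluates array subscripts inside $(( )) and would
# otherwise run whatever is embedded in the argument.
usage() { printf 'Usage: %s <year>\n' "$0" >&2; exit 1; }
if [ -z "${1-}" ]; then usage; fi
year=$1
if ! [[ "$year" =~ ^[0-9]{4}$ ]]; then
  printf 'year must be four digits, got: %s\n' "$year" >&2
  exit 1
fi
# DOMAIN, KEYSIZE, points[] and caSign are expected to come from these two
# files (not visible here). They and generated/ are resolved relative to the
# current directory, so the script has to be run from the directory that
# holds them; `set -e` aborts if either file is missing.
. structure
. commonFunctions
cd generated
# CRL distribution point and AIA (OCSP + caIssuers) shared by every
# end-entity certificate issued below. Plain http is intentional for
# CRL/OCSP/caIssuers URLs (clients fetch them before trusting any TLS cert).
# The value starts with a newline on purpose so it can be dropped into the
# extension files as-is.
CRL="
crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/$year/env-1.crl
authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/$year/env-1.crt"
# write_ext_cnf FILE EKU
# Write the x509 extension file that caSign applies to one class of
# certificate. Every class is a critical CA:false end-entity cert whose RSA
# key may sign and transport keys; only the extendedKeyUsage differs.
# NOTE(review): no subjectAltName is emitted, so the server certs issued with
# req.cnf are CN-only. Modern TLS clients ignore CN and require a DNS SAN;
# add one here if these certs must be accepted by browsers.
write_ext_cnf() {
  local file=$1 eku=$2
  cat <<TESTCA > "$file"
basicConstraints = critical,CA:false
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage=$eku
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
$CRL
TESTCA
}
write_ext_cnf req.cnf       serverAuth
write_ext_cnf reqClient.cnf clientAuth
write_ext_cnf reqMail.cnf   emailProtection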
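# genserver KEY SUBJECT EXTCNF NAME
#   $1 path prefix: writes $1.key, $1.csr, $1.crt (via caSign) and $1.pkcs12
#   $2 subject DN for the CSR
#   $3 extension config file handed to caSign
#   $4 friendly name stored in the PKCS#12 bundle
# Relies on KEYSIZE, points[], caSign and year from the sourced files and the
# caller (not visible here). The certificate is valid from $year to $year+2,
# with points[1] supplying the rest of the date string for caSign.
genserver(){ #key, subject, config, name
  local key=$1 subject=$2 extcnf=$3 friendly=$4
  # An empty KEYSIZE would silently fall back to openssl's default size.
  : "${KEYSIZE:?KEYSIZE must be set (expected from structure)}"
  openssl genrsa -out "$key.key" "${KEYSIZE}"
  openssl req -new -key "$key.key" -out "$key.csr" -subj "$subject"
  caSign "$key" "$year/ca/env_${year}_1" "$extcnf" "${year}${points[1]}" "$((year + 2))${points[1]}"
  # The cert is dated in $year but `openssl pkcs12 -chain` verifies it at
  # "now", so the clock is shifted with libfaketime. Fail loudly if the
  # library is absent instead of letting an empty LD_PRELOAD skip the shift.
  local faketime_libs=(/usr/lib/*/faketime/libfaketime.so.1)
  if [ ! -e "${faketime_libs[0]}" ]; then
    printf 'libfaketime.so.1 not found under /usr/lib/*/faketime\n' >&2
    return 1
  fi
  # Bundle password: the well-known "changeit" remains the default because
  # this is local test infrastructure; override with PKCS12_PASS. It is
  # passed through the environment (env:) rather than "pass:" on argv so it
  # does not appear in ps output. Only one -name is given: openssl takes the
  # last -name anyway, so the earlier `-name $1` in the old form was inert.
  # NOTE(review): $key.key and $key.pkcs12 are written with the default
  # umask; tighten permissions here if anything other than the generating
  # user should be kept away from them.
  PKCS12_PASS="${PKCS12_PASS:-changeit}" TZ=UTC \
    LD_PRELOAD="${faketime_libs[0]}" FAKETIME="${year}-01-01 00:00:00" \
    openssl pkcs12 -inkey "$key.key" -in "$key.crt" -CAfile env.chain.crt -chain \
      -name "$friendly" -export -passout env:PKCS12_PASS -out "$key.pkcs12"
}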
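mkdir -p "$year/keys"
# Work files for this run: the three extension configs written above and the
# issuer chain used by `openssl pkcs12 -chain`. Remove them on any exit, not
# only after a successful run, so a failure does not leave stale configs
# behind to be picked up by the next invocation.
cleanup() { rm -f req.cnf reqMail.cnf reqClient.cnf env.chain.crt; }
trap cleanup EXIT
# Issuer chain for this year's environment CA: env_<year>_1 <- env <- root.
# The root cert is part of the file, so it is available to -chain and may be
# included in the bundles.
cat "$year/ca/env_${year}_1.ca/key.crt" env.ca/key.crt root.ca/key.crt > env.chain.crt
# generate environment-keys specific to gigi.
# first the server keys (serverAuth, CN-only — see req.cnf)
genserver "$year/keys/www"    "/CN=www.${DOMAIN}"    req.cnf www
genserver "$year/keys/secure" "/CN=secure.${DOMAIN}" req.cnf secure
genserver "$year/keys/static" "/CN=static.${DOMAIN}" req.cnf static
genserver "$year/keys/api"    "/CN=api.${DOMAIN}"    req.cnf api
# then the email signing key (emailProtection)
genserver "$year/keys/mail" "/emailAddress=support@${DOMAIN}" reqMail.cnf mail
# then environment-keys for cassiopeia: the handler authenticates as a TLS
# client (clientAuth), the signer as a TLS server (serverAuth).
genserver "$year/keys/signer_client" "/CN=CAcert signer handler 1" reqClient.cnf signer_client
genserver "$year/keys/signer_server" "/CN=CAcert signer 1"         req.cnf       signer_server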