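#!/bin/bash
##
## new-user-cert.sh - create the user cert for personal use.
## Copyright (c) 2000 Yeak Nai Siew, All Rights Reserved.
##
## Usage: new-user-cert.sh <cert-name>
##   Writes <cert-name>.key (unless one already exists and is kept) and
##   <cert-name>.csr into the current directory, using a throw-away
##   OpenSSL request config. The CSR is signed afterwards with
##   ./sign-user-cert.sh.
##
# Abort on the first failing command (e.g. openssl errors) instead of
# carrying on and producing a half-finished key/CSR pair.
set -euo pipefail

readonly KEYBITS=2048
readonly HASHALGO="sha256"

# Create the key. This should be done once per cert.
if [ $# -ne 1 ]; then
  # The single argument is the cert name; an e-mail address is the
  # conventional choice since it becomes the file prefix.
  echo "Usage: $0 user@example.com"
  exit 1
fi
CERT=$1

# if private key exists, ask if we want to generate a new key
if [ -f "$CERT.key" ]; then
  # -r keeps any backslash in the answer literal.
  read -r -p "a key for this cn is already existing, generate a new one? " ANSWER
  if [ "$ANSWER" == "Y" ] || [ "$ANSWER" == "y" ]; then
    rm -f -- "$CERT.key"
  fi
fi

if [ ! -f "$CERT.key" ]; then
  echo "No $CERT.key found. Generating one"
  # genrsa creates the output file under the process umask; tighten it in
  # a subshell so the private key is never world-readable, not even
  # briefly, without changing the mode of the CSR written later.
  (umask 077 && openssl genrsa -out "$CERT.key" "$KEYBITS")
  echo ""
fi

# Fill the necessary certificate data
CONFIG="user-cert.conf"
# The config is only needed for `openssl req`; make sure it does not
# linger if that step fails (set -e would otherwise skip the rm below).
trap 'rm -f -- "$CONFIG"' EXIT
# Unquoted delimiter on purpose: $KEYBITS and $HASHALGO are expanded.
# default_keyfile is superseded by the explicit -key argument below.
# keyUsage is digitalSignature only (no keyEncipherment), so the resulting
# cert asserts signing, not RSA key transport.
cat >"$CONFIG" <<EOT
[ req ]
default_bits = $KEYBITS
default_keyfile = user.key
default_md = $HASHALGO
distinguished_name = req_distinguished_name
string_mask = nombstr
req_extensions = v3_req
[ req_distinguished_name ]
commonName = Common Name (eg, John Doe)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ v3_req ]
subjectKeyIdentifier=hash
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning, msCodeInd, msCodeCom
nsCertType = client, email, objsign
EOT

echo "Fill in certificate data"
openssl req -new -config "$CONFIG" -key "$CERT.key" -out "$CERT.csr"
rm -f -- "$CONFIG"
echo ""
echo "You may now run ./sign-user-cert.sh to get it signed"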