From c8cec2320c629c0c2c8fe0b2b8dbfb34dad455fd Mon Sep 17 00:00:00 2001 From: Rodrigo Goncalves <rodrigo.g@ufsc.br> Date: Mon, 5 Aug 2024 13:42:36 +0000 Subject: [PATCH] Scripts and config for client certificate management --- docker/certmanager/.gitignore | 1 + docker/certmanager/config | 12 +++++++ docker/certmanager/create-ca.sh | 7 ++++ docker/certmanager/genclient.sh | 59 +++++++++++++++++++++++++++++++++ 4 files changed, 79 insertions(+) create mode 100644 docker/certmanager/.gitignore create mode 100644 docker/certmanager/config create mode 100755 docker/certmanager/create-ca.sh create mode 100755 docker/certmanager/genclient.sh diff --git a/docker/certmanager/.gitignore b/docker/certmanager/.gitignore new file mode 100644 index 0000000..195e616 --- /dev/null +++ b/docker/certmanager/.gitignore @@ -0,0 +1 @@ +/certificates/ \ No newline at end of file diff --git a/docker/certmanager/config b/docker/certmanager/config new file mode 100644 index 0000000..d265935 --- /dev/null +++ b/docker/certmanager/config @@ -0,0 +1,12 @@ +export CERTNAME=rootCA +export KEYSIZE=2048 +export CLIENTEXP=1491 +export ROOTEXP=2992 + +export NUMCLIENTS=1 + +export STATE="SC" +export CITY="Florianopolis" +export ORG="UFSC" +export UNIT="Lisha" +export HOST="localhost" diff --git a/docker/certmanager/create-ca.sh b/docker/certmanager/create-ca.sh new file mode 100755 index 0000000..91fe315 --- /dev/null +++ b/docker/certmanager/create-ca.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +cd /certmanager + +. config +openssl genpkey -algorithm RSA -out certificates/rootCA.key -pkeyopt rsa_keygen_bits:2048 +openssl req -x509 -new -nodes -key certificates/rootCA.key -sha256 -days 3650 -out certificates/rootCA.pem -subj "/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST" -set_serial "0x$(openssl rand -hex 8)" \ No newline at end of file diff --git a/docker/certmanager/genclient.sh b/docker/certmanager/genclient.sh new file mode 100755 index 0000000..6c5dccb --- /dev/null +++ b/docker/certmanager/genclient.sh @@ -0,0 +1,59 @@ +#!/bin/bash +# Caciano Machado/Juliano Zatta - 16/10/2017 + +cd /certmanager + +. config + +cd certificates + +# Initilize if not available the certificate list +NUMPREVCERT=`tail -n 1 certificate_list | cut -d " " -f 1` +ISNUM='^[0-9]+$' + +# Update - 30-10-2020 - Roberto M. Scheffel - Added receiver and purpose description, for documentation + +receiver=$1 +descr=$2 +if [ -z "$receiver" ] +then + echo 'Usage: ' $0 '<receiver name>' '<purpose short description>.' + exit +fi +if [ -z "$descr" ] +then + echo 'Usage: ' $0 '<receiver name>' '<purpose short description>.' + exit +fi + +if [[ -a certificate_list ]]; then + if ! [[ $NUMPREVCERT =~ $ISNUM ]]; then + echo "ERROR: File certificate_list corrupted. This file stores the list of generated certificates and respective serial numbers." + exit -1 + fi + CURRCLIENT=$((NUMPREVCERT + 1)) + LASTCLIENT=$((NUMCLIENTS + NUMPREVCERT)) +else + CURRCLIENT=1 + LASTCLIENT=$NUMCLIENTS +fi + +for i in `seq $CURRCLIENT $LASTCLIENT`; do + # Generate RSA key + + echo "openssl genrsa -out client-$i.key $KEYSIZE" + openssl genrsa -out client-$i.key $KEYSIZE + + # Generate certificate request + echo "openssl req -subj \"/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST\" -new -key client-$i.key -out client-$i.req" + openssl req -subj "/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST" -new -key client-$i.key -out client-$i.req + # Generate certificate + echo "openssl x509 -req -in client-$i.req -CA ${CERTNAME}.pem -CAkey ${CERTNAME}.key -CAcreateserial -out client-$i.pem -days $CLIENTEXP -sha256" + openssl x509 -req -in client-$i.req -CA ${CERTNAME}.pem -CAkey ${CERTNAME}.key -CAcreateserial -out client-$i.pem -days $CLIENTEXP -sha256 + serial=`openssl x509 -in client-$i.pem -serial -noout | cut -d "=" -f 2` + echo $i $serial + echo $i $serial `date "+%F-%T"` `whoami` ' | ' $receiver ' | ' $descr >> certificate_list + mv client-$i.key client-$i-$serial.key + mv client-$i.pem client-$i-$serial.pem + rm -f client-$i.req +done \ No newline at end of file -- GitLab