From c8cec2320c629c0c2c8fe0b2b8dbfb34dad455fd Mon Sep 17 00:00:00 2001
From: Rodrigo Goncalves <rodrigo.g@ufsc.br>
Date: Mon, 5 Aug 2024 13:42:36 +0000
Subject: [PATCH] Scripts and config for client certificate management
---
docker/certmanager/.gitignore | 1 +
docker/certmanager/config | 12 +++++++
docker/certmanager/create-ca.sh | 7 ++++
docker/certmanager/genclient.sh | 59 +++++++++++++++++++++++++++++++++
4 files changed, 79 insertions(+)
create mode 100644 docker/certmanager/.gitignore
create mode 100644 docker/certmanager/config
create mode 100755 docker/certmanager/create-ca.sh
create mode 100755 docker/certmanager/genclient.sh
diff --git a/docker/certmanager/.gitignore b/docker/certmanager/.gitignore
new file mode 100644
index 0000000..195e616
--- /dev/null
+++ b/docker/certmanager/.gitignore
@@ -0,0 +1 @@
+/certificates/
\ No newline at end of file
diff --git a/docker/certmanager/config b/docker/certmanager/config
new file mode 100644
index 0000000..d265935
--- /dev/null
+++ b/docker/certmanager/config
@@ -0,0 +1,12 @@
+export CERTNAME=rootCA
+export KEYSIZE=2048
+export CLIENTEXP=1491
+export ROOTEXP=2992
+
+export NUMCLIENTS=1
+
+export STATE="SC"
+export CITY="Florianopolis"
+export ORG="UFSC"
+export UNIT="Lisha"
+export HOST="localhost"
diff --git a/docker/certmanager/create-ca.sh b/docker/certmanager/create-ca.sh
new file mode 100755
index 0000000..91fe315
--- /dev/null
+++ b/docker/certmanager/create-ca.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+cd /certmanager
+
+. config
+openssl genpkey -algorithm RSA -out certificates/rootCA.key -pkeyopt rsa_keygen_bits:2048
+openssl req -x509 -new -nodes -key certificates/rootCA.key -sha256 -days 3650 -out certificates/rootCA.pem -subj "/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST" -set_serial "0x$(openssl rand -hex 8)"
\ No newline at end of file
diff --git a/docker/certmanager/genclient.sh b/docker/certmanager/genclient.sh
new file mode 100755
index 0000000..6c5dccb
--- /dev/null
+++ b/docker/certmanager/genclient.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Caciano Machado/Juliano Zatta - 16/10/2017
+
+cd /certmanager
+
+. config
+
+cd certificates
+
+# Initilize if not available the certificate list
+NUMPREVCERT=`tail -n 1 certificate_list | cut -d " " -f 1`
+ISNUM='^[0-9]+$'
+
+# Update - 30-10-2020 - Roberto M. Scheffel - Added receiver and purpose description, for documentation
+
+receiver=$1
+descr=$2
+if [ -z "$receiver" ]
+then
+ echo 'Usage: ' $0 '<receiver name>' '<purpose short description>.'
+ exit
+fi
+if [ -z "$descr" ]
+then
+ echo 'Usage: ' $0 '<receiver name>' '<purpose short description>.'
+ exit
+fi
+
+if [[ -a certificate_list ]]; then
+ if ! [[ $NUMPREVCERT =~ $ISNUM ]]; then
+ echo "ERROR: File certificate_list corrupted. This file stores the list of generated certificates and respective serial numbers."
+ exit -1
+ fi
+ CURRCLIENT=$((NUMPREVCERT + 1))
+ LASTCLIENT=$((NUMCLIENTS + NUMPREVCERT))
+else
+ CURRCLIENT=1
+ LASTCLIENT=$NUMCLIENTS
+fi
+
+for i in `seq $CURRCLIENT $LASTCLIENT`; do
+ # Generate RSA key
+
+ echo "openssl genrsa -out client-$i.key $KEYSIZE"
+ openssl genrsa -out client-$i.key $KEYSIZE
+
+ # Generate certificate request
+ echo "openssl req -subj \"/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST\" -new -key client-$i.key -out client-$i.req"
+ openssl req -subj "/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST" -new -key client-$i.key -out client-$i.req
+ # Generate certificate
+ echo "openssl x509 -req -in client-$i.req -CA ${CERTNAME}.pem -CAkey ${CERTNAME}.key -CAcreateserial -out client-$i.pem -days $CLIENTEXP -sha256"
+ openssl x509 -req -in client-$i.req -CA ${CERTNAME}.pem -CAkey ${CERTNAME}.key -CAcreateserial -out client-$i.pem -days $CLIENTEXP -sha256
+ serial=`openssl x509 -in client-$i.pem -serial -noout | cut -d "=" -f 2`
+ echo $i $serial
+ echo $i $serial `date "+%F-%T"` `whoami` ' | ' $receiver ' | ' $descr >> certificate_list
+ mv client-$i.key client-$i-$serial.key
+ mv client-$i.pem client-$i-$serial.pem
+ rm -f client-$i.req
+done
\ No newline at end of file
--
GitLab