| Instrumental | cc596dd | 2018-08-23 09:52:14 -0500 | [diff] [blame^] | 1 | # |
| 2 | # Streamlined AAF Bootstrap initial Cert |
| 3 | # Removed Variables so it can be run for AutoDeployments |
| 4 | # |
| 5 | echo "Bootstrap AAF Certificate" |
| 6 | NAME=aaf.bootstrap |
| 7 | FQDN=$(uname -n) |
| 8 | FQI=aaf@aaf.osaaf.org |
| 9 | SUBJECT="/CN=$FQDN/OU=$FQI`cat subject.aaf`" |
| 10 | SIGNER_P12=$1 |
| 11 | SIGNER_KEY=/tmp/aaf_signer.key |
| 12 | SIGNER_CRT=/tmp/aaf_signer.crt |
| 13 | PASSPHRASE=$2 |
| 14 | if [ "PASSPHRASE" = "" ]; then |
| 15 | PASSPHRASE="something easy" |
| 16 | fi |
| 17 | BOOTSTRAP_SAN=/tmp/$NAME.san |
| 18 | BOOTSTRAP_KEY=/tmp/$NAME.key |
| 19 | BOOTSTRAP_CSR=/tmp/$NAME.csr |
| 20 | BOOTSTRAP_CRT=/tmp/$NAME.crt |
| 21 | BOOTSTRAP_P12=$NAME.p12 |
| 22 | |
| 23 | |
| 24 | # If Signer doesn't exist, create Self-Signed CA |
| 25 | if [ ! -e "$SIGNER_P12" ]; then |
| 26 | # Creating Signer CA |
| 27 | openssl req -config openssl.conf -x509 -sha256 -extensions v3_ca \ |
| 28 | -newkey rsa:4096 -nodes -subj /CN="RootCA$(cat subject.aaf)" \ |
| 29 | -keyout $SIGNER_KEY -out $SIGNER_CRT -days 365 |
| 30 | |
| 31 | # Move to P12 (Signer) |
| 32 | openssl pkcs12 -name RootCA -export -in $SIGNER_CRT -inkey $SIGNER_KEY -out $SIGNER_P12 -passin stdin -passout stdin << EOF |
| 33 | $PASSPHRASE |
| 34 | $PASSPHRASE |
| 35 | $PASSPHRASE |
| 36 | EOF |
| 37 | |
| 38 | else |
| 39 | # Get Private key from P12 |
| 40 | openssl pkcs12 -in $SIGNER_P12 -nocerts -nodes -passin stdin -passout stdin -out $SIGNER_KEY << EOF |
| 41 | $PASSPHRASE |
| 42 | $PASSPHRASE |
| 43 | EOF |
| 44 | |
| 45 | # Get Cert from P12 |
| 46 | openssl pkcs12 -in $SIGNER_P12 -clcerts -nokeys -passin stdin -out $SIGNER_CRT << EOF |
| 47 | $PASSPHRASE |
| 48 | EOF |
| 49 | |
| 50 | fi |
| 51 | |
| 52 | # SANS |
| 53 | cp san.conf $BOOTSTRAP_SAN |
| 54 | NUM=1 |
| 55 | for D in $FQDN aaf.osaaf.org service.aaf.osaaf.org locate.aaf.osaaf.org oauth.aaf.osaaf.org gui.aaf.osaaf.org cm.aaf.osaaf.org hello.aaf.osaaf.org; do |
| 56 | echo "DNS.$NUM = $D" >> $BOOTSTRAP_SAN |
| 57 | NUM=$((NUM+1)) |
| 58 | done |
| 59 | |
| 60 | # Create CSR |
| 61 | openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout $BOOTSTRAP_KEY \ |
| 62 | -out $BOOTSTRAP_CSR -outform PEM -subj "$SUBJECT" |
| 63 | #-passout stdin << EOF |
| 64 | #$PASSPHRASE |
| 65 | #EOF |
| 66 | |
| 67 | ls -l BOOTSTRAP_CSR $BOOTSTRAP_CSR |
| 68 | # Sign it |
| 69 | openssl ca -batch -config openssl.conf -extensions server_cert -out $BOOTSTRAP_CRT \ |
| 70 | -cert $SIGNER_CRT -keyfile $SIGNER_KEY \ |
| 71 | -policy policy_loose \ |
| 72 | -days 90 \ |
| 73 | -extfile $BOOTSTRAP_SAN \ |
| 74 | -infiles $BOOTSTRAP_CSR |
| 75 | |
| 76 | # Make a P12 |
| 77 | # Add THIS Intermediate CA into chain |
| 78 | cat $SIGNER_CRT >> $BOOTSTRAP_CRT |
| 79 | |
| 80 | # Note: Openssl will pickup and load all Certs in the Chain file |
| 81 | openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CRT -inkey $BOOTSTRAP_KEY -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF |
| 82 | $PASSPHRASE |
| 83 | $PASSPHRASE |
| 84 | $PASSPHRASE |
| 85 | EOF |
| 86 | |
| 87 | # Cleanup |
| 88 | rm -f $BOOTSTRAP_SAN $BOOTSTRAP_KEY $BOOTSTRAP_CSR $BOOTSTRAP_CRT $SIGNER_KEY $SIGNER_CRT |