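#!/bin/sh
# Build a small test PKI: one self-signed root CA plus LEVELS intermediate
# CAs, each signed by the one above it, and collect every CA certificate
# into a single chain file.
#
# Requires: openssl, and the openssl.cnf named in OPENSSL_CNF (its v3_ca
# section supplies the CA extensions for the intermediates).
# Outputs (under CERTS_PATH): root-key.pem, root-cert.pem, and for each
# level N in 1..LEVELS: caN-key.pem, caN-csr.pem, caN-cert.pem; plus the
# chain file (root first, then each level in order).
#
# This is a POSIX sh script; keep it free of bashisms.

# Stop at the first failed command or unset variable, so a failed key or
# certificate step cannot leave a partial chain that looks complete.
set -eu

# Certificate validity, in days.
DAYS=$((10*365))

# Number of intermediate CA levels below the root.
LEVELS=1

# Subject name prefix; the CN is appended per certificate.
DN="/C=US/ST=Illinois/L=Chicago/O=Safemobile/OU=PKI"

CERTS_PATH=certs

# Bundle of all CA certificates, root first.
CHAIN="$CERTS_PATH/chain.crt"

# OpenSSL config that provides the v3_ca extensions section used below.
# OPENSSL_CNF="/etc/pki/tls/openssl.cnf"
OPENSSL_CNF="/etc/ssl/openssl.cnf"

# Fail early, before any key material is generated, if the config that the
# signing step needs is missing.
if [ ! -r "$OPENSSL_CNF" ]; then
  printf 'openssl config not readable: %s\n' "$OPENSSL_CNF" >&2
  exit 1
fi

mkdir -p "$CERTS_PATH"

#generate root key pair
# The subshell umask keeps the private key file from ever being created
# world-readable; certificates written outside it keep the caller's umask.
( umask 077; openssl genrsa -out "$CERTS_PATH/root-key.pem" 4096 )

#generate root self-signed cert
# NOTE(review): no -config/-extensions is given here, so the root's
# extensions come from whatever openssl's default config selects — confirm
# it yields CA:TRUE.
openssl req -new -x509 -days "$DAYS" -key "$CERTS_PATH/root-key.pem" \
  -subj "$DN/CN=Root" -out "$CERTS_PATH/root-cert.pem"

cat "$CERTS_PATH/root-cert.pem" > "$CHAIN"

# Portable counting loop (seq is not POSIX).
i=1
while [ "$i" -le "$LEVELS" ]; do
  echo "Level $i"
  # Level 1 is signed by the root; every further level by the previous one.
  if [ "$i" -eq 1 ]; then
    SIGNER_CERT="$CERTS_PATH/root-cert.pem"
    SIGNER_KEY="$CERTS_PATH/root-key.pem"
  else
    SIGNER_CERT="$CERTS_PATH/ca$((i-1))-cert.pem"
    SIGNER_KEY="$CERTS_PATH/ca$((i-1))-key.pem"
  fi

  #generate key pair
  ( umask 077; openssl genrsa -out "$CERTS_PATH/ca$i-key.pem" 4096 )

  #generate signing request
  openssl req -new -key "$CERTS_PATH/ca$i-key.pem" \
    -subj "$DN/CN=Level$i" -out "$CERTS_PATH/ca$i-csr.pem"

  echo "-------------"
  printf '%s\n' ">>>>>>>>>>>>>>>>>$SIGNER_CERT"
  printf '%s\n' ">>>>>>>>>>>>>>>>>$SIGNER_KEY"

  #sign new cert
  # Each level has a different issuer, so the small fixed serial ($i) does
  # not collide with another certificate from the same CA.
  openssl x509 -req -days "$DAYS" -in "$CERTS_PATH/ca$i-csr.pem" \
    -CA "$SIGNER_CERT" -CAkey "$SIGNER_KEY" \
    -set_serial "$i" -out "$CERTS_PATH/ca$i-cert.pem" \
    -extfile "$OPENSSL_CNF" -extensions v3_ca

  cat "$CERTS_PATH/ca$i-cert.pem" >> "$CHAIN"
  echo "-------------"

  i=$((i+1))
done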