-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathmake-client-cert.sh
More file actions
executable file
·55 lines (43 loc) · 1.31 KB
/
make-client-cert.sh
File metadata and controls
executable file
·55 lines (43 loc) · 1.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#!/bin/sh
. ./common.sh
if [ ! -e cadir/private/icapw2.dat ]
then
echo Need the leaf CA
exit 1
fi
rm -f client.crt client.key
arg=$1
if [ "X$arg" = "X-k" ]
then
cpass=`openssl rand -hex 10`
reqarg="-passout pass:$cpass"
pkcs8arg="-passin pass:$cpass -passout pass:$cpass"
echo Using password $cpass
else
reqarg="-nodes"
pkcs8arg="-passout pass:"
fi
# get the root CA certificate
cp cadir/cacert.pem root.crt
# we'll sign this with the leaf CA
capw=`cat cadir/private/icapw2.dat`
# this will be the CN of the certificate
user=${CERTUSER:-"my_user"}
# generate the CSR
openssl req -new $reqarg -text -days 365 -out client.csr \
-keyout client.key -subj "$SUBJ/CN=$user" >/dev/null 2>&1
# protect the key
chmod og-rwx client.key
# sign the CSR, generating the certificate
openssl ca -in client.csr \
-config cadir/openssl.cnf \
-cert cadir/intermediate2.pem -keyfile cadir/private/intermediate2.key \
-passin pass:$capw -out client.crt -batch >/dev/null 2>&1
# remove the CSR
rm client.csr
# add the intermediate and leaf CA certificates to the cert, so it can be
# validated with the root.crt.
cat cadir/intermediate2.pem cadir/intermediate1.pem >> client.crt
# generate the PKCS#8 version of the client key for jdbc use
openssl pkcs8 -topk8 $pkcs8arg -inform PEM -in client.key \
-outform DER -out client.pk8