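#! /bin/sh
#
# keygen.sh - create a self-signed keypair (sp-key.pem / sp-cert.pem) for the
# Shibboleth SP with openssl.
#
# Options:
#   -o DIR     output directory (default .)
#   -u USER    username to own the keypair
#   -g GROUP   groupname to own the keypair
#   -h HOST    hostname placed in the certificate CN and DNS subjectAltName
#              (note: -h is the hostname option, not help)
#   -y YEARS   certificate lifetime in years (default 10)
#   -e ID      entityID embedded as a URI subjectAltName
#   -b         batch mode: exit 0 quietly if a keypair exists, hide openssl output
#   -f         force recreation of an existing keypair
#
# Exit status: 0 success (or keypair already present in batch mode),
#              1 usage error, 2 keypair already present and -f not given,
#              3 openssl failed, 4 chown/chgrp failed.

usage() {
    echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert] [-b batch mode] [-f force recreation]" >&2
}

# Internal names deliberately avoid USER/GROUP: $USER is normally set by the
# login environment, so a variable of that name would be "given" even when
# -u was not passed.
OUT=
OWNER=
OWNGROUP=
BATCH=
FORCE=
FQDN=
ENTITYID=
YEARS=

while getopts h:u:g:o:e:y:bf c
do
    case $c in
        u)  OWNER=$OPTARG;;
        g)  OWNGROUP=$OPTARG;;
        o)  OUT=$OPTARG;;
        b)  BATCH=1;;
        f)  FORCE=1;;
        h)  FQDN=$OPTARG;;
        e)  ENTITYID=$OPTARG;;
        y)  YEARS=$OPTARG;;
        \?) usage
            exit 1;;
    esac
done

[ -n "$OUT" ] || OUT=.

if [ ! -d "$OUT" ] ; then
    echo "keygen: output directory $OUT does not exist" >&2
    exit 1
fi

KEY=$OUT/sp-key.pem
CERT=$OUT/sp-cert.pem
SSLCNF=$OUT/sp-cert.cnf

if [ -n "$FORCE" ] ; then
    rm -f -- "$KEY" "$CERT"
fi

# Refuse to overwrite a non-empty key or cert unless -f was given; in batch
# mode an existing keypair is simply left alone.
if [ -s "$KEY" ] || [ -s "$CERT" ] ; then
    if [ -z "$BATCH" ] ; then
        echo "The files $KEY and/or $CERT already exist!" >&2
        echo "Use -f option to force recreation of keypair." >&2
        exit 2
    fi
    exit 0
fi

[ -n "$FQDN" ] || FQDN=$(hostname)
if [ -z "$FQDN" ] ; then
    echo "keygen: cannot determine hostname; use -h" >&2
    exit 1
fi

[ -n "$YEARS" ] || YEARS=10

# -y is used in arithmetic and passed to openssl -days: require a positive integer.
case $YEARS in
    ''|*[!0-9]*)
        echo "keygen: -y requires a positive integer number of years" >&2
        exit 1;;
esac
if [ "$YEARS" -le 0 ] ; then
    echo "keygen: -y requires a positive integer number of years" >&2
    exit 1
fi
DAYS=$((YEARS * 365))

# subjectAltName value; the hostname and entityID are written verbatim into
# the openssl config, so they must not contain commas.
if [ -z "$ENTITYID" ] ; then
    ALTNAME=DNS:$FQDN
else
    ALTNAME=DNS:$FQDN,URI:$ENTITYID
fi

# Temporary openssl config; removed again once openssl has run.
cat >"$SSLCNF" <<EOF
# OpenSSL configuration file for creating sp-cert.pem
[req]
prompt=no
default_bits=2048
encrypt_key=no
# sha256: SHA-1 certificate signatures are deprecated and rejected by many verifiers
default_md=sha256
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
x509_extensions=ext
[dn]
CN=$FQDN
[ext]
subjectAltName=$ALTNAME
subjectKeyIdentifier=hash
EOF

# Create the key file empty with owner-only permissions before openssl writes
# the private key into it, so it is never readable by others, even briefly.
if ! touch "$KEY" || ! chmod 600 "$KEY" ; then
    echo "keygen: cannot create $KEY" >&2
    rm -f -- "$SSLCNF"
    exit 3
fi

if [ -z "$BATCH" ] ; then
    openssl req -config "$SSLCNF" -new -x509 -days "$DAYS" -keyout "$KEY" -out "$CERT"
else
    openssl req -config "$SSLCNF" -new -x509 -days "$DAYS" -keyout "$KEY" -out "$CERT" 2> /dev/null
fi
status=$?
rm -f -- "$SSLCNF"

# Do not leave a partial keypair behind, and do not report success for one.
if [ "$status" -ne 0 ] || [ ! -s "$KEY" ] || [ ! -s "$CERT" ] ; then
    echo "keygen: openssl failed to create $KEY and $CERT" >&2
    rm -f -- "$KEY" "$CERT"
    exit 3
fi

if [ -n "$OWNER" ] ; then
    chown -- "$OWNER" "$KEY" "$CERT" || exit 4
fi

if [ -n "$OWNGROUP" ] ; then
    chgrp -- "$OWNGROUP" "$KEY" "$CERT" || exit 4
fi

exit 0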