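#! /bin/sh
#
# keygen.sh - create a self-signed key pair for a Shibboleth SP in the
# current directory: sp-key.pem (private key, mode 600) and sp-cert.pem.
#
# Options:
#   -h hostname   CN and DNS subjectAltName of the cert (default: hostname)
#   -e entityID   also embed the entityID as a URI subjectAltName
#   -y years      validity period in whole years (default: 10)
#   -b            batch mode: quiet, exit 0 if the files already exist
#   -f            force: remove an existing sp-key.pem / sp-cert.pem first
#
# Exit status: 0 on success (or in batch mode when the files already exist),
# 1 on a usage error, 2 when the files exist and -f was not given, otherwise
# the exit status of openssl.

usage() {
    echo "keygen [-b] [-f] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]" >&2
    exit 1
}

while getopts h:e:y:bf c
do
    case $c in
        b)  BATCH=1;;
        f)  FORCE=1;;
        h)  FQDN=$OPTARG;;
        e)  ENTITYID=$OPTARG;;
        y)  YEARS=$OPTARG;;
        \?) usage;;
    esac
done

if [ -n "$FORCE" ] ; then
    # Only one of the two files may exist; -f keeps rm quiet about the other.
    rm -f sp-key.pem sp-cert.pem
fi

# -s: an empty sp-key.pem left behind by an aborted run does not count.
if [ -s sp-key.pem ] || [ -s sp-cert.pem ] ; then
    if [ -z "$BATCH" ] ; then
        echo "The files sp-key.pem and/or sp-cert.pem already exist!" >&2
        echo "Use -f option to force recreation of keypair." >&2
        exit 2
    fi
    exit 0
fi

if [ -z "$FQDN" ] ; then
    FQDN=$(hostname)
fi

if [ -z "$YEARS" ] ; then
    YEARS=10
fi

# Reject anything but a positive integer before it reaches the arithmetic
# below and the -days argument of openssl.
case $YEARS in
    ''|*[!0-9]*)
        echo "keygen: -y expects a positive number of years, got '$YEARS'" >&2
        exit 1;;
esac
DAYS=$((YEARS * 365))
if [ "$DAYS" -le 0 ] ; then
    echo "keygen: -y expects a positive number of years, got '$YEARS'" >&2
    exit 1
fi

if [ -z "$ENTITYID" ] ; then
    ALTNAME=DNS:$FQDN
else
    ALTNAME=DNS:$FQDN,URI:$ENTITYID
fi

# Temporary OpenSSL request config; it holds no secrets and is removed below.
# default_md is sha256: SHA-1 is deprecated for certificate signatures.
cat >sp-cert.cnf <<EOF
# OpenSSL configuration file for creating sp-cert.pem
[req]
prompt=no
default_bits=2048
encrypt_key=no
default_md=sha256
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
x509_extensions=ext
[dn]
CN=$FQDN
[ext]
subjectAltName=$ALTNAME
subjectKeyIdentifier=hash
EOF

# Create the key file and restrict it before openssl writes the private key
# into it, so the key material is never exposed under the default umask.
touch sp-key.pem
chmod 600 sp-key.pem
if [ -z "$BATCH" ] ; then
    openssl req -config sp-cert.cnf -new -x509 -days "$DAYS" -keyout sp-key.pem -out sp-cert.pem
else
    openssl req -config sp-cert.cnf -new -x509 -days "$DAYS" -keyout sp-key.pem -out sp-cert.pem 2> /dev/null
fi
status=$?
rm -f sp-cert.cnf
if [ "$status" -ne 0 ] ; then
    # A partially written pair is unusable and would make the next run stop
    # at the "already exist" check; remove it and report the failure.
    rm -f sp-key.pem sp-cert.pem
    exit "$status"
fi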