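#!/bin/sh
#
# Generate a throw-away CA, a server key + certificate signed by it, the
# chain file and DH parameters for LOCAL DEVELOPMENT of kanidm.
# Everything here is deliberately insecure (self-signed CA, 31-day lifetime,
# files under /tmp, well-known subject); never use the output anywhere else.
#
# Environment:
#   CERT_HOSTNAME  hostname placed in the server cert CN and, when it is not
#                  "localhost", added to the SAN (default: localhost).
#                  localhost and 127.0.0.1 are always present in the SAN.
#   KANI_TMP       directory the files are written to (default: /tmp/kanidm/;
#                  a trailing slash is optional).
#
# Outputs (all under KANI_TMP): altnames.cnf, ca.pem, cakey.pem, key.pem,
# cert.csr, cert.pem, chain.pem, dh.pem.
set -eu

# you can set the hostname if you want, but it'll default to localhost
CERT_HOSTNAME="${CERT_HOSTNAME:-localhost}"
# also where the files are stored; strip a trailing slash so that both
# "/tmp/kanidm" and "/tmp/kanidm/" yield the same paths below
KANI_TMP="${KANI_TMP:-/tmp/kanidm/}"
KANI_TMP="${KANI_TMP%/}"

ALTNAME_FILE="${KANI_TMP}/altnames.cnf"
CACERT="${KANI_TMP}/ca.pem"
CAKEY="${KANI_TMP}/cakey.pem"
KEYFILE="${KANI_TMP}/key.pem"
CERTFILE="${KANI_TMP}/cert.pem"
CSRFILE="${KANI_TMP}/cert.csr"
CHAINFILE="${KANI_TMP}/chain.pem"
DHFILE="${KANI_TMP}/dh.pem"

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl not found in PATH" >&2
  exit 1
fi

# NOTE: the default directory lives in world-writable /tmp and the private
# keys are written with the caller's umask, so on a shared host other local
# users may be able to read (or pre-create) them. Fine for throw-away dev
# material; point KANI_TMP at a private directory if that matters.
if [ ! -d "${KANI_TMP}" ]; then
  echo "Creating temp kanidm dir: ${KANI_TMP}"
  mkdir -p "${KANI_TMP}"
fi

# Modern TLS clients ignore the CN and match the SAN only, so a non-default
# CERT_HOSTNAME must also appear in alt_names or the cert is useless for it.
if [ "${CERT_HOSTNAME}" = "localhost" ]; then
  EXTRA_ALTNAME=""
else
  EXTRA_ALTNAME="DNS.2 = ${CERT_HOSTNAME}"
fi

# Unquoted heredoc on purpose: ${EXTRA_ALTNAME} is expanded into the config.
cat > "${ALTNAME_FILE}" << DEVEOF
[req]
nsComment = "Certificate"
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland
localityName = Locality Name (eg, city)
localityName_default = Brisbane
0.organizationName = Organization Name (eg, company)
0.organizationName_default = INSECURE EXAMPLE
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = kanidm
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
commonName_default = localhost
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
${EXTRA_ALTNAME}
DEVEOF

# Make the ca: a self-signed cert plus its key in one step (31 days)
openssl req -x509 -new -newkey rsa:4096 -sha256 \
  -keyout "${CAKEY}" \
  -out "${CACERT}" \
  -days 31 \
  -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=insecure.ca.localhost" -nodes

# generate the server private key (the CA key was produced by the step above)
openssl genrsa -out "${KEYFILE}" 4096

# generate the certificate signing request
openssl req -sha256 \
  -config "${ALTNAME_FILE}" \
  -new -extensions v3_req \
  -key "${KEYFILE}" \
  -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=${CERT_HOSTNAME}" \
  -nodes \
  -out "${CSRFILE}"

# sign the cert with the CA, re-applying v3_req so the SAN ends up in the cert
openssl x509 -req -days 31 \
  -extfile "${ALTNAME_FILE}" \
  -CA "${CACERT}" \
  -CAkey "${CAKEY}" \
  -CAcreateserial \
  -in "${CSRFILE}" \
  -out "${CERTFILE}" \
  -extensions v3_req -sha256

# Create the chain: leaf first, then the issuing CA
cat "${CERTFILE}" "${CACERT}" > "${CHAINFILE}"

# create the dh file for RADIUS. Parameters are generated fresh from the bit
# size, so no input file is passed (the previous "-in" referred to an
# undefined variable).
openssl dhparam -out "${DHFILE}" 2048

echo "Certificate chain is at: ${CHAINFILE}"
echo "Private key is at: ${KEYFILE}"
echo ""
echo "**Remember** the default action is to store the files in /tmp/ so they'll be deleted on reboot! Set the KANI_TMP environment variable before running this script if you want to change that. You'll need to update server config elsewhere if you do, however."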