From 565e982f7eed66a286da511b4436bd54763948dc Mon Sep 17 00:00:00 2001
From: Jordan Holt
Date: Mon, 21 Mar 2022 10:56:46 +0000
Subject: [PATCH] Add CA helper script
---
 scripts/ca | 71 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100755 scripts/ca
diff --git a/scripts/ca b/scripts/ca
new file mode 100755
index 0000000..d9da05c
--- /dev/null
+++ b/scripts/ca
@@ -0,0 +1,71 @@
+#!/bin/sh -e
+
+create_ca() {
+ # Folder structure
+ mkdir -p vimium/ca/{certs,crl,newcerts,private}
+ mkdir -p vimium/ca/intermediate/{certs,crl,csr,newcerts,private}
+ chmod 700 vimium/ca/private
+ chmod 700 vimium/ca/intermediate/private
+
+ pushd vimium/ca
+ touch index.txt intermediate/index.txt
+ echo 1000 | tee -a serial intermediate/serial intermediate/crlnumber
+
+ # Root generation
+ openssl genrsa -aes256 -out private/ca.key.pem 4096
+ chmod 400 private/ca.key.pem
+ openssl req -config openssl.cnf \
+ -key private/ca.key.pem \
+ -new -x509 -days 7300 -sha256 -extensions v3_ca \
+ -out certs/ca.cer.pem
+
+ # Intermediate generation
+ openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
+ chmod 400 intermediate/private/intermediate.key.pem
+ openssl req -config intermediate/openssl.cnf -new -sha256 \
+ -key intermediate/private/intermediate.key.pem \
+ -out intermediate/csr/intermediate.csr.pem
+ openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
+ -days 3650 -notext -md sha256 \
+ -in intermediate/csr/intermediate.csr.pem \
+ -out intermediate/certs/intermediate.cer.pem
+ chmod 444 intermediate/certs/intermediate.cer.pem
+
+ # Chain generation
+ cat intermediate/certs/intermediate.cer.pem \
+ certs/ca.cer.pem > intermediate/certs/ca-chain.cer.pem
+}
+
+# Must be in intermediate CA dir for below
+
+create_key() {
+ openssl genrsa -out private/$1.key.pem 2048
+ chmod 400 private/$1.key.pem
+}
+
+create_cert() {
+ openssl req -config openssl.cnf \
+ -key private/$1.key.pem \
+ -new -sha256 -out csr/$1.csr.pem
+
+ openssl ca -config openssl.cnf \
+ -extensions server_cert -days 375 -notext -md sha256 \
+ -in csr/$1.csr.pem \
+ -out certs/$1.cer.pem
+}
+
+create_crl() {
+ openssl ca -config openssl.cnf \
+ -gencrl -out crl/intermediate.crl.pem
+}
+
+revoke_cert() {
+ openssl ca -config openssl.cnf \
+ -revoke certs/$1.cer.pem
+
+ create_crl
+}
+
+view_crl() {
+ openssl crl -in crl/intermediate.crl.pem -noout -text
+}
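Review bot: The shebang `#!/bin/sh -e` does not match the script's own syntax: the brace expansion in `mkdir -p vimium/ca/{certs,crl,newcerts,private}` and the `pushd vimium/ca` in `create_ca` are bash-only, so under a POSIX `/bin/sh` such as dash the first `mkdir` creates one literal directory named `{certs,crl,newcerts,private}`, the following `chmod 700 vimium/ca/private` then fails, and `pushd` is an unknown command; the `-e` is also lost whenever the file is run as `sh scripts/ca`. Change the header to `#!/usr/bin/env bash` followed by `set -euo pipefail`, and replace `pushd vimium/ca` with `cd vimium/ca || exit 1`, since nothing ever pops the directory. `$1` in `create_key`, `create_cert` and `revoke_cert` is unquoted and unchecked, so a missing argument silently yields paths like `private/.key.pem` and a name containing spaces or glob characters is split into several arguments; start each of those functions with `local name=${1:?certificate name required}` and use `"$name"` in the paths. `create_ca` also appears to rely on `openssl.cnf` and `intermediate/openssl.cnf` already existing under `vimium/ca`, which this patch does not add; if that is intended, a comment at the top of the function stating the prerequisite would save the next user a failed run.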