Add CA helper script

2022-03-21 10:56:46 +00:00 · 2022-03-21 10:56:46 +00:00 · 565e982f7e
commit 565e982f7e
parent 62986bd197
1 changed files with 71 additions and 0 deletions
--- a/scripts/ca
+++ b/scripts/ca
@ -0,0 +1,71 @@
+#!/bin/sh -e
+
+create_ca() {
+  # Folder structure
+  mkdir -p vimium/ca/{certs,crl,newcerts,private}
+  mkdir -p vimium/ca/intermediate/{certs,crl,csr,newcerts,private}
+  chmod 700 vimium/ca/private
+  chmod 700 vimium/ca/intermediate/private
+
+  pushd vimium/ca
+  touch index.txt intermediate/index.txt
+  echo 1000 | tee -a serial intermediate/serial intermediate/crlnumber
+
+  # Root generation
+  openssl genrsa -aes256 -out private/ca.key.pem 4096
+  chmod 400 private/ca.key.pem
+  openssl req -config openssl.cnf \
+    -key private/ca.key.pem \
+    -new -x509 -days 7300 -sha256 -extensions v3_ca \
+    -out certs/ca.cer.pem
+
+  # Intermediate generation
+  openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
+  chmod 400 intermediate/private/intermediate.key.pem
+  openssl req -config intermediate/openssl.cnf -new -sha256 \
+    -key intermediate/private/intermediate.key.pem \
+    -out intermediate/csr/intermediate.csr.pem
+  openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
+    -days 3650 -notext -md sha256 \
+    -in intermediate/csr/intermediate.csr.pem \
+    -out intermediate/certs/intermediate.cer.pem
+  chmod 444 intermediate/certs/intermediate.cer.pem
+
+  # Chain generation
+  cat intermediate/certs/intermediate.cer.pem \
+    certs/ca.cer.pem > intermediate/certs/ca-chain.cer.pem
+}
+
+# Must be in intermediate CA dir for below
+
+create_key() {
+  openssl genrsa -out private/$1.key.pem 2048
+  chmod 400 private/$1.key.pem
+}
+
+create_cert() {
+  openssl req -config openssl.cnf \
+    -key private/$1.key.pem \
+    -new -sha256 -out csr/$1.csr.pem
+
+  openssl ca -config openssl.cnf \
+    -extensions server_cert -days 375 -notext -md sha256 \
+    -in csr/$1.csr.pem \
+    -out certs/$1.cer.pem
+}
+
+create_crl() {
+  openssl ca -config openssl.cnf \
+    -gencrl -out crl/intermediate.crl.pem
+}
+
+revoke_cert() {
+  openssl ca -config openssl.cnf \
+    -revoke certs/$1.cer.pem
+
+  create_crl
+}
+
+view_crl() {
+  openssl crl -in crl/intermediate.crl.pem -noout -text
+}