pki/scripts/cactl

#!/bin/sh -e
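#######################################
# Bootstrap a two-tier CA (offline root + issuing intermediate) under vimium/ca.
# Expects openssl.cnf and intermediate/openssl.cnf to already be present in
# vimium/ca; openssl prompts interactively for key passphrases and subjects.
# Side effect: leaves the shell in vimium/ca (the original pushd had no popd;
#              cd is used instead because pushd and {a,b} brace expansion are
#              not POSIX sh, which is what the shebang selects).
# Returns:     0 on success, 1 if a root key already exists or cd fails
#######################################
create_ca() {
  # Never clobber an existing root key: regenerating it would silently orphan
  # every certificate already issued by this hierarchy.
  if [ -e vimium/ca/private/ca.key.pem ]; then
    echo "create_ca: vimium/ca/private/ca.key.pem already exists, refusing to overwrite" >&2
    return 1
  fi
  # Folder structure (directories spelled out for POSIX sh)
  for d in certs crl newcerts private \
           intermediate/certs intermediate/crl intermediate/csr \
           intermediate/newcerts intermediate/private; do
    mkdir -p "vimium/ca/$d"
  done
  chmod 700 vimium/ca/private vimium/ca/intermediate/private
  cd vimium/ca || return 1
  touch index.txt intermediate/index.txt
  # Seed serial/crlnumber only when empty: the old 'tee -a' appended a second
  # "1000" on every re-run, leaving a multi-line serial file openssl ca cannot use.
  for f in serial intermediate/serial intermediate/crlnumber; do
    [ -s "$f" ] || echo 1000 > "$f"
  done
  # Root generation: passphrase-protected 4096-bit key, self-signed ~20-year cert
  openssl genrsa -aes256 -out private/ca.key.pem 4096
  chmod 400 private/ca.key.pem
  openssl req -config openssl.cnf \
    -key private/ca.key.pem \
    -new -x509 -days 7300 -sha256 -extensions v3_ca \
    -out certs/ca.cer.pem
  # Public cert: world-readable, read-only (matches the intermediate cert below)
  chmod 444 certs/ca.cer.pem
  # Intermediate generation: CSR signed by the root using the v3_intermediate_ca profile
  openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
  chmod 400 intermediate/private/intermediate.key.pem
  openssl req -config intermediate/openssl.cnf -new -sha256 \
    -key intermediate/private/intermediate.key.pem \
    -out intermediate/csr/intermediate.csr.pem
  openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
    -days 3650 -notext -md sha256 \
    -in intermediate/csr/intermediate.csr.pem \
    -out intermediate/certs/intermediate.cer.pem
  chmod 444 intermediate/certs/intermediate.cer.pem
  # Chain generation: intermediate first, then root, as verifiers expect
  cat intermediate/certs/intermediate.cer.pem \
    certs/ca.cer.pem > intermediate/certs/ca-chain.cer.pem
}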
# The functions below must be run from the intermediate CA directory (vimium/ca/intermediate)
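#######################################
# Generate an unencrypted 2048-bit RSA key for a leaf certificate.
# Arguments: $1 - certificate name; key is written to private/$1.key.pem
# Returns:   exits the shell if $1 is missing/empty; otherwise openssl's status
#######################################
create_key() {
  : "${1:?create_key: certificate name required}"
  openssl genrsa -out "private/$1.key.pem" 2048
  # Private key readable by owner only
  chmod 400 "private/$1.key.pem"
}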
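#######################################
# Create a CSR for an existing leaf key and sign it with the intermediate CA.
# Arguments: $1 - certificate name; reads private/$1.key.pem, writes
#                 csr/$1.csr.pem and certs/$1.cer.pem
# Returns:   exits the shell if $1 is missing/empty; 1 if the key does not
#            exist (run create_key first); otherwise openssl's status
#######################################
create_cert() {
  : "${1:?create_cert: certificate name required}"
  if [ ! -f "private/$1.key.pem" ]; then
    echo "create_cert: private/$1.key.pem not found; run create_key $1 first" >&2
    return 1
  fi
  openssl req -config openssl.cnf \
    -key "private/$1.key.pem" \
    -new -sha256 -out "csr/$1.csr.pem"
  # server_cert profile, ~1 year validity
  openssl ca -config openssl.cnf \
    -extensions server_cert -days 375 -notext -md sha256 \
    -in "csr/$1.csr.pem" \
    -out "certs/$1.cer.pem"
}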
#######################################
# Regenerate the intermediate CA's CRL from its index into crl/intermediate.crl.pem.
# Returns: openssl's status
#######################################
create_crl() {
  openssl ca -gencrl -config openssl.cnf -out crl/intermediate.crl.pem
}
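#######################################
# Revoke a leaf certificate in the intermediate CA index and refresh the CRL.
# Arguments: $1 - certificate name; revokes certs/$1.cer.pem
# Returns:   exits the shell if $1 is missing/empty; 1 if the certificate file
#            does not exist; otherwise the status of create_crl
#######################################
revoke_cert() {
  : "${1:?revoke_cert: certificate name required}"
  if [ ! -f "certs/$1.cer.pem" ]; then
    echo "revoke_cert: certs/$1.cer.pem not found" >&2
    return 1
  fi
  openssl ca -config openssl.cnf \
    -revoke "certs/$1.cer.pem"
  # A revocation is only effective once it is published in a fresh CRL
  create_crl
}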
#######################################
# Print the intermediate CA's current CRL in human-readable form.
# Returns: openssl's status
#######################################
view_crl() {
  openssl crl -noout -text -in crl/intermediate.crl.pem
}