
Commit 70a36ae

committed
Improve certificate generation
1 parent 7c543dc commit 70a36ae

1 file changed

+118
-90
lines changed


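old mode 100644
new mode 100755
--- a/create_ca_cert.sh
+++ b/create_ca_cert.sh
@@ -2,12 +2,50 @@
 
 set -Eeuo pipefail
 
-declare -i DEBUG=0
+# Default values
+CERT_PASSWORD=${CERT_PASSWORD:-foobar} # Allow override via environment
+KEY_SIZE_CA=${KEY_SIZE_CA:-4096}
+KEY_SIZE_WEB=${KEY_SIZE_WEB:-2048}
+ENCRYPTION_CIPHER="des3"
+ALLDOMAINS=${ALLDOMAINS:-""}
+
+# Cleanup function
+cleanup() {
+local exit_code=$?
+# Clean up temporary files if any
+rm -f *.tmp 2>/dev/null
+exit $exit_code
+}
+
+trap cleanup EXIT
+trap 'trap - EXIT; cleanup; exit -1' INT PIPE TERM
 
+# Enhanced logging
 logInfo() {
-echo "INFO: $@"
+echo "[INFO] $(date '+%Y-%m-%d %H:%M:%S') - $*"
+}
+
+logError() {
+echo "[ERROR] $(date '+%Y-%m-%d %H:%M:%S') - $*" >&2
+}
+
+# Create directory with proper permissions
+create_secure_dir() {
+local dir=$1
+mkdir -p "$dir"
+chmod 700 "$dir"
+}
+
+# Generate key with proper permissions
+generate_secure_key() {
+local keyfile=$1
+local keysize=$2
+openssl genrsa -${ENCRYPTION_CIPHER} -passout "pass:${CERT_PASSWORD}" -out "$keyfile" "$keysize" &>/dev/null
+chmod 600 "$keyfile"
 }
 
+# Main script starts here
+
 PROJ_NAME=DockerMirrorBox
 logInfo "Will create certificate with names $ALLDOMAINS"
 
@@ -22,104 +60,94 @@ CN_CA=${CN_CA:0:64}
 CN_IA=${CN_IA:0:64}
 CN_WEB=${CN_WEB:0:64}
 
-mkdir -p /ca /certs
+mkdir -p /certs ca
 cd /ca
 
 CA_KEY_FILE=${CA_KEY_FILE:-/ca/ca.key}
 CA_CRT_FILE=${CA_CRT_FILE:-/ca/ca.crt}
 CA_SRL_FILE=${CA_SRL_FILE:-/ca/ca.srl}
 
 if [ -f "$CA_CRT_FILE" ]; then
-logInfo "CA already exists. Good. We'll reuse it."
-if [ ! -f "$CA_SRL_FILE" ]; then
-echo 01 >${CA_SRL_FILE}
-fi
+logInfo "CA already exists. Good. We'll reuse it."
+if [ ! -f "$CA_SRL_FILE" ]; then
+echo 01 >"${CA_SRL_FILE}"
+fi
 else
-logInfo "No CA was found. Generating one."
-logInfo "*** Please *** make sure to mount /ca as a volume -- if not, everytime this container starts, it will regenerate the CA and nothing will work."
-
-openssl genrsa -des3 -passout pass:foobar -out ${CA_KEY_FILE} 4096
-
-logInfo "generate CA cert with key and self sign it: ${CAID}"
-openssl req -new -x509 -days 1300 -sha256 -key ${CA_KEY_FILE} -out ${CA_CRT_FILE} -passin pass:foobar -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=ME/OU=IT/CN=${CN_CA}" -extensions IA -config <(
-cat <<-EOF
-[req]
-distinguished_name = dn
-[dn]
-[IA]
-basicConstraints = critical,CA:TRUE
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-subjectKeyIdentifier = hash
-EOF
-)
-
-[[ ${DEBUG} -gt 0 ]] && logInfo "show the CA cert details"
-[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in ${CA_CRT_FILE}
-
-echo 01 >${CA_SRL_FILE}
+logInfo "No CA was found. Generating one."
+logInfo "*** Please *** make sure to mount /ca as a volume -- if not, everytime this container starts, it will regenerate the CA and nothing will work."
+
+create_secure_dir "/ca"
+generate_secure_key "${CA_KEY_FILE}" "${KEY_SIZE_CA}"
+
+logInfo "generate CA cert with key and self sign it: ${CAID}"
+openssl req -new -x509 -days 36500 -sha256 -key "${CA_KEY_FILE}" -out "${CA_CRT_FILE}" -passin pass:foobar -subj "/C=DE/ST=Schleswig-Holstein/L=Kiel/O=Gitpod GmbH/OU=IT/CN=${CN_CA}" -extensions IA -config <(
+cat <<-EOF
+[req]
+distinguished_name = dn
+[dn]
+[IA]
+basicConstraints = critical,CA:TRUE
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+EOF
+)
+
+echo 01 >"${CA_SRL_FILE}"
 
 fi
 
 cd /certs
 
-if [ ! -f "fullchain_with_key.pem" ]; then
-logInfo "Generate IA key"
-openssl genrsa -des3 -passout pass:foobar -out ia.key 4096 &>/dev/null
-
-logInfo "Create a signing request for the IA: ${CAID}"
-openssl req -new -key ia.key -out ia.csr -passin pass:foobar -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=ME/OU=IT/CN=${CN_IA}" -reqexts IA -config <(
-cat <<-EOF
-[req]
-distinguished_name = dn
-[dn]
-[IA]
-basicConstraints = critical,CA:TRUE,pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-subjectKeyIdentifier = hash
-EOF
-)
-
-[[ ${DEBUG} -gt 0 ]] && logInfo "Show the singing request, to make sure extensions are there"
-[[ ${DEBUG} -gt 0 ]] && openssl req -in ia.csr -noout -text
-
-logInfo "Sign the IA request with the CA cert and key, producing the IA cert"
-openssl x509 -req -days 730 -in ia.csr -CA ${CA_CRT_FILE} -CAkey ${CA_KEY_FILE} -CAserial ${CA_SRL_FILE} -out ia.crt -passin pass:foobar -extensions IA -extfile <(
-cat <<-EOF
-[req]
-distinguished_name = dn
-[dn]
-[IA]
-basicConstraints = critical,CA:TRUE,pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-subjectKeyIdentifier = hash
-EOF
-) &>/dev/null
-
-[[ ${DEBUG} -gt 0 ]] && logInfo "show the IA cert details"
-[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in ia.crt
-
-logInfo "Initialize the serial number for signed certificates"
-echo 01 >ia.srl
-
-logInfo "Create the key (w/o passphrase..)"
-openssl genrsa -des3 -passout pass:foobar -out web.orig.key 2048 &>/dev/null
-openssl rsa -passin pass:foobar -in web.orig.key -out web.key &>/dev/null
-
-logInfo "Create the signing request, using extensions"
-openssl req -new -key web.key -sha256 -out web.csr -passin pass:foobar -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=ME/OU=IT/CN=${CN_WEB}" -reqexts SAN -config <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}"))
-
-[[ ${DEBUG} -gt 0 ]] && logInfo "Show the singing request, to make sure extensions are there"
-[[ ${DEBUG} -gt 0 ]] && openssl req -in web.csr -noout -text
-
-logInfo "Sign the request, using the intermediate cert and key"
-openssl x509 -req -days 365 -in web.csr -CA ia.crt -CAkey ia.key -out web.crt -passin pass:foobar -extensions SAN -extfile <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}")) &>/dev/null
-
-[[ ${DEBUG} -gt 0 ]] && logInfo "Show the final cert details"
-[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in web.crt
-
-logInfo "Concatenating fullchain.pem..."
-cat web.crt ia.crt ${CA_CRT_FILE} >fullchain.pem
-
-logInfo "Concatenating fullchain_with_key.pem"
-cat fullchain.pem web.key >fullchain_with_key.pem
-fi
+logInfo "Generate IA key"
+openssl genrsa -des3 -passout pass:foobar -out ia.key 4096 &>/dev/null
+
+logInfo "Create a signing request for the IA: ${CAID}"
+openssl req -new -key ia.key -out ia.csr -passin pass:foobar -subj "/C=DE/ST=Schleswig-Holstein/L=Kiel/O=Gitpod GmbH/OU=IT/CN=${CN_IA}" -reqexts IA -config <(
+cat <<-EOF
+[req]
+distinguished_name = dn
+[dn]
+[IA]
+basicConstraints = critical,CA:TRUE,pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+EOF
+)
+
+logInfo "Sign the IA request with the CA cert and key, producing the IA cert"
+openssl x509 -req -days 36500 -in ia.csr -CA "${CA_CRT_FILE}" -CAkey "${CA_KEY_FILE}" -CAserial "${CA_SRL_FILE}" -out ia.crt -passin pass:foobar -extensions IA -extfile <(
+cat <<-EOF
+[req]
+distinguished_name = dn
+[dn]
+[IA]
+basicConstraints = critical,CA:TRUE,pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+EOF
+) &>/dev/null
+
+logInfo "Initialize the serial number for signed certificates"
+echo 01 >ia.srl
+
+logInfo "Create the key (w/o passphrase..)"
+openssl genrsa -des3 -passout pass:foobar -out web.orig.key 2048 &>/dev/null
+openssl rsa -passin pass:foobar -in web.orig.key -out web.key &>/dev/null
+
+logInfo "Create the signing request, using extensions"
+openssl req -new -key web.key -sha256 -out web.csr -passin pass:foobar -subj "/C=DE/ST=Schleswig-Holstein/L=Kiel/O=Gitpod GmbH/OU=IT/CN=${CN_WEB}" -reqexts SAN -config <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=%s" "$ALLDOMAINS"))
+
+logInfo "Sign the request, using the intermediate cert and key"
+openssl x509 -req -days 36500 -in web.csr -CA ia.crt -CAkey ia.key -out web.crt -passin pass:foobar -extensions SAN -extfile <(cat <(printf '[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=%s' "$ALLDOMAINS")) &>/dev/null
+
+logInfo "Concatenating fullchain.pem..."
+cat web.crt ia.crt "${CA_CRT_FILE}" >fullchain.pem
+
+logInfo "Concatenating fullchain_with_key.pem"
+cat fullchain.pem web.key >fullchain_with_key.pem
+
+# Secure the generated files
+chmod 600 /certs/*.key
+chmod 644 /certs/*.crt /certs/*.pem
+
+logInfo "Certificate generation completed successfully"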
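Review bot: `chmod 644 /certs/*.crt /certs/*.pem` at the end of the section makes `fullchain_with_key.pem` world-readable, and that file contains the unencrypted `web.key` concatenated two lines earlier, so the `chmod 600 /certs/*.key` just above it protects only the loose copy of the key; split it into `chmod 644 /certs/*.crt /certs/fullchain.pem` and `chmod 600 /certs/fullchain_with_key.pem`. `mkdir -p /certs ca` on new line 63 creates `ca` relative to the current directory while the next line runs `cd /ca`, so on a container without a mounted `/ca` the `cd` fails under `set -e` before `create_secure_dir "/ca"` is ever reached — this looks like a typo for `/ca`. `CERT_PASSWORD` is now the passphrase that `generate_secure_key` writes to the CA key, but every later `-passin`/`-passout` (new lines 83, 102, 105, 118, 134, 135, 138, 141) still hardcodes `pass:foobar`, so overriding the variable breaks decryption of the CA key; using `-passin env:CERT_PASSWORD` throughout would fix that and also keep the secret out of `ps` output. `-days 36500` on the intermediate and leaf certificates (new lines 118 and 141) is an unusually long validity for a server certificate and is worth either shortening or a comment explaining why it is intentional.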
