2

bin/gen-cert-1.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+# if the server name is undefined, lets default to 'Some-Server'
+SERVER="${SERVER:-Some-Server}"
+
+CORPORATION="NgTech LTD"
+GROUP="IT"
+CITY="Karney Shomron"
+STATE="Center"
+COUNTRY="IL"
+DAYS="3650"
+
+CERT_AUTH_PASS=`openssl rand -base64 32`
+echo $CERT_AUTH_PASS > cert_auth_password
+CERT_AUTH_PASS=`cat cert_auth_password`
+
+# create the certificate authority
+openssl \
+  req \
+  -subj "/CN=$SERVER.ca/OU=$GROUP/O=$CORPORATION/L=$CITY/ST=$STATE/C=$COUNTRY" \
+  -new \
+  -x509 \
+  -keyout ca-cert.key \
+  -out ca-cert.crt \
+  -days ${DAYS}
+
+#  -passout pass:$CERT_AUTH_PASS \
+
+# create client private key (used to decrypt the cert we get from the CA)
+openssl genrsa -out $SERVER.key
+
+# create the CSR(Certitificate Signing Request)
+openssl \
+  req \
+  -new \
+  -nodes \
+  -subj "/CN=$SERVER/OU=$GROUP/O=$CORPORATION/L=$CITY/ST=$STATE/C=$COUNTRY" \
+  -sha256 \
+  -extensions v3_req \
+  -reqexts SAN \
+  -key $SERVER.key \
+  -out $SERVER.csr \
+  -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER")) \
+  -days 36500
+
+# sign the certificate with the certificate authority
+openssl \
+  x509 \
+  -req \
+  -days ${DAYS} \
+  -in $SERVER.csr \
+  -CA ca-cert.crt \
+  -CAkey ca-cert.key \
+  -CAcreateserial \
+  -out $SERVER.crt \
+  -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER")) \
+  -extensions SAN 
+#  -passin pass:$CERT_AUTH_PASS

bin/gen-cert-2.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+
+STATE=$(head -1 vars/state)
+COUNTRY=$(head -1 vars/country)
+LOCALITY=$(head -1 vars/locality)
+ORGANIZATION=$(head -1 vars/organization)
+LOCALITRY=$(head -1 vars/locality)
+CN=$(head -1 vars/cn)
+
+SUBJECT_ALTERNATIVES=$( python3 gen-subject-alternatives.py )
+#sed -e "s/###CN##/commonName = $COMMON_NAME/g" \
+#	-e "s/###COUNTRY###/countryName = $COUNTRY/g" \
+#	-e "s/###STATE###/stateOrProvinceName = $STATE/g" \
+#	-e  "s/###LOCALITY###/localityName = $LOCALITY/g" \
+#	-e "s/###ORGANIZATION###/organizationName = $ORGANIZATION/g" \
+#	templates/csrconfig.txt.in
+
+jinja2 templates/csrconfig.txt.j2 -D cn="${CN}" -D country="${COUNTRY}" -D state="${STATE}" -D locality="${LOCALITY}" \
+	-D org="${ORGANIZATION}" -D subj_alternative="${SUBJECT_ALTERNATIVES}" > tmp/csrconfig.txt
+
+
+#generate the RSA private key
+openssl genpkey -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out output/priv.key
+
+#Create the CSR
+openssl req -new -nodes -key output/priv.key -config tmp/csrconfig.txt -out output/cert.csr

bin/gen-subject-alternatives.py

@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+
+def read_file(file_name):
+    with open(file_name, 'r') as file:
+        data = file.readlines()
+    return [line.strip() for line in data if line.strip()]
+
+def generate_san_config(ips, domains, emails):
+    san_config = ""
+    entries = []
+
+    for i, ip in enumerate(ips):
+        entries.append(f"IP.{i} = {ip}")
+
+    for i, domain in enumerate(domains):
+        entries.append(f"DNS.{i} = {domain}")
+
+    for i, email in enumerate(emails):
+        entries.append(f"email.{i} = {email}")
+
+    san_config += "\n".join(entries)
+    return san_config
+
+def main():
+    ip_file = "vars/ips"
+    domain_file = "vars/domains"
+    email_file = "vars/emails"
+
+    ips = read_file(ip_file)
+    domains = read_file(domain_file)
+    emails = read_file(email_file)
+
+    if not ips and not domains and not emails:
+        return
+
+    san_config = generate_san_config(ips, domains, emails)
+
+    print(san_config)
+
+if __name__ == "__main__":
+    main()
+

bin/gen-subject-alternatives.rb

@@ -0,0 +1,44 @@
+#!/usr/bin/env ruby
+
+def read_file(file_name)
+  File.readlines(file_name).map(&:strip).reject(&:empty?)
+end
+
+def generate_san_config(ips, domains, emails)
+  entries = []
+
+  ips.each_with_index do |ip, i|
+    entries << "IP.#{i} = #{ip}"
+  end
+
+  domains.each_with_index do |domain, i|
+    entries << "DNS.#{i} = #{domain}"
+  end
+
+  emails.each_with_index do |email, i|
+    entries << "email.#{i} = #{email}"
+  end
+
+  entries.join("\n")
+end
+
+def main
+  ip_file = "vars/ips"
+  domain_file = "vars/domains"
+  email_file = "vars/emails"
+
+  ips = read_file(ip_file)
+  domains = read_file(domain_file)
+  emails = read_file(email_file)
+
+  return if ips.empty? && domains.empty? && emails.empty?
+
+  san_config = generate_san_config(ips, domains, emails)
+
+  puts san_config
+end
+
+if __FILE__ == $PROGRAM_NAME
+  main
+end
+

bin/templates/csrconfig.txt.in

@@ -0,0 +1,20 @@
+[ req ]
+default_md = sha256
+prompt = no
+req_extensions = req_ext
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+commonName = ###CN##
+countryName = ###COUNTRY###
+stateOrProvinceName = ###STATE###
+localityName = ###LOCALITY###
+organizationName = ###ORGANIZATION###
+
+[ req_ext ]
+keyUsage=critical,digitalSignature,keyEncipherment
+extendedKeyUsage=critical,serverAuth,clientAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
+###ALTERNATIVE_NAMES###

bin/templates/csrconfig.txt.j2

@@ -0,0 +1,20 @@
+[ req ]
+default_md = sha256
+prompt = no
+req_extensions = req_ext
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+commonName = {{ cn }}
+countryName = {{ country }}
+stateOrProvinceName = {{ state }}
+localityName = {{ locality }}
+organizationName = {{ org }}
+
+[ req_ext ]
+keyUsage=critical,digitalSignature,keyEncipherment
+extendedKeyUsage=critical,serverAuth,clientAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
+{{ subj_alternative }}

bin/vars/cn

@@ -0,0 +1 @@
+example.org

bin/vars/country

@@ -0,0 +1 @@
+IL

bin/vars/domains

@@ -0,0 +1,2 @@
+example.org
+*.example.org

bin/vars/ips

@@ -0,0 +1,3 @@
+10.0.0.138
+192.168.0.1
+192.168.1.1

bin/vars/locality

@@ -0,0 +1 @@
+Karney Shomron

bin/vars/organization

@@ -0,0 +1 @@
+NgTech LTD

bin/vars/state

@@ -0,0 +1 @@
+Center