From 435b6387017ede59b3ab7423cefc7a3ec13ba4a7 Mon Sep 17 00:00:00 2001
From: progressive-kiwi
Date: Mon, 31 Mar 2025 00:52:48 +0200
Subject: [PATCH] feat/mtls-support-cert-script

---
 .gitignore | 5 +-
 self-signed-certs-for-mtls.sh | 125 ++++++++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100755 self-signed-certs-for-mtls.sh

diff --git a/.gitignore b/.gitignore
index 8b1c477..ba74660 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
 newt
 .DS_Store
-bin/
\ No newline at end of file
+bin/
+.idea
+*.iml
+certs/
\ No newline at end of file
diff --git a/self-signed-certs-for-mtls.sh b/self-signed-certs-for-mtls.sh
new file mode 100755
index 0000000..3265123
--- /dev/null
+++ b/self-signed-certs-for-mtls.sh
@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+set -eu
+
+echo -n "Enter username for certs (eg alice): "
+read CERT_USERNAME
+echo
+
+echo -n "Enter domain of user (eg example.com): "
+read DOMAIN
+echo
+
+# Prompt for password at the start
+echo -n "Enter password for certificate: "
+read -s PASSWORD
+echo
+echo -n "Confirm password: "
+read -s PASSWORD2
+echo
+
+if [ "$PASSWORD" != "$PASSWORD2" ]; then
+ echo "Passwords don't match!"
+ exit 1
+fi
+CA_DIR="./certs/ca"
+CLIENT_DIR="./certs/clients"
+FILE_PREFIX=$(echo "$CERT_USERNAME-at-$DOMAIN" | sed 's/\./-/')
+
+mkdir -p "$CA_DIR"
+mkdir -p "$CLIENT_DIR"
+
+if [ ! -f "$CA_DIR/ca.crt" ]; then
+# Generate CA private key
+ openssl genrsa -out "$CA_DIR/ca.key" 4096
+ echo "CA key ✅"
+
+ # Generate CA root certificate
+ openssl req -x509 -new -nodes \
+ -key "$CA_DIR/ca.key" \
+ -sha256 \
+ -days 3650 \
+ -out "$CA_DIR/ca.crt" \
+ -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=ca.$DOMAIN"
+
+ echo "CA cert ✅"
+fi
+
+# Generate client private key
+openssl genrsa -aes256 -passout pass:"$PASSWORD" -out "$CLIENT_DIR/$FILE_PREFIX.key" 2048
+echo "Client key ✅"
+
+# Generate client Certificate Signing Request (CSR)
+openssl req -new \
+ -key "$CLIENT_DIR/$FILE_PREFIX.key" \
+ -out "$CLIENT_DIR/$FILE_PREFIX.csr" \
+ -passin pass:"$PASSWORD" \
+ -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=$CERT_USERNAME@$DOMAIN"
+echo "Client cert ✅"
+
+echo -n "Signing client cert..."
+# Create client certificate configuration file
+cat > "$CLIENT_DIR/$FILE_PREFIX.ext" << EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $DOMAIN
+EOF
+
+# Generate client certificate signed by CA
+openssl x509 -req \
+ -in "$CLIENT_DIR/$FILE_PREFIX.csr" \
+ -CA "$CA_DIR/ca.crt" \
+ -CAkey "$CA_DIR/ca.key" \
+ -CAcreateserial \
+ -out "$CLIENT_DIR/$FILE_PREFIX.crt" \
+ -days 365 \
+ -sha256 \
+ -extfile "$CLIENT_DIR/$FILE_PREFIX.ext"
+
+# Verify the client certificate
+openssl verify -CAfile "$CA_DIR/ca.crt" "$CLIENT_DIR/$FILE_PREFIX.crt"
+echo "Signed ✅"
+
+# Create encrypted PEM bundle
+openssl rsa -in "$CLIENT_DIR/$FILE_PREFIX.key" -passin pass:"$PASSWORD" \
+ | cat "$CLIENT_DIR/$FILE_PREFIX.crt" - > "$CLIENT_DIR/$FILE_PREFIX-bundle.enc.pem"
+
+
+# Convert to PKCS12
+echo "Converting to PKCS12 format..."
+openssl pkcs12 -export \
+ -out "$CLIENT_DIR/$FILE_PREFIX.enc.p12" \
+ -inkey "$CLIENT_DIR/$FILE_PREFIX.key" \
+ -in "$CLIENT_DIR/$FILE_PREFIX.crt" \
+ -certfile "$CA_DIR/ca.crt" \
+ -name "$CERT_USERNAME@$DOMAIN" \
+ -passin pass:"$PASSWORD" \
+ -passout pass:"$PASSWORD"
+echo "Converted to encrypted p12 for macOS ✅"
+
+# Convert to PKCS12 format without encryption
+echo "Converting to non-encrypted PKCS12 format..."
+openssl pkcs12 -export \
+ -out "$CLIENT_DIR/$FILE_PREFIX.p12" \
+ -inkey "$CLIENT_DIR/$FILE_PREFIX.key" \
+ -in "$CLIENT_DIR/$FILE_PREFIX.crt" \
+ -certfile "$CA_DIR/ca.crt" \
+ -name "$CERT_USERNAME@$DOMAIN" \
+ -passin pass:"$PASSWORD" \
+ -passout pass:""
+echo "Converted to non-encrypted p12 ✅"
+
+# Clean up intermediate files
+rm "$CLIENT_DIR/$FILE_PREFIX.csr" "$CLIENT_DIR/$FILE_PREFIX.ext" "$CA_DIR/ca.srl"
+echo
+echo
+
+echo "CA certificate: $CA_DIR/ca.crt"
+echo "CA private key: $CA_DIR/ca.key"
+echo "Client certificate: $CLIENT_DIR/$FILE_PREFIX.crt"
+echo "Client private key: $CLIENT_DIR/$FILE_PREFIX.key"
+echo "Client cert bundle: $CLIENT_DIR/$FILE_PREFIX.p12"
+echo "Client cert bundle (encrypted): $CLIENT_DIR/$FILE_PREFIX.enc.p12"
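Review bot: The step under `# Create encrypted PEM bundle` writes the client key in the clear: `openssl rsa -in … -passin pass:"$PASSWORD"` with no cipher option strips the passphrase on output, so `$FILE_PREFIX-bundle.enc.pem` holds an unencrypted private key despite its name, and because it is produced by a shell redirection (like the `.p12` outputs, one of which is deliberately `-passout pass:""`) it gets the caller's default umask rather than owner-only permissions — either add `-aes256 -passout pass:"$PASSWORD"` to that `openssl rsa` call or rename the file, and put `umask 077` directly after `set -eu` so every file the script creates is owner-readable only. Passing the secret as `pass:"$PASSWORD"` on every openssl invocation also exposes it on the command line to other local users via `ps`; `export PASSWORD` once and use `-passin env:PASSWORD` / `-passout env:PASSWORD` instead. `CERT_USERNAME` and `DOMAIN` are `read` without `-r` and never validated before being used as path components (`$CLIENT_DIR/$FILE_PREFIX.key`) and inside `-subj`, so a stray `/` in either reaches the filesystem path and the DN unchanged; a whitelist such as `[[ "$CERT_USERNAME" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1` (and the same for `DOMAIN`) keeps the output inside `certs/`. Separately, `sed 's/\./-/'` lacks the `g` flag and replaces only the first dot, so a multi-label domain still leaves dots in `FILE_PREFIX`. The client `.ext` file carries a `DNS.1` SAN but no `extendedKeyUsage = clientAuth`, which some mTLS servers require on client certificates; consider adding it next to `keyUsage`.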