Bash-Funk “openssl” module
The following commands are available when this module is loaded:
License
SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com)
SPDX-License-Identifier: Apache-2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-gen-x509cert
Usage: -gen-x509cert [OPTION]... FQ_DNS_NAME
Generates a (self-signed) X509 server certificate.
Parameters:
FQ_DNS_NAME (required, pattern: "[*a-zA-Z0-9_.-]+")
Fully qualified DNS name of the server.
Options:
--CAcert FILE (file)
Certificate file of the signing CA.
--CAkey FILE (file)
Private key file of the signing CA.
--aliases NAME1[,...] (pattern: "[*a-zA-Z0-9_.-]+")
Additional DNS aliases (alternative subject names).
--dh1024
Generate a certificate with DH 1024 params that also works with older Java 5/6 clients, which would otherwise throw a 'Could not generate DH keypair' exception.
-f, --force
Do not prompt before overwriting.
--keysize SIZE (integer: 1-?)
Number of bits of the private key. Default is 2048.
--subject VALUE
Certificate subject instead of '/CN=<COMMON_NAME>'.
--validity DAYS
Validity in days. Default is 1095.
-----------------------------
--help
Prints this help.
--tracecmd
Enables bash debug mode (set -x).
--selftest
Performs a self-test.
--
Terminates the option list.
Implementation:
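# -- refuse to overwrite an existing key/CSR/cert unless --force was given --
if [[ ! ${_force:-} ]]; then
  local _existing
  for _existing in "${_FQ_DNS_NAME}.key" "${_FQ_DNS_NAME}.csr" "${_FQ_DNS_NAME}.crt"; do
    if [[ -e "$_existing" ]]; then
      echo "${_existing} already exists. Use option --force to overwrite."
      return 1
    fi
  done
fi

# -- --CAcert and --CAkey are only meaningful as a pair --
if [[ ${_CAkey:-} && ! ${_CAcert:-} ]]; then
  echo "Using option --CAkey requires option --CAcert"
  return 1
fi
if [[ ${_CAcert:-} && ! ${_CAkey:-} ]]; then
  echo "Using option --CAcert requires option --CAkey"
  return 1
fi

# subject defaults to a bare CN built from the DNS name
local _subject=${_subject:-/CN=${_FQ_DNS_NAME}}

# -- private key and certificate signing request --
openssl genrsa -out "${_FQ_DNS_NAME}.key" "${_keysize:-2048}" || return 1
echo " -> file [${_FQ_DNS_NAME}.key] created."
openssl req -new -key "${_FQ_DNS_NAME}.key" -out "${_FQ_DNS_NAME}.csr" -subj "${_subject}" || return 1
echo " -> file [${_FQ_DNS_NAME}.csr] created."
echo "Generating certificate with subject [$_subject]..."

# Build the x509 command line as an array and call openssl directly.
# The former string+eval form re-parsed the --CAcert/--CAkey paths, the
# serial file name and the temp file name through the shell, so a path
# containing quotes, spaces or $(...) was mangled or interpreted; array
# elements are handed to openssl verbatim.
local -a opts=(x509 -req -sha256 -days "${_validity:-1095}" -in "${_FQ_DNS_NAME}.csr" -out "${_FQ_DNS_NAME}.crt")
if [[ ${_CAcert:-} ]]; then
  opts+=(-CA "$_CAcert" -CAkey "$_CAkey")
  # reuse the CA's serial file if one sits next to the CA cert, otherwise let openssl create it
  local caSerialFile="${_CAcert%.*}.srl"
  if [[ -e "$caSerialFile" ]]; then
    opts+=(-CAserial "$caSerialFile")
  else
    opts+=(-CAcreateserial)
  fi
else
  # self-signed: fixed serial 01, signed with the server's own key
  opts+=(-set_serial 01 -signkey "${_FQ_DNS_NAME}.key")
fi

if [[ ${_aliases:-} ]]; then
  # subjectAltName value of the form "DNS:a, DNS:b, ..."; altNames is
  # initialised explicitly so the first iteration is well-defined under set -u
  local altName altNames=""
  for altName in "${_aliases[@]}"; do
    altNames="${altNames:+$altNames, }DNS:$altName"
  done
  local extfile rc=0
  extfile=$(mktemp) || return 1
  printf 'subjectAltName=%s\n' "$altNames" > "$extfile"
  # capture the status instead of returning early so the temp file is removed on failure too
  openssl "${opts[@]}" -extfile "$extfile" || rc=$?
  rm -f -- "$extfile"
  (( rc == 0 )) || return 1
else
  openssl "${opts[@]}" || return 1
fi
echo " -> file [${_FQ_DNS_NAME}.crt] created."

if [[ ${_dh1024:-} ]]; then
  # http://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh
  # will degrade website rating to B on https://www.ssllabs.com/ssltest/
  openssl dhparam 1024 >> "${_FQ_DNS_NAME}.crt" || return 1
fi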
-gen-x509rootca
Usage: -gen-x509rootca [OPTION]... COMMON_NAME
Generates a self-signed X509 root CA certificate.
Parameters:
COMMON_NAME (required, pattern: "[a-zA-Z0-9_.-]+")
Common name of the CA.
Options:
-f, --force
Do not prompt before overwriting.
--keysize SIZE (integer: 1-?)
Number of bits of the private key. Default is 4096.
--subject VALUE
Certificate subject instead of '/CN=<COMMON_NAME>'.
--validity DAYS
Validity in days. Default is 3650.
-----------------------------
--help
Prints this help.
--tracecmd
Enables bash debug mode (set -x).
--selftest
Performs a self-test.
--
Terminates the option list.
Implementation:
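# -- refuse to overwrite an existing key/cert unless --force was given --
if [[ ! ${_force:-} ]]; then
  local _existing
  for _existing in "${_COMMON_NAME}.key" "${_COMMON_NAME}.crt"; do
    if [[ -e "$_existing" ]]; then
      echo "${_existing} already exists. Use option --force to overwrite."
      return 1
    fi
  done
fi

# subject defaults to a bare CN built from the common name
local _subject=${_subject:-/CN=${_COMMON_NAME}}

# -- CA private key --
openssl genrsa -out "${_COMMON_NAME}.key" "${_keysize:-4096}" || return 1
echo " -> file [${_COMMON_NAME}.key] created."

# -- self-signed CA certificate --
# -sha256 is given explicitly (as -gen-x509cert already does) rather than
# relying on the signature digest default of the installed openssl build.
echo "Generating certificate with subject [$_subject]..."
openssl req -x509 -new -sha256 -key "${_COMMON_NAME}.key" -days "${_validity:-3650}" -out "${_COMMON_NAME}.crt" -subj "${_subject}" || return 1
echo " -> file [${_COMMON_NAME}.crt] created."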
-test-all-openssl
Usage: -test-all-openssl [OPTION]...
Performs a selftest of all functions of this module by executing each function with option '--selftest'.
Options:
--help
Prints this help.
--tracecmd
Enables bash debug mode (set -x).
--selftest
Performs a self-test.
--
Terminates the option list.
Implementation:
# Run every function of this module with --selftest; a blank line separates
# the outputs, and the first failing selftest aborts with status 1.
local fn
for fn in -gen-x509cert -gen-x509rootca; do
  "$fn" --selftest && echo || return 1
done