#!/usr/bin/env bash
# make-cert: keep a small private CA under $DATA_PATH and issue host
# certificates signed by it. All configuration comes from the environment:
#   DATA_PATH       (required) directory holding certs, keys, serial, database
#   CERT_PATH       printf format for certificate paths, one %s
#                   (default: $DATA_PATH/%s.crt)
#   KEY_PATH        printf format for private-key paths, one %s
#                   (default: $DATA_PATH/%s.key)
#   OPENSSL_CONFIG  path of the rendered OpenSSL config (default ./openssl.conf);
#                   it is rendered from the same name with .conf -> .tmpl
: "${DATA_PATH:=}"
export DATA_PATH
if [[ -z "$DATA_PATH" ]]; then
  printf '%s\n' "DATA_PATH is required" >&2
  exit 1
fi
export CERT_PATH="${CERT_PATH:-${DATA_PATH}/%s.crt}"
export KEY_PATH="${KEY_PATH:-${DATA_PATH}/%s.key}"
export OPENSSL_CONFIG="${OPENSSL_CONFIG:-./openssl.conf}"
# CERT_PREFIX is the per-year subdirectory certs and keys are filed under;
# START_DATE is today at 00:00:00 UTC, in the form the config template expects.
CERT_PREFIX=$(date +%Y)
START_DATE=$(TZ=UTC date +"%y%m%d000000Z")
export CERT_PREFIX START_DATE
# State files consumed by `openssl ca`.
export SERIAL_PATH="$DATA_PATH/serial"
export DATABASE_PATH="$DATA_PATH/database"
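#######################################
# Render the OpenSSL config from its template, replacing every
# $ENV::NAME placeholder with the value of the matching variable.
# Globals:   SERIAL_PATH, DATABASE_PATH, CA_KEY, CA_CERT, START_DATE,
#            SUBJECT_ALT_NAME (read; an unset one is inserted as empty)
# Arguments: $1 - target config path; the template is read from the same
#            path with .conf replaced by .tmpl
# Outputs:   writes the rendered config to $1
# Returns:   0 on success, 1 if the template cannot be read
#######################################
create_openssl_config() {
  local target=$1
  local source="${target%.conf}.tmpl"
  local rendered
  if [[ ! -r "$source" ]]; then
    printf 'template not readable: %s\n' "$source" >&2
    return 1
  fi
  # Substitute with bash pattern replacement rather than sed: values such as
  # SUBJECT_ALT_NAME are derived from command-line names, and a ',', '&' or
  # '\' in them would otherwise be parsed as part of the s,,, expression.
  # The placeholder is single-quoted so it is matched literally, and the
  # value is double-quoted so '&' in it is never expanded (bash 5.2
  # patsub_replacement).
  rendered=$(<"$source")
  rendered=${rendered//'$ENV::SERIAL_PATH'/"$SERIAL_PATH"}
  rendered=${rendered//'$ENV::DATABASE_PATH'/"$DATABASE_PATH"}
  rendered=${rendered//'$ENV::CA_KEY'/"$CA_KEY"}
  rendered=${rendered//'$ENV::CA_CERT'/"$CA_CERT"}
  rendered=${rendered//'$ENV::START_DATE'/"$START_DATE"}
  rendered=${rendered//'$ENV::SUBJECT_ALT_NAME'/"$SUBJECT_ALT_NAME"}
  printf '%s\n' "$rendered" > "$target"
}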
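#######################################
# Prepare the data directory: the per-year certificate and key directories
# plus the serial and index files that `openssl ca` needs.
# Globals:   DATA_PATH, CERT_PATH, KEY_PATH, CERT_PREFIX, SERIAL_PATH,
#            DATABASE_PATH (read)
# Arguments: none
# Returns:   0 on success, 1 if a directory or file could not be created
#######################################
init() {
  mkdir -p -- "$DATA_PATH" || return 1
  # Both directories are derived from the path formats. The original used
  # CERT_PREFIX (just the year) for the cert directory, which resolved to
  # ./<year> in the working directory instead of the CERT_PATH directory.
  mkdir -p -- "$(dirname "$CERT_PATH")/$CERT_PREFIX" || return 1
  mkdir -p -- "$(dirname "$KEY_PATH")/$CERT_PREFIX" || return 1
  # openssl ca needs a starting serial number ...
  if [[ ! -f "$SERIAL_PATH" ]]; then
    printf '%s\n' "0001" > "$SERIAL_PATH" || return 1
  fi
  # ... and an index database, which starts empty. Existing files are kept.
  if [[ ! -f "$DATABASE_PATH" ]]; then
    : > "$DATABASE_PATH" || return 1
  fi
}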
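#######################################
# Create the CA key and certificate unless both already exist. The CA is
# first self-signed with `openssl req -x509`, then re-issued through
# `openssl ca` so it is recorded in the serial and database files.
# Globals:   OPENSSL_CONFIG (read; rendered here and removed afterwards)
# Arguments: $1 - CA common name
#            $2 - output certificate path
#            $3 - output private key path
# Returns:   0 on success or if the CA already exists; 1 if mktemp fails;
#            otherwise the status of the first failing step
#######################################
make_ca() {
  local ca="$1" cert="$2" key="$3"
  if [[ -f "$cert" && -f "$key" ]]; then
    return 0
  fi
  # Intermediate files live in a private mktemp directory rather than under
  # fixed names in the working directory.
  local workdir
  workdir=$(mktemp -d) || return 1
  local temp_cert="$workdir/temp_cert.crt" temp_csr="$workdir/temp_csr.csr"
  local rc=0
  # Each step depends on the previous one's output, so stop at the first
  # failure instead of feeding a missing file to the next openssl call.
  create_openssl_config "$OPENSSL_CONFIG" \
    && openssl req -new -x509 -nodes -config "$OPENSSL_CONFIG" \
      -keyout "$key" \
      -out "$temp_cert" \
      -subj "/CN=$ca" \
      -extensions "standard_ca" \
    && openssl req -new -nodes -config "$OPENSSL_CONFIG" \
      -key "$key" \
      -out "$temp_csr" \
      -subj "/CN=$ca" \
      -extensions "standard_ca" \
    && openssl ca -config "$OPENSSL_CONFIG" \
      -batch \
      -cert "$temp_cert" \
      -out "$cert" \
      -in "$temp_csr" \
      -extensions "standard_ca" \
    || rc=$?
  # Clean up on every path. Removing ./*.pem is carried over from the
  # original script (presumably the copy `openssl ca` leaves in its
  # new_certs_dir); it deletes every .pem in the working directory, so run
  # this script from a directory of its own.
  rm -rf -- "$workdir"
  rm -f -- ./*.pem "$OPENSSL_CONFIG"
  return "$rc"
}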
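#######################################
# Issue a certificate for one host name, signed by the CA, unless its key
# and certificate already exist.
# Globals:   KEY_PATH, CERT_PATH, CERT_PREFIX, OPENSSL_CONFIG (read);
#            SUBJECT_ALT_NAME (exported for the config template)
# Arguments: $1 - CA common name (not used by this function; kept for the
#                 caller's interface)
#            $2 - host name; used as CN, as DNS SAN and as the file name
# Returns:   0 on success or if the cert already exists; 1 for an invalid
#            name or a mktemp failure; otherwise the status of the first
#            failing step
#######################################
make_cert() {
  local ca="$1"
  local domain="$2"
  # The name becomes a path component under $CERT_PREFIX and part of the
  # -subj string; an empty name or one containing '/' would escape the
  # data directory or add subject components, so refuse it up front.
  if [[ -z "$domain" || "$domain" == */* ]]; then
    printf 'invalid name: %s\n' "$domain" >&2
    return 1
  fi
  local key_path cert_path
  # KEY_PATH/CERT_PATH are deliberately printf formats with one %s.
  # shellcheck disable=SC2059
  key_path=$(printf "$KEY_PATH" "$CERT_PREFIX/$domain")
  # shellcheck disable=SC2059
  cert_path=$(printf "$CERT_PATH" "$CERT_PREFIX/$domain")
  if [[ -f "$key_path" && -f "$cert_path" ]]; then
    return 0
  fi
  # The CSR goes to a private mktemp directory instead of ./<name>.csr.
  local workdir
  workdir=$(mktemp -d) || return 1
  local req_path="$workdir/${domain}.csr"
  local rc=0
  export SUBJECT_ALT_NAME="DNS:${domain}"
  # Stop at the first failing step; the CSR must exist before signing.
  create_openssl_config "$OPENSSL_CONFIG" \
    && openssl req -new -config "$OPENSSL_CONFIG" \
      -keyout "$key_path" \
      -out "$req_path" \
      -subj "/CN=$domain" \
      -nodes \
      -extensions "standard" \
    && openssl ca -config "$OPENSSL_CONFIG" \
      -batch \
      -noemailDN \
      -in "$req_path" \
      -out "$cert_path" \
      -extensions "standard" \
    || rc=$?
  rm -rf -- "$workdir"
  rm -f -- "$OPENSSL_CONFIG"
  return "$rc"
}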
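#######################################
# Entry point: ensure the CA named by $1 exists, then issue a certificate
# for each further argument.
# Globals:   KEY_PATH, CERT_PATH, CERT_PREFIX (read);
#            CA_KEY, CA_CERT, SUBJECT_ALT_NAME (exported for the template)
# Arguments: $1   - CA common name
#            $2.. - host names to issue certificates for
# Returns:   2 if the CA name is missing or invalid; otherwise the status
#            of the last step run
#######################################
main() {
  local ca="${1-}"
  if [[ -z "$ca" ]]; then
    printf '%s\n' "You need to specify the CA name as the first parameter" >&2
    return 2
  fi
  # The CA name is a path component under $CERT_PREFIX and part of -subj;
  # a '/' in it would leave the data directory or add subject components.
  if [[ "$ca" == */* ]]; then
    printf 'invalid CA name: %s\n' "$ca" >&2
    return 2
  fi
  init
  # KEY_PATH/CERT_PATH are deliberately printf formats with one %s.
  # shellcheck disable=SC2059
  CA_KEY=$(printf "$KEY_PATH" "$CERT_PREFIX/$ca")
  # shellcheck disable=SC2059
  CA_CERT=$(printf "$CERT_PATH" "$CERT_PREFIX/$ca")
  SUBJECT_ALT_NAME="DNS:$ca"
  export CA_KEY CA_CERT SUBJECT_ALT_NAME
  make_ca "$ca" "$CA_CERT" "$CA_KEY"
  local name
  for name in "${@:2}"; do
    make_cert "$ca" "$name"
  done
}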
# Usage: DATA_PATH=<dir> ./make-cert <ca-name> [host-name ...]
main "$@"