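#!/usr/bin/env bash
#
# Interactive helper that issues a TLS server certificate and a client
# certificate from an existing CA (./ca.pem + ./ca-key.pem), then optionally
# moves the client pair into ~/.docker and scp's the server material to a
# remote host (the closing message refers to the Docker daemon's DOCKER_OPTS).
#
# Requires: openssl (and scp for the optional transfer) on PATH.
# Writes:   ./certs/server-key.pem, ./certs/server-cert.pem,
#           ./certs/<domain_with_underscores>-{key,cert}.pem
#
# Security notes (why the code below differs from the naive version):
#   * the CA passphrase is handed to openssl via the environment
#     (-passin env:), never on the command line, so it does not show up in
#     `ps` or shell history;
#   * the server cert carries a DNS SAN for the domain as well as the IP SANs,
#     because modern TLS clients ignore the CN for hostname matching;
#   * the final "Remove server certs?" step only deletes server-* files, so a
#     client key that was not moved to ~/.docker is not destroyed.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

domain="sebfia.net"
ipAddress=""
years=1
days=365
printip="127.0.0.1"
writeip="IP:127.0.0.1"
ca_pass=""

[[ -f ca.pem && -f ca-key.pem ]] || die "ca.pem and ca-key.pem must exist in the current directory"
command -v openssl >/dev/null 2>&1 || die "openssl not found on PATH"
mkdir -p ./certs

read -r -p "Enter the domain for your server certificate: [$domain] >" response
if [[ -n "$response" ]]; then
  domain=$response
fi
# File names for the client pair derive from the domain with dots replaced.
clientName=${domain//./_}

read -r -p "Enter a forward facing ip-address besides loopback or leave empty: [$ipAddress] >" response
if [[ -n "$response" ]]; then
  ipAddress=$response
  printip="127.0.0.1 and $ipAddress"
  writeip="IP:127.0.0.1,IP:$ipAddress"
fi

read -r -p "Enter the number of years your certificates should be valid for: [$years] >" response
if [[ -n "$response" ]]; then
  # Guard the arithmetic: a non-numeric answer would otherwise produce a
  # bogus -days value for openssl.
  [[ "$response" =~ ^[1-9][0-9]*$ ]] || die "Years must be a positive integer, got '$response'"
  years=$response
  days=$(( days * years ))
fi

# -s suppresses echo; print the newline the terminal would otherwise lack.
read -r -s -p "Enter the password for your Certificate Authority: " ca_pass
printf '\n'

response="yes"
printf "Creating certificates for '%s' and ip-address(es): %s with a validity of %s days.\n" "$domain" "$printip" "$days"
read -r -p "Continue (yes|no)? [$response]" response
if [[ "$response" != "no" ]]; then
  # --- server certificate ---------------------------------------------------
  openssl genrsa -out ./certs/server-key.pem 4096
  openssl req -subj "/CN=$domain" -sha256 -new -key ./certs/server-key.pem -out ./certs/server.csr
  # DNS SAN for the domain plus the IP SANs collected above.
  printf 'subjectAltName = DNS:%s,%s\n' "$domain" "$writeip" > ./certs/extfile.cnf
  CA_PASS="$ca_pass" openssl x509 -req -days "$days" -sha256 \
    -in ./certs/server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -out ./certs/server-cert.pem -extfile ./certs/extfile.cnf -passin env:CA_PASS
  printf "Server certificate has been generated. Creating client certificate..."

  # --- client certificate ---------------------------------------------------
  openssl genrsa -out "./certs/${clientName}-key.pem" 4096
  openssl req -subj '/CN=client' -sha256 -new -key "./certs/${clientName}-key.pem" -out ./certs/client.csr
  printf 'extendedKeyUsage = clientAuth\n' > ./certs/extfile.cnf
  CA_PASS="$ca_pass" openssl x509 -req -days "$days" -sha256 \
    -in ./certs/client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -out "./certs/${clientName}-cert.pem" -extfile ./certs/extfile.cnf -passin env:CA_PASS

  # --- clean up and lock down permissions ----------------------------------
  rm -v -- ./certs/client.csr ./certs/server.csr ./certs/extfile.cnf
  chmod -v 0400 -- "./certs/${clientName}-key.pem" ./certs/server-key.pem
  chmod -v 0444 -- ./certs/server-cert.pem "./certs/${clientName}-cert.pem"
  response="no"
  printf "Done creating certificates!\n"

  read -r -p "Would you like to move the authentication certificate to your local .docker directory (yes|no)? [$response] >" response
  if [[ "$response" != "no" ]]; then
    mkdir -p "$HOME/.docker"
    mv -v -- "./certs/${clientName}-key.pem" "./certs/${clientName}-cert.pem" "$HOME/.docker/"
    printf "Client certificates have been moved.\n"
  fi

  response="no"
  read -r -p "Would you like to transfer your server certificates to a remote machine (yes|no)? [$response] >" response
  if [[ "$response" != "no" ]]; then
    remoteHost="192.168.1.10"
    read -r -p "Enter the address of your remote machine (can be IP or domain): [$remoteHost] >" response
    if [[ -n "$response" ]]; then
      remoteHost=$response
    fi
    user="root"
    read -r -p "Enter the user on your remote machine (you will need the user's password or ssh-key): [$user] >" response
    if [[ -n "$response" ]]; then
      user=$response
    fi
    destDir="/tmp/"
    read -r -p "Enter the directory on your remote machine where you would like to put the certificates: [$destDir] >" response
    if [[ -n "$response" ]]; then
      destDir=$response
    fi
    # ca.pem is the trust anchor the daemon needs; server-* is the key pair.
    scp -v ca.pem ./certs/server-*.* "$user@$remoteHost:$destDir"
    response="yes"
    read -r -p "Done copying! Remove server certs?: [$response] >" response
    if [[ "$response" != "no" ]]; then
      # Only the server material was copied, so only that is removed here.
      rm -v -- ./certs/server-*.*
    fi
  fi
fi
printf "OK, we're done. Don't forget to change the DOCKER_OPTS on your remote machine's /etc/default/docker file!"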