Untitled

#!/bin/bash

function usage () {
 echo "$0 [CA section name] [username] [first name last name] [certificate password] [CA password]"
 echo "example: $0 bncpstest karel.jelinek@unicornsystems.eu \"Karel Jelinek\" password ia81sYLm"
 exit 1
}

if [ $# -ne 5 ]
then
        usage
fi

CA_NAME="$1"
USERNAME="$2"
NAME="$3"
CERT_PASS="$4"
CA_PASS="$5"

SSL_DIR="/etc/ssl"
SSL_PRIVATE_DIR="$SSL_DIR/${CA_NAME}/private"
SSL_CERTS_DIR="$SSL_DIR/${CA_NAME}/certs"
USERS_DIR="${SSL_CERTS_DIR}/users"

mkdir -p ${USERS_DIR}

# Create the Client Key and CSR
openssl genrsa -des3 -out ${USERS_DIR}/${USERNAME}.key -passout pass:${CERT_PASS} 1024
openssl req \
    -new \
    -key ${USERS_DIR}/${USERNAME}.key\
    -out ${USERS_DIR}/${USERNAME}.csr\
    -subj "/C=EU/ST=Czech Republic/L=Prague/O=Unicorn Systems/CN=${NAME}/emailAddress=${USERNAME}" \
    -passout pass:${CERT_PASS}\
    -passin pass:${CERT_PASS}

# Sign the client certificate with our CA cert.  Unlike signing our own server cert, this is what we want to do.
openssl x509 -req -days 1825 -in ${USERS_DIR}/${USERNAME}.csr -CA $SSL_CERTS_DIR/ca.crt -CAkey $SSL_PRIVATE_DIR/ca.key -CAserial $SSL_DIR/${CA_NAME}/serial -CAcreateserial -out ${USERS_DIR}/${USERNAME}.crt -passin pass:${CA_PASS}

echo "making p12 file"
#browsers need P12s (contain key and cert)
openssl pkcs12 -export -clcerts -in ${USERS_DIR}/${USERNAME}.crt -inkey ${USERS_DIR}/${USERNAME}.key -out ${USERS_DIR}/${USERNAME}.p12 -passin pass:${CERT_PASS} -passout pass:${CERT_PASS}

echo "made ${USERS_DIR}/${USERNAME}.p12"
echo "Certificate serial number:"
openssl x509 -in ${USERS_DIR}/${USERNAME}.crt -serial -noout