77 lines
2.1 KiB
Bash
77 lines
2.1 KiB
Bash
#!/bin/sh
|
|
|
|
mkdir certs certs_by_serial private &&
|
|
chmod 700 private &&
|
|
echo 01 > ./serial &&
|
|
touch ./index.txt &&
|
|
cat >./openssl.conf <<EOF
|
|
[ ca ]
|
|
default_ca = telegraf_ca
|
|
|
|
[ telegraf_ca ]
|
|
certificate = ./certs/cacert.pem
|
|
database = ./index.txt
|
|
new_certs_dir = ./certs_by_serial
|
|
private_key = ./private/cakey.pem
|
|
serial = ./serial
|
|
|
|
default_crl_days = 3650
|
|
default_days = 3650
|
|
default_md = sha256
|
|
|
|
policy = telegraf_ca_policy
|
|
x509_extensions = certificate_extensions
|
|
|
|
[ telegraf_ca_policy ]
|
|
commonName = supplied
|
|
|
|
[ certificate_extensions ]
|
|
basicConstraints = CA:false
|
|
|
|
[ req ]
|
|
default_bits = 1024
|
|
default_keyfile = ./private/cakey.pem
|
|
default_md = sha256
|
|
prompt = yes
|
|
distinguished_name = root_ca_distinguished_name
|
|
x509_extensions = root_ca_extensions
|
|
|
|
[ root_ca_distinguished_name ]
|
|
commonName = hostname
|
|
|
|
[ root_ca_extensions ]
|
|
basicConstraints = CA:true
|
|
keyUsage = keyCertSign, cRLSign
|
|
|
|
[ client_ca_extensions ]
|
|
basicConstraints = CA:false
|
|
keyUsage = digitalSignature
|
|
subjectAltName = @client_alt_names
|
|
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
|
|
|
|
[ client_alt_names ]
|
|
DNS.1 = localhost
|
|
IP.1 = 127.0.0.1
|
|
|
|
[ server_ca_extensions ]
|
|
basicConstraints = CA:false
|
|
subjectAltName = @server_alt_names
|
|
keyUsage = keyEncipherment, digitalSignature
|
|
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
|
|
|
|
[ server_alt_names ]
|
|
DNS.1 = localhost
|
|
IP.1 = 127.0.0.1
|
|
EOF
|
|
openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf Test CA/" -nodes &&
|
|
|
|
# Create server keypair
|
|
openssl genrsa -out ./private/serverkey.pem 1024 &&
|
|
openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=server.localdomain/O=server/" &&
|
|
openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions &&
|
|
|
|
# Create client keypair
|
|
openssl genrsa -out ./private/clientkey.pem 1024 &&
|
|
openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=client.localdomain/O=client/" &&
|
|
openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions
|