Automate bootstrap with use of passfile

8465f797 · Raymond Kristiansen · 08dbd7f0 · 8465f797 · 8465f797 · 8465f797
Commit 8465f797 authored Aug 09, 2016 by Raymond Kristiansen
--- a/bootstrap.sh
+++ b/bootstrap.sh
 #!/bin/bash

+if [ ! -f "./passfile" ]; then
+  echo "Please create a file called ./passfile with a secure password"
+  exit 1
+fi
+
 mkdir -p certs crl newcerts private
 chmod 700 private
 touch index.txt
 echo 1000 > serial


-openssl genrsa -aes256 -out private/ca.key.pem 4096
+openssl genrsa -aes256 -passout file:passfile -out private/ca.key.pem 4096
 chmod 400 private/ca.key.pem

 openssl req -config openssl.cnf \
-      -key private/ca.key.pem \
+      -key private/ca.key.pem -passin file:passfile -batch \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem


--- a/create_intermediate.sh
+++ b/create_intermediate.sh
 #!/bin/bash

+if [ ! -f "./passfile" ]; then
+  echo "Please create a file called ./passfile with a secure password"
+  exit 1
+fi
+
+
 # Generate intermediate key
-openssl genrsa -aes256 \
+openssl genrsa -aes256 -passout file:passfile \
        -out intermediate/private/intermediate.key.pem 4096
 chmod 400 intermediate/private/intermediate.key.pem

 # Generate intermediate cert request
 openssl req -config intermediate/openssl.cnf -new -sha256 \
+    -passin file:passfile \
    -key intermediate/private/intermediate.key.pem \
    -out intermediate/csr/intermediate.csr.pem

 # Sign with root ca
 openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
-    -days 3650 -notext -md sha256 \
+    -days 3650 -notext -md sha256 -passin file:passfile \
    -in intermediate/csr/intermediate.csr.pem \
    -out intermediate/certs/intermediate.cert.pem


--- a/intermediate/openssl.cnf
+++ b/intermediate/openssl.cnf
@@ -74,19 +74,14 @@ x509_extensions     = v3_ca
 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
 countryName                     = Country Name (2 letter code)
 stateOrProvinceName             = State or Province Name
-localityName                    = Locality Name
 0.organizationName              = Organization Name
-organizationalUnitName          = Organizational Unit Name
 commonName                      = Common Name
-emailAddress                    = Email Address

 # Optionally, specify some defaults.
 countryName_default             = NO
 stateOrProvinceName_default     = Norway
-localityName_default            =
 0.organizationName_default      = UH-IaaS
-organizationalUnitName_default  =
-emailAddress_default            =
+commonName_default              = Intermediate CA

 [ v3_ca ]
 # Extensions for a typical CA (`man x509v3_config`).

--- a/openssl.cnf
+++ b/openssl.cnf
@@ -72,19 +72,14 @@ x509_extensions     = v3_ca
 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
 countryName                     = Country Name (2 letter code)
 stateOrProvinceName             = State or Province Name
-localityName                    = Locality Name
 0.organizationName              = Organization Name
-organizationalUnitName          = Organizational Unit Name
 commonName                      = Common Name
-emailAddress                    = Email Address

 # Optionally, specify some defaults.
 countryName_default             = NO
 stateOrProvinceName_default     = Norway
-localityName_default            = 
 0.organizationName_default      = UH-IaaS
-organizationalUnitName_default  =
-emailAddress_default            =
+commonName_default              = Root CA

 [ v3_ca ]
 # Extensions for a typical CA (`man x509v3_config`).