| -rwxr-xr-x | tools/generate_certificate.sh | 36 |
1 files changed, 32 insertions, 4 deletions
diff --git a/tools/generate_certificate.sh b/tools/generate_certificate.sh
index 18061f7..8b963de 100755
--- a/tools/generate_certificate.sh
+++ b/tools/generate_certificate.sh
@@ -8,6 +8,9 @@
 # $2 name — identity name (e.g. "ServerLDS", "Client")
 # $3 uri — (optional) application URI; defaults to urn:localhost:bobink:<name>
 #
+# Options:
+# -p <passphrase> — encrypt the private key with the given passphrase
+#
 # Produces:
 # <certs_dir>/<name>_cert.der — DER-encoded X.509 certificate
 # <certs_dir>/<name>_cert.pem — PEM-encoded X.509 certificate
@@ -17,8 +20,20 @@
 set -euo pipefail
 # Fail fast; no unset vars; catch pipe failures.
 
+passphrase=""
+while getopts "p:" opt; do
+case "$opt" in
+p) passphrase="$OPTARG" ;;
+*)
+echo "Usage: generate_certificate.sh [-p passphrase] <certs_dir> <name> [uri]" >&2
+exit 1
+;;
+esac
+done
+shift $((OPTIND - 1))
+
 if [ $# -lt 2 ] || [ $# -gt 3 ]; then
-echo "Usage: generate_certificate.sh <certs_dir> <name> [uri]" >&2
+echo "Usage: generate_certificate.sh [-p passphrase] <certs_dir> <name> [uri]" >&2
 exit 1
 fi
 
@@ -51,7 +66,13 @@ extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = DNS:localhost, URI:${uri}
 EOF
 
-openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
+if [ -n "$passphrase" ]; then
+pass_args=(-passout "pass:$passphrase")
+else
+pass_args=(-nodes)
+fi
+
+openssl req -x509 -newkey rsa:2048 "${pass_args[@]}" -sha256 \
 -days 365 \
 -config "$cnf" \
 -keyout "$certs_dir/${name}_key.pem" \
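Review bot: An empty value for `-p` is accepted by the new getopts loop, and because the later branches test `[ -n "$passphrase" ]`, `-p ""` silently falls back to `-nodes` and writes an unencrypted key although the caller asked for encryption. Reject it where the option is parsed: `p) [ -n "$OPTARG" ] || { echo "error: -p requires a non-empty passphrase" >&2; exit 1; }; passphrase=$OPTARG ;;`. The usage string is now duplicated between the `*)` arm and the argument-count check below it; a small `usage()` helper that prints it and exits keeps the two copies from drifting apart.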
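Review bot: `pass_args=(-passout "pass:$passphrase")` places the key passphrase on the openssl command line, where it is readable by any local user in the process list for as long as openssl runs and is echoed verbatim by `set -x` or `bash -x`; the same applies to the `-passin`/`-passout "pass:..."` arguments in the later pkcs8 hunk and, upstream, to the script's own `-p` argument. OpenSSL accepts pass phrase sources other than `pass:`, so exporting the value and using the environment form keeps it out of argv: `export CERT_PASSPHRASE="$passphrase"` (name illustrative) followed by `pass_args=(-passout env:CERT_PASSPHRASE)`, with `-passin env:CERT_PASSPHRASE -passout env:CERT_PASSPHRASE` in the pkcs8 call. Letting callers supply the passphrase through that environment variable, or reading it from stdin, instead of `-p` would close the remaining exposure in the script's own arguments. The `openssl req` command continues past the end of the hunk.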
@@ -60,8 +81,15 @@ openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
 openssl x509 -in "$certs_dir/${name}_cert.pem" -outform der \
 -out "$certs_dir/${name}_cert.der"
 
-openssl rsa -in "$certs_dir/${name}_key.pem" -outform der \
- -out "$certs_dir/${name}_key.der" 2>/dev/null
+
+if [ -n "$passphrase" ]; then
+openssl pkcs8 -topk8 -in "$certs_dir/${name}_key.pem" -outform der \
+-out "$certs_dir/${name}_key.der" \
+-passin "pass:$passphrase" -passout "pass:$passphrase"
+else
+openssl rsa -in "$certs_dir/${name}_key.pem" -outform der \
+-out "$certs_dir/${name}_key.der" 2>/dev/null
+fi
 
 echo "Generated certificate '$name' (CN=$cn, URI=$uri):"
 echo " $certs_dir/${name}_cert.der"
|
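Review bot: The two branches write `${name}_key.der` in different encodings — `openssl pkcs8 -topk8` with `-passout` emits an encrypted PKCS#8 structure, while `openssl rsa -outform der` emits an unencrypted private key whose exact framing depends on the OpenSSL version — so every consumer of the DER key now has to detect which variant it was handed, and nothing in the visible hunks records that. The header's "Produces:" list presumably names `<name>_key.der` (that part is outside the hunks); it should say something like `# <certs_dir>/<name>_key.der — DER private key (encrypted PKCS#8 when -p is given)`. The `2>/dev/null` kept on the unencrypted branch also hides openssl's diagnostics on failure while the pkcs8 branch shows them; under `set -e` the exit still aborts the script but the reason is lost, so either drop the redirection or apply the same treatment to both branches. The trailing `echo` lines continue beyond the hunk.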
