Merge pull request #1 from Schm1tz1/csr-only-mode

CSR only mode added for external CA services preparation
Schm1tz1 · Aug 13, 2023 · 93c4bbf · 93c4bbf
2 parents c522cd0 + 1e9c01a
commit 93c4bbf
Show file tree

Hide file tree

Showing 11 changed files with 81 additions and 45 deletions.
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
-### OpenSSL-based Certificate Creation in Docker
-This repo is used to create certificates by a trusted CA (either provided or generated here). Configuration will be completely done based on a Jinja2-template and a host configuration in YAML or JSON that is used for the certificate creation. Several key types, Java trust-/keystores will be created automatically in addition.
+### OpenSSL-based Certificate Preparation / Creation in Docker
+This repo is used to prepare (for signing with an external CA service) or create certificates by a trusted CA (either provided or generated in the same step). Configuration will be completely done based on a Jinja2-template and a host configuration in YAML or JSON that is used for the certificate creation. Several key types, Java trust-/keystores will be created automatically in addition.
 
 We are using a Docker-based approach to ensure that the correct versions are used (e.g. JDK 11, OpenSSL 3).
 
@@ -94,11 +94,12 @@ schmitzi/openssl-alpine-j11:1.0.0
 
 | Variable | Description | Default |
 |---|---|---|
+| PREPARE_CSR_ONLY  | Create private key and CSR only instead on generating the full certificates. This is iseful when preparing a CSR for external (paid) certificate services that require you to provide a CSR and will return the signed certificate. Valid values: yes/no | no |
 | PASSWD  | Password for keystores / containers | changeme! |
 | DAYS_CA | Validity for CA in days | 3650 |
 | DAYS | Validity for certificates in days | 389 |
 
-* Please note: Only new certificates will be created in th existing directory - if a .crt file exists already, it will not be overwritten !
+* Please note: Only new certificates will be created in the existing directory - if a .csr file exists already, it will not be overwritten !
 * How to provide an existing CA - simply put the following files in your certificate/output directory
     * `ca-root.crt`: certificate im PEM format
     * `ca-root.key`: private key (preferrably unencrypted)

diff --git a/build_docker_image.sh b/build_docker_image.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-docker build ./scripts -t schmitzi/openssl-alpine-j11:1.1.0 -f Dockerfile
+docker build ./scripts -t schmitzi/openssl-alpine-j11:1.2.0 -f Dockerfile
diff --git a/examples/confluent-platform/run_cp.sh b/examples/confluent-platform/run_cp.sh
@@ -4,4 +4,4 @@ docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
 -v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
 -v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.1.0
+schmitzi/openssl-alpine-j11:1.2.0
diff --git a/examples/csr-test/README.md b/examples/csr-test/README.md
@@ -0,0 +1,2 @@
+This is a simple example creating a CSR as a demonstration. 
+Run with `./run_test_yaml.sh` for YAML input and take a look at the resulting output in `certs/`.
diff --git a/examples/csr-test/certs/README.md b/examples/csr-test/certs/README.md
@@ -0,0 +1 @@
+This is where the configurations and certificates are stored.
diff --git a/examples/csr-test/hosts.yml b/examples/csr-test/hosts.yml
@@ -0,0 +1,16 @@
+global:
+  country: DE
+  org: My Org
+  locality: Berlin
+certs:
+  - fileName: test
+    CN: me.at.home
+    CN_as_SAN: "false"
+    CA: "false"
+    SANs:
+      - name: me
+      - name: me.at
+      - ip: 10.0.0.1
+  - CN: me.at.home
+    SANs:
+      - name: me.at
diff --git a/examples/csr-test/run_test_yaml.sh b/examples/csr-test/run_test_yaml.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+docker run --rm \
+-e PREPARE_CSR_ONLY=yes \
+-e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
+-v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
+-v $(pwd)/certs:/opt/certs/current \
+schmitzi/openssl-alpine-j11:1.2.0
diff --git a/examples/test/run_test_json.sh b/examples/test/run_test_json.sh
@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
+-v $(pwd)/hosts.json:/opt/certs/hosts.txt \
 -v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.1.0
+schmitzi/openssl-alpine-j11:1.2.0
diff --git a/examples/test/run_test_yaml.sh b/examples/test/run_test_yaml.sh
@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.json:/opt/certs/hosts.txt \
+-v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
 -v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.1.0
+schmitzi/openssl-alpine-j11:1.2.0
diff --git a/scripts/gen_ca.sh b/scripts/gen_ca.sh
@@ -3,17 +3,21 @@
 [[ -z "${PASSWD}" ]] && echo "No keystore password PASSWD provided - using default 'changeme!'" && PASSWD="changeme!"
 [[ -z "${DAYS_CA}" ]] && echo "No validity for CA (DAYS_CA) provided - using default 3650" && DAYS_CA="3650"
 
-# Generate Root CA certificates and concatenate to PEM
-openssl req -new -nodes -x509 -days ${DAYS_CA} -newkey rsa:2048 -keyout current/ca-root.key -out current/ca-root.crt -config current/ca-root.cnf
-cat current/ca-root.crt current/ca-root.key > current/ca-root.pem
+if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
+    # Generate Root CA certificates and concatenate to PEM
+    openssl req -new -nodes -x509 -days ${DAYS_CA} -newkey rsa:2048 -keyout current/ca-root.key -out current/ca-root.crt -config current/ca-root.cnf
+    cat current/ca-root.crt current/ca-root.key > current/ca-root.pem
 
-# show certificate
-echo
-echo "############################"
-echo "Created CA:"
-openssl x509 -in current/ca-root.crt -text
+    # show certificate
+    echo
+    echo "############################"
+    echo "Created CA:"
+    openssl x509 -in current/ca-root.crt -text
 
-# Create truststore
-keytool -keystore current/truststore.jks -alias CARoot \
--import -file current/ca-root.crt \
--storepass ${PASSWD} -noprompt -storetype PKCS12
+    # Create truststore
+    keytool -keystore current/truststore.jks -alias CARoot \
+    -import -file current/ca-root.crt \
+    -storepass ${PASSWD} -noprompt -storetype PKCS12
+else
+    echo "Skipping CA generation as it is not required for CSR creation..."
+fi
diff --git a/scripts/gen_new_certs.sh b/scripts/gen_new_certs.sh
@@ -8,31 +8,35 @@ ROOTCA="ca-root"
 
 for i in ${CERTDIR}/*.cnf; do
   CERTNAME=${i%.*}
-  if [ "${CERTNAME}" == "${CERTDIR}/${ROOTCA}" ] || [ -e "${CERTNAME}".crt ] ; then continue; fi
-  echo "Generating new certificate '${CERTNAME}' ..."
+  if [ "${CERTNAME}" == "${CERTDIR}/${ROOTCA}" ] || [ -e "${CERTNAME}".csr ] ; then continue; fi
 
+  echo "Generating new private key and CSR for '${CERTNAME}' ..."
   openssl req -new -newkey rsa:2048 -keyout ${CERTNAME}.key -out ${CERTNAME}.csr -config ${CERTNAME}.cnf -nodes
-  openssl x509 -req -days ${DAYS} -in ${CERTNAME}.csr -CA ${CERTDIR}/${ROOTCA}.crt -CAkey ${CERTDIR}/${ROOTCA}.key -CAcreateserial -out ${CERTNAME}.crt -extfile ${CERTNAME}.cnf -extensions v3_req
-
-  # show certificate
-  echo
-  echo "############################"
-  echo "Created Certificate:"
-  openssl x509 -in ${CERTNAME}.crt -text -subject -issuer
-
-  # Create PEM output required by some services
-  openssl pkcs12 -export -in ${CERTNAME}.crt -inkey ${CERTNAME}.key \
-  -chain -CAfile ${CERTDIR}/${ROOTCA}.pem \
-  -name $(echo ${i%.*} | cut -d '/' -f2) -out ${CERTNAME}.p12 -password pass:${PASSWD}
-
-  openssl pkcs12 -in ${CERTNAME}.p12 -out ${CERTNAME}.pem -passin pass:${PASSWD} -passout pass:${PASSWD}
-
-  # Create Java Key Store
-  keytool -importkeystore -deststorepass ${PASSWD} -destkeystore ${CERTNAME}.keystore.jks \
-    -srckeystore ${CERTNAME}.p12 \
-    -deststoretype PKCS12  \
-    -srcstoretype PKCS12 \
-    -noprompt \
-    -srcstorepass ${PASSWD}
+
+  if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
+    echo "Generating new certificate for'${CERTNAME}' ..."
+    openssl x509 -req -days ${DAYS} -in ${CERTNAME}.csr -CA ${CERTDIR}/${ROOTCA}.crt -CAkey ${CERTDIR}/${ROOTCA}.key -CAcreateserial -out ${CERTNAME}.crt -extfile ${CERTNAME}.cnf -extensions v3_req
+
+    # show certificate
+    echo
+    echo "############################"
+    echo "Created Certificate:"
+    openssl x509 -in ${CERTNAME}.crt -text -subject -issuer
+
+    # Create PEM output required by some services
+    openssl pkcs12 -export -in ${CERTNAME}.crt -inkey ${CERTNAME}.key \
+    -chain -CAfile ${CERTDIR}/${ROOTCA}.pem \
+    -name $(echo ${i%.*} | cut -d '/' -f2) -out ${CERTNAME}.p12 -password pass:${PASSWD}
+
+    openssl pkcs12 -in ${CERTNAME}.p12 -out ${CERTNAME}.pem -passin pass:${PASSWD} -passout pass:${PASSWD}
+
+    # Create Java Key Store
+    keytool -importkeystore -deststorepass ${PASSWD} -destkeystore ${CERTNAME}.keystore.jks \
+      -srckeystore ${CERTNAME}.p12 \
+      -deststoretype PKCS12  \
+      -srcstoretype PKCS12 \
+      -noprompt \
+      -srcstorepass ${PASSWD}
+  fi
 
 done
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		This is a simple example creating a CSR as a demonstration.
		Run with `./run_test_yaml.sh` for YAML input and take a look at the resulting output in `certs/`.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		This is where the configurations and certificates are stored.