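#!/bin/bash
# make_CA.sh — build a test CA with easy-rsa (version 2 layout: build-ca,
# build-key-server) and issue a server certificate for the LDAP host, then
# export the CA certificate, server certificate and server key as PEM files
# for slapd into ./certs.
#
# Run it from the directory that should receive ./easy-rsa and ./certs.
# Needs root (or sudo) when the easy-rsa package is not installed yet, and a
# Debian-like system that ships the version 2 scripts in /usr/share/easy-rsa.
set -eo pipefail
# NOTE(review): `set -u` is deliberately left out because ./vars (sourced
# below) is a third-party file that may reference unset variables.

SLAPKEYNAME="slapd"
PEM_PATH="keys/pem"          # relative to easy-rsa/, the cwd after the cd below
CERT_PATH="$(pwd)/certs"     # absolute, so it stays valid after the cd below
DOMAIN="testunical.it"
SERVER_FQDN="ldap.$DOMAIN"
export SLAPKEYNAME PEM_PATH CERT_PATH DOMAIN SERVER_FQDN

# Install easy-rsa only when it is missing, so re-runs do not need root.
[[ -d /usr/share/easy-rsa ]] || apt install easy-rsa

# easy-rsa is a directory: a plain `rm -f` cannot remove it, so a second run
# would merge into a stale copy. Remove the whole tree before copying afresh.
rm -rf -- easy-rsa
cp -Rp /usr/share/easy-rsa/ .
cd easy-rsa || exit 1

# Link the easy-rsa OpenSSL config defaults (-f keeps re-runs idempotent).
# You can also edit it to change issuer information and remove easy-rsa messages.
# Original author's note: this config "won't work with CommonName".
ln -sf openssl-1.0.0.cnf openssl.cnf
# Alternative: use the system openssl config (needs more customization):
# cp /etc/ssl/openssl.cnf openssl.cnf
# sed -i '1s/^/# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*\n/' openssl.cnf

# Customize the information in the vars file (or override it later with env VARs).
# Remember to configure "Common Name (your server's hostname)" in your certs
# so clients do not fail with "does not match common name in certificate".
#nano vars
# then source it
. ./vars

# Override the vars defaults for a quick, non-interactive-friendly run.
export KEY_ALTNAMES="$SERVER_FQDN"
export KEY_OU="$SERVER_FQDN"
export KEY_NAME="$SERVER_FQDN"
export KEY_CN="$SERVER_FQDN"
export KEY_COUNTRY="IT"
export KEY_PROVINCE="CS"
export KEY_CITY="Cosenza"
export KEY_ORG="$DOMAIN"
export KEY_EMAIL="me@$DOMAIN"

./clean-all
./build-ca
#./build-dh
./build-key-server "$SERVER_FQDN"

mkdir -p -- "$PEM_PATH"
openssl x509 -inform PEM -in keys/ca.crt > "$PEM_PATH/slapd-cacert.pem"
openssl x509 -inform PEM -in "keys/$SERVER_FQDN.crt" > "$PEM_PATH/$SLAPKEYNAME-cert.pem"
# Private key: create the file with mode 0600 from the start (the subshell
# keeps the umask change local). `-text` also dumps the key components in
# clear text into the same file; slapd only needs the PEM part.
( umask 077; openssl rsa -in "keys/$SERVER_FQDN.key" -text > "$PEM_PATH/$SLAPKEYNAME-key.pem" )

mkdir -p -- "$CERT_PATH"
cp -- "$PEM_PATH/slapd-cacert.pem" "$CERT_PATH/"
cp -- "$PEM_PATH/$SLAPKEYNAME-cert.pem" "$CERT_PATH/"
# install(1) instead of cp so the copied key is 0600 even when a more
# permissive copy already exists at the destination.
install -m 0600 -- "$PEM_PATH/$SLAPKEYNAME-key.pem" "$CERT_PATH/$SLAPKEYNAME-key.pem"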