ca.info

Let’s break down what this script does in detail. The script is named ca.sh, authored by GJS (homelab-alpha), and its purpose is to facilitate the setup and management of an Intermediate Certificate Authority (CA). The script defines directory paths, renews database serial numbers, generates ECDSA keys, creates Certificate Signing Requests (CSRs), issues the intermediate certificate, and verifies the intermediate CA chain bundle. It ensures the validity and integrity of the generated keys, CSRs, and certificates.

Script Metadata link

• Filename: ca.sh
• Author: GJS (homelab-alpha)
• Date: February 20, 2025
• Version: 2.6.3
• Description: This script manages an Intermediate Certificate Authority, handling key generation, CSR creation, certificate issuance, and verification processes.
• RAW Script: ca.sh

Detailed Explanation link

Before diving into the script, it’s important to know that the script will stop execution on any error using the following line:

set -e

Functions link

1. print_cyan: This function is used to print text in cyan color for better readability in the terminal.

   print_cyan() {
     echo -e "\e[36m$1\e[0m"
   }
   
   

2. generate_random_hex: This function generates a random hexadecimal value, which is used for serial numbers and CRL numbers.

   generate_random_hex() {
     openssl rand -hex 16 || return 1
   }
   
   

3. print_section_header: This function prints section headers in cyan to clearly delineate different parts of the script.

   print_section_header() {
     echo ""
     print_cyan "=== $1 ==="
   }
   
   

4. check_success: This function checks the success of the last command and exits the script if the command failed.

   check_success() {
     if [ $? -ne 0 ]; then
       echo "[ERROR] $1" >&2
       exit 1
     fi
   }

Main Script Execution link

Define Directory Paths link

The script defines necessary directory paths for the Intermediate Certificate Authority components.

print_section_header "Define directory paths"
base_dir="$HOME/ssl"
certs_dir="$base_dir/certs"
csr_dir="$base_dir/csr"
private_dir="$base_dir/private"
db_dir="$base_dir/db"
openssl_conf_dir="$base_dir/openssl.cnf"

The following directories are specifically defined for the Intermediate Certificate Authority components:

certs_root_dir="$certs_dir/root"
certs_intermediate_dir="$certs_dir/intermediate"
private_intermediate_dir="$private_dir/intermediate"

Renew Database Serial Numbers and CRL link

The script renews database serial numbers and CRL by generating random hexadecimal values and writing them to the respective files.

print_section_header "Renew db numbers (serial and CRL)"
for type in "serial" "crlnumber"; do
  for dir in $db_dir; do
    generate_random_hex >"$dir/$type" || check_success "Failed to generate $type for $dir"
  done
done

Check if Unique Subject and Intermediate Certificate Authority Exists link

The script checks whether the unique_subject flag is set to yes in the index.txt.attr file, and whether the Intermediate Certificate Authority (ca.pem) already exists.

unique_subject="no"
if grep -q "^unique_subject\s*=\s*yes" "$db_dir/index.txt.attr" 2>/dev/null; then
  unique_subject="yes"
fi

ca_path="$certs_intermediate_dir/ca.pem"
ca_exists=false
if [[ -f "$ca_path" ]]; then
  ca_exists=true
fi

If unique_subject is enabled and the Intermediate Certificate Authority exists, the script stops and reports an error. If not, it prompts the user for confirmation before overwriting the Intermediate Certificate Authority.

if [[ "$unique_subject" == "yes" && "$ca_exists" == "true" ]]; then
  echo "[ERROR] unique_subject is enabled and Intermediate Certificate Authority already exists." >&2
  exit 1
fi

if [[ "$unique_subject" == "no" && -f "$ca_path" ]]; then
  print_section_header "⚠️  WARNING: Overwriting Intermediate Certificate Authority"

  echo "[WARNING] Intermediate Certificate Authority already exists and will be OVERWRITTEN!" >&2
  echo "[WARNING] This action will require REGENERATING ALL ISSUED CERTIFICATES!" >&2
  echo "[WARNING] If you continue, all issued certificates will become INVALID!" >&2

  read -r -p "Do you want to continue? (yes/no): " confirm
  if [[ "$confirm" != "yes" ]]; then
    echo "[INFO] Operation aborted by user." >&2
    exit 1
  fi
fi

Generate ECDSA Key link

The script generates an ECDSA key for the Intermediate Certificate Authority using the secp384r1 curve and saves it to the private directory.

print_section_header "Generate ECDSA key"
openssl ecparam -name secp384r1 -genkey -out "$private_intermediate_dir/ca.pem"
check_success "Failed to generate ECDSA key"

Generate Certificate Signing Request (CSR) link

A CSR for the Intermediate Certificate Authority is generated using the generated ECDSA key.

print_section_header "Generate Certificate Signing Request"
openssl req -new -sha384 -config "$openssl_conf_dir/ca.cnf" -key "$private_intermediate_dir/ca.pem" -out "$csr_dir/ca.pem"
check_success "Failed to generate Certificate Signing Request"

Generate Intermediate Certificate Authority link

The Intermediate Certificate Authority is generated and signed for a validity of 1826 days (5 years).

print_section_header "Generate Intermediate Certificate Authority"
openssl ca -config "$openssl_conf_dir/ca.cnf" -extensions v3_intermediate_ca -notext -batch -in "$csr_dir/ca.pem" -days 1826 -out "$certs_intermediate_dir/ca.pem"
check_success "Failed to generate Intermediate Certificate Authority"

Create Intermediate Certificate Authority Chain Bundle link

The Intermediate Certificate Authority and Root Certificate Authority are concatenated into a chain bundle.

print_section_header "Create Intermediate Certificate Authority Chain Bundle"
cat "$certs_intermediate_dir/ca.pem" "$certs_root_dir/root_ca_chain_bundle.pem" >"$certs_intermediate_dir/ca_chain_bundle.pem"
check_success "Failed to create Intermediate Certificate Authority Chain Bundle"

Verify Certificates link

The script verifies the integrity of the certificates using openssl verify.

print_section_header "Verify Certificates"
verify_certificate() {
  openssl verify -CAfile "$1" "$2"
  check_success "Verification failed for $2"
}

verify_certificate "$certs_intermediate_dir/ca_chain_bundle.pem" "$certs_intermediate_dir/ca.pem"
verify_certificate "$certs_root_dir/root_ca_chain_bundle.pem" "$certs_intermediate_dir/ca.pem"
verify_certificate "$certs_root_dir/root_ca_chain_bundle.pem" "$certs_intermediate_dir/ca_chain_bundle.pem"

Convert Certificate from PEM to CRT Format link

The Intermediate Certificate Authority and chain bundle are converted from PEM to CRT format.

print_section_header "Convert Intermediate Certificate Authority from .pem to .crt"
cp "$certs_intermediate_dir/ca.pem" "$certs_intermediate_dir/ca.crt"
cp "$certs_intermediate_dir/ca_chain_bundle.pem" "$certs_intermediate_dir/ca_chain_bundle.crt"
check_success "Failed to convert Intermediate Certificate Authority from .pem to .crt"
echo
print_cyan "--> ca.crt"
print_cyan "--> ca_chain_bundle.crt"

Script Completion Message link

The script prints a completion message when the process is successfully completed.

echo
print_cyan "Intermediate Certificate Authority process successfully completed."

Exit link

The script exits with a success code (0).

exit 0

Conclusion link

This comprehensive script ensures that every step in setting up and managing an Intermediate Certificate Authority is performed correctly and securely, from key generation to certificate verification.