Let’s walk through the script cert_ecdsa_client.sh, which is designed to create an ECDSA client certificate. This script handles the generation of the private key, creation of the Certificate Signing Request (CSR), issuance of the certificate, creation of an extension file, bundling the certificate with an intermediate CA chain, and verifying the certificate and its chain bundle. It also copies the certificate and key to file extensions expected by various applications.

Here’s a detailed explanation:

Script Metadata

  • Filename: cert_ecdsa_client.sh
  • Author: GJS (homelab-alpha)
  • Date: June 9, 2024
  • Version: 1.0.1
  • Description: This script automates the generation of an ECDSA client certificate, including key creation, CSR generation, certificate issuance, and verification.
  • RAW Script: cert_ecdsa_client.sh

Detailed Explanation

Functions

  1. print_cyan: This function prints text in cyan color for better readability in the terminal.

    print_cyan() {
      echo -e "\e[36m$1\e[0m" # \e[36m sets text color to cyan, \e[0m resets it
    }
    

  2. generate_random_hex: This function generates a random hexadecimal value, which is used for serial numbers and CRL numbers.

    generate_random_hex() {
      openssl rand -hex 16
    }
    

  3. print_section_header: This function prints section headers in cyan to clearly delineate different parts of the script.

    print_section_header() {
      echo ""
      echo ""
      echo -e "$(print_cyan "=== $1 === ")"
    }
    

Main Script Execution

Prompt for Certificate Information

The script prompts the user for the certificate name and FQDN.

read -r -p "$(print_cyan "Enter the name of the new certificate: ")" file_name
read -r -p "$(print_cyan "Enter the FQDN name of the new certificate: ")" fqdn

Define Directory Paths

It defines the necessary directory paths for storing SSL files and certificates.

print_section_header "Define directory paths"
ssl_dir="$HOME/ssl"
certificates_dir="$ssl_dir/certificates"
intermediate_dir="$ssl_dir/intermediate"

Renew Database Serial Numbers

The script renews database serial numbers by generating random hex values and writing them to the respective serial files for the root, intermediate, and TSA directories.

print_section_header "Renew db serial numbers"
for dir in "$ssl_dir/root/db" "$intermediate_dir/db" "$ssl_dir/tsa/db"; do
  generate_random_hex >"$dir/serial"
done
generate_random_hex >"$ssl_dir/root/db/crlnumber"
generate_random_hex >"$intermediate_dir/db/crlnumber"

Generate ECDSA Key

It generates an ECDSA key using the secp384r1 curve and saves it to the private directory for the client certificate.

print_section_header "Generate ECDSA key"
openssl ecparam -name secp384r1 -genkey -out "$certificates_dir/private/${file_name}.pem"

Generate Certificate Signing Request (CSR)

The script creates a CSR for the client certificate using the generated ECDSA key and a configuration file.

print_section_header "Generate Certificate Signing Request (CSR)"
openssl req -new -sha384 -config "$certificates_dir/cert.cnf" -key "$certificates_dir/private/${file_name}.pem" -out "$certificates_dir/csr/${file_name}.pem"

Create an Extfile with All the Alternative Names

It creates an extfile with parameters for the client certificate, such as key usage and extended key usage.

print_section_header "Create an extfile with all the alternative names"
# Write (not append) the extension file, so re-running the script for the same
# name does not leave duplicate extension lines behind for openssl ca to choke on.
{
  echo "basicConstraints = critical, CA:FALSE"            # leaf certificate, never a CA
  echo "keyUsage = critical, digitalSignature"            # signing only, no key encipherment
  echo "extendedKeyUsage = clientAuth, emailProtection"   # TLS client auth and S/MIME
  echo "nsCertType = client, email"
  echo "nsComment = OpenSSL Generated Client Certificate"
} >"$certificates_dir/extfile/${file_name}.cnf"

Generate Certificate

The script issues the certificate based on the CSR and extfile. No -days option is passed, so the validity period is taken from cert.cnf (the default_days setting used by openssl ca).

print_section_header "Generate Certificate"
openssl ca -config "$certificates_dir/cert.cnf" -notext -batch -in "$certificates_dir/csr/${file_name}.pem" -out "$certificates_dir/certs/${file_name}.pem" -extfile "$certificates_dir/extfile/${file_name}.cnf"

Create Certificate Chain Bundle

It creates a certificate chain bundle by concatenating the client certificate and the intermediate CA chain bundle.

print_section_header "Create Certificate Chain Bundle"
cat "$certificates_dir/certs/${file_name}.pem" "$intermediate_dir/certs/ca_chain_bundle.pem" >"$certificates_dir/certs/${file_name}_chain_bundle.pem"

Verification Steps

The script performs several verification steps to ensure the integrity and correctness of the certificates and keys.

  1. Verify Certificate against the Certificate Chain Bundle

    print_section_header "Verify ${file_name} Certificate against the ${file_name} Certificate Chain Bundle"
    openssl verify -CAfile "$certificates_dir/certs/${file_name}_chain_bundle.pem" "$certificates_dir/certs/${file_name}.pem"
    

  2. Verify Certificate against the Intermediate Certificate Authority Chain Bundle

    print_section_header "Verify ${file_name} Certificate against the Intermediate Certificate Authority Chain Bundle"
    openssl verify -CAfile "$intermediate_dir/certs/ca_chain_bundle.pem" "$certificates_dir/certs/${file_name}.pem"
    

  3. Verify Certificate Chain Bundle against the Intermediate Certificate Authority Chain Bundle

    print_section_header "Verify ${file_name} Certificate Chain Bundle against the Intermediate Certificate Authority Chain Bundle"
    openssl verify -CAfile "$intermediate_dir/certs/ca_chain_bundle.pem" "$certificates_dir/certs/${file_name}_chain_bundle.pem"
    

Check Generated Files

The script includes steps to check the private key, CSR, client certificate, and the chain bundle to verify their contents.

  1. Check Private Key

    print_section_header "Check Private Key"
    openssl ecparam -in "$certificates_dir/private/${file_name}.pem" -text -noout
    

  2. Check CSR

    print_section_header "Check Certificate Signing Request (CSR)"
    openssl req -text -noout -verify -in "$certificates_dir/csr/${file_name}.pem"
    

  3. Check Certificate

    print_section_header "Check Certificate"
    openssl x509 -in "$certificates_dir/certs/${file_name}.pem" -text -noout
    

  4. Check Certificate Chain Bundle

    print_section_header "Check Certificate Chain Bundle"
    openssl x509 -in "$certificates_dir/certs/${file_name}_chain_bundle.pem" -text -noout
    
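As an added example (not code from cert_ecdsa_client.sh or the homelab-alpha project), these POSIX shell functions tighten the verification and check steps above: `openssl x509 -in` on the chain bundle decodes only its first certificate, so `list_bundle` walks every PEM block, and `check_client_cert` confirms that the leaf carries the extensions the extfile requested, that the private key matches it, and that it validates for the client purpose. All paths are arguments; the script's directory layout is assumed.

```shell
#!/bin/sh
# Added example, not part of cert_ecdsa_client.sh: stricter checks on the files
# the script writes. All paths are passed in as arguments (assumed layout).
set -u

# Count the certificates in a PEM bundle. `openssl x509 -in bundle` decodes only
# the first block, so this shows how many the chain bundle really carries.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print subject and issuer of every certificate in a bundle, one block at a time.
list_bundle() {
  bundle="$1"
  n=$(count_certs "$bundle")
  i=1
  while [ "$i" -le "$n" ]; do
    # awk isolates the i-th PEM block; openssl then decodes just that block.
    awk -v want="$i" '/-----BEGIN CERTIFICATE-----/ { c++ } c == want' "$bundle" |
      openssl x509 -noout -subject -issuer
    i=$((i + 1))
  done
}

# Print the line that follows an extension header in `openssl x509 -text` output.
ext_value() {
  printf '%s\n' "$2" | awk -v name="$1" 'index($0, name) { getline; print; exit }'
}

# Succeed only if the leaf is the client certificate the extfile was meant to
# produce (CA:FALSE, digitalSignature, clientAuth), the private key matches it,
# and it chains to the bundle when validated for the client purpose.
check_client_cert() {
  cert="$1"; key="$2"; chain="$3"
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
  ext_value 'X509v3 Key Usage' "$text" | grep -q 'Digital Signature' || return 1
  ext_value 'X509v3 Extended Key Usage' "$text" |
    grep -q 'TLS Web Client Authentication' || return 1
  # The public key in the certificate must equal the one derived from the key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 1
  # -purpose sslclient also rejects a certificate whose EKU is server-only.
  openssl verify -purpose sslclient -CAfile "$chain" "$cert" >/dev/null 2>&1
}
```

Since `-CAfile` treats every certificate in the file as trusted, the first verification step above (the leaf checked against a bundle that already contains it) adds little beyond the second; validating with `-purpose sslclient` is the check that catches a wrongly issued extension set.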

Convert Certificate to Different Formats

The script copies the PEM-encoded certificate, chain bundle, and private key to .crt and .key files for applications that select files by suffix; the content stays PEM, only the extension changes. The .key copy is restricted to owner-only permissions (mode 600).

print_section_header "Convert Certificate from ${file_name}.pem to"
# The .crt and .key files are byte-for-byte copies of the PEM files; only the
# file extension differs, for tools that expect those suffixes.
cat "$certificates_dir/certs/${file_name}.pem" >"$certificates_dir/certs/${file_name}.crt"
cat "$certificates_dir/certs/${file_name}_chain_bundle.pem" >"$certificates_dir/certs/${file_name}_chain_bundle.crt"
cat "$certificates_dir/private/${file_name}.pem" >"$certificates_dir/private/${file_name}.key"
# Only the .key copy is locked down here; the original .pem key keeps the
# permissions openssl ecparam gave it.
chmod 600 "$certificates_dir/private/${file_name}.key"
# Report the files that were actually written (they are named after file_name, not fqdn).
echo -e "$(print_cyan "--> ")""${file_name}.crt"
echo -e "$(print_cyan "--> ")""${file_name}_chain_bundle.crt"
echo -e "$(print_cyan "--> ")""${file_name}.key"

Conclusion

This script ensures that every step in generating and managing an ECDSA client certificate is performed correctly and securely, from key generation to certificate verification and format conversion.

Last updated 22 Sep 2024, 12:15 CEST