Let’s break down what this script does in detail. The script is named cert_ecdsa_server.sh, authored by GJS (homelab-alpha), and its purpose is to generate an ECDSA server certificate. The script automates the entire certificate creation process, including generating a private key, creating a Certificate Signing Request (CSR), issuing the final certificate, and bundling it with an intermediate Certificate Authority (CA) chain. Additionally, it sets up a certificate bundle for HAProxy, performs various verification checks, and converts the certificate to different formats for compatibility with various applications.

Here’s a detailed explanation:

Script Metadata

  • Filename: cert_ecdsa_server.sh
  • Author: GJS (homelab-alpha)
  • Date: June 9, 2024
  • Version: 1.0.1
  • Description: This script automates the generation of an ECDSA server certificate, handling key generation, CSR creation, certificate issuance, and verification.
  • RAW Script: cert_ecdsa_server.sh

Detailed Explanation

Functions

  1. print_cyan: This function prints text in cyan color for better readability in the terminal.

    print_cyan() {
  echo -e "\e[36m$1\e[0m" # \e[36m sets text color to cyan, \e[0m resets it
}

  2. generate_random_hex: This function generates a random hexadecimal value, which is used for serial numbers and CRL numbers.

    generate_random_hex() {
  openssl rand -hex 16
}

  3. print_section_header: This function prints section headers in cyan to clearly delineate different parts of the script.

    print_section_header() {
  echo ""
  echo ""
  echo -e "$(print_cyan "=== $1 === ")"
}

Main Script Execution

Prompt for Certificate Information

The script prompts the user for the certificate name, FQDN, and IPv4 address.

read -r -p "$(print_cyan "Enter the name of the new certificate: ")" file_name
read -r -p "$(print_cyan "Enter the FQDN name of the new certificate: ")" fqdn
read -r -p "$(print_cyan "Enter the IPv4 address of the new certificate (syntax: , IP:192.168.x.x): ")" ipv4

Define Directory Paths

It defines the necessary directory paths for storing SSL files and certificates.

print_section_header "Define directory paths"
ssl_dir="$HOME/ssl"
certificates_dir="$ssl_dir/certificates"
intermediate_dir="$ssl_dir/intermediate"

Renew Database Serial Numbers

The script renews database serial numbers by generating random hex values and writing them to the respective serial files for the root, intermediate, and TSA directories.

print_section_header "Renew db serial numbers"
for dir in "$ssl_dir/root/db" "$intermediate_dir/db" "$ssl_dir/tsa/db"; do
  generate_random_hex >"$dir/serial"
done
generate_random_hex >"$ssl_dir/root/db/crlnumber"
generate_random_hex >"$intermediate_dir/db/crlnumber"

Generate ECDSA Key

It generates an ECDSA key using the secp384r1 curve and saves it to the private directory for the server certificate.

print_section_header "Generate ECDSA key"
openssl ecparam -name secp384r1 -genkey -out "$certificates_dir/private/${file_name}.pem"

Generate Certificate Signing Request (CSR)

The script creates a CSR for the server certificate using the generated ECDSA key and a configuration file.

print_section_header "Generate Certificate Signing Request (CSR)"
openssl req -new -sha384 -config "$certificates_dir/cert.cnf" -key "$certificates_dir/private/${file_name}.pem" -out "$certificates_dir/csr/${file_name}.pem"

Create an Extfile with All the Alternative Names

It creates an extfile with alternative names for the certificate, including DNS and IP addresses.

print_section_header "Create an extfile with all the alternative names"
{
  echo "subjectAltName = DNS:${fqdn}, DNS:www.${fqdn}${ipv4}"
  echo "basicConstraints = critical, CA:FALSE"
  echo "keyUsage = critical, digitalSignature"
  echo "extendedKeyUsage = serverAuth"
  echo "nsCertType = server"
  echo "nsComment = OpenSSL Generated Server Certificate"
} >>"$certificates_dir/extfile/${file_name}.cnf"

Generate Certificate

The script issues the certificate based on the CSR and extfile, valid for a specific period.

print_section_header "Generate Certificate"
openssl ca -config "$certificates_dir/cert.cnf" -notext -batch -in "$certificates_dir/csr/${file_name}.pem" -out "$certificates_dir/certs/${file_name}.pem" -extfile "$certificates_dir/extfile/${file_name}.cnf"

Create Certificate Chain Bundle

It creates a certificate chain bundle by concatenating the server certificate and the intermediate CA chain bundle.

print_section_header "Create Certificate Chain Bundle"
cat "$certificates_dir/certs/${file_name}.pem" "$intermediate_dir/certs/ca_chain_bundle.pem" >"$certificates_dir/certs/${file_name}_chain_bundle.pem"

Create Certificate Chain Bundle for HAProxy

The script sets up a certificate bundle for HAProxy by concatenating the chain bundle and the private key.

print_section_header "Create Certificate Chain Bundle for HAProxy"
cat "$certificates_dir/certs/${file_name}_chain_bundle.pem" "$certificates_dir/private/${file_name}.pem" >"$certificates_dir/certs/${file_name}_haproxy.pem"
chmod 600 "$certificates_dir/certs/${file_name}_haproxy.pem"

Verification Steps

The script performs several verification steps to ensure the integrity and correctness of the certificates and keys.

  1. Verify Certificate against the Certificate Chain Bundle

    print_section_header "Verify Certificate against the Certificate chain Bundle"
openssl verify -CAfile "$certificates_dir/certs/${file_name}_chain_bundle.pem" "$certificates_dir/certs/${file_name}.pem"

  2. Verify Certificate against the Intermediate Certificate Authority Chain Bundle

    print_section_header "Verify Certificate against the Intermediate Certificate Authority Chain Bundle"
openssl verify -CAfile "$intermediate_dir/certs/ca_chain_bundle.pem" "$certificates_dir/certs/${file_name}.pem"

  3. Verify Certificate Chain Bundle against the Intermediate Certificate Authority Chain Bundle

    print_section_header "Verify Certificate Chain Bundle against the Intermediate Certificate Authority Chain Bundle"
openssl verify -CAfile "$intermediate_dir/certs/ca_chain_bundle.pem" "$certificates_dir/certs/${file_name}_chain_bundle.pem"

  1. Verify HAProxy Certificate Chain Bundle against the Intermediate Certificate Authority Chain Bundle

    print_section_header "Verify HAProxy Certificate Chain Bundle against the Intermediate Certificate Authority Chain Bundle"
openssl verify -CAfile "$intermediate_dir/certs/ca_chain_bundle.pem" "$certificates_dir/certs/${file_name}_haproxy.pem"

Check Generated Files

The script includes steps to check the private key, CSR, server certificate, and the chain bundle to verify their contents.

  1. Check Private Key

    print_section_header "Check Private Key"
openssl ecparam -in "$certificates_dir/private/${file_name}.pem" -text -noout

  2. Check CSR

    print_section_header "Check Certificate Signing Request (CSR)"
openssl req -text -noout -verify -in "$certificates_dir/csr/${file_name}.pem"

  3. Check Certificate

    print_section_header "Check Certificate"
openssl x509 -in "$certificates_dir/certs/${file_name}.pem" -text -noout

  4. Check Certificate Chain Bundle

    print_section_header "Check Certificate Chain Bundle"
openssl x509 -in "$certificates_dir/certs/${file_name}_chain_bundle.pem" -text -noout

Convert Certificate to Different Formats

The script converts the certificate from PEM to CRT and KEY formats for compatibility with various applications.

print_section_header "Convert Certificate from ${fqdn}.pem to"
cat "$certificates_dir/certs/${file_name}.pem" >"$certificates_dir/certs/${file_name}.crt"
cat "$certificates_dir/certs/${file_name}_chain_bundle.pem" >"$certificates_dir/certs/${file_name}_chain_bundle.crt"
cat "$certificates_dir/private/${file_name}.pem" >"$certificates_dir/private/${file_name}.key"
chmod 600 "$certificates_dir/private/${file_name}.key"
echo -e "$(print_cyan "--> ")""${fqdn}.crt"
echo -e "$(print_cyan "--> ")""${fqdn}_chain_bundle.crt"
echo -e "$(print_cyan "--> ")""${fqdn}.key"

Conclusion

This comprehensive script ensures that every step in generating and managing an ECDSA server certificate is performed correctly and securely, from key generation to certificate verification and format conversion.

Edit this page

Last updated 22 Sep 2024, 12:15 CEST . history