scripts/own-pki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dev #20260426

Browse Source
This commit is contained in:
Gilles Mouchet 2026-04-26 20:44:39 +02:00
parent 8ad708c93e
commit 7c4cacc6bb
17 changed files with 1237 additions and 366 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
bin/create-ca.sh
View File

@ -32,12 +32,12 @@ usage() {
Usage: ./$(basename "$0") -n <commonName>
Template script
Options:
-n, --common-name <cn> - CA common name [mandatory]
-n, --cn <cn> - CA common name [mandatory]
-h, --help - show this help
-v, --version - show script version
Examples:
Show this help
Create CA called "GMOLab CA"
./$(basename "$0") -n "GMOLab CA"
EOF
}
@ -90,7 +90,7 @@ $(basename "$0") $version Copyright (C) 2003 - $(date +%Y) Gilles Mouchet
EOF
exit
;;
*|help|-h|--help)
*|-h|--help)
usage
exit
;;
@ -123,6 +123,8 @@ and KEEP IT SECURE.
You will be asked for it when creating certificates.
For automation, save the password in /root/.cred (KEY_CA_PASS=password).
" "${KEY_CA_PATH}/${CA_NAME}" "${CRT_CA_PATH}/${CA_NAME}" \
"$COUNTRY_NAME" "$STATE_OR_PROVINCE_NAME" "$LOCALITY_NAME" \
"$ORGANIZATION_NAME" "$ORGANIZATIONAL_UNIT_NAME" "$COMMON_NAME" "$EMAIL_ADDRESS"
@ -131,7 +133,6 @@ You will be asked for it when creating certificates.
# check if CA files exist
if [ -f "$KEY_CA_PATH/$CA_NAME.key" ]; then
#echo -e "${RED}\n$KEY_CA_PATH/$CA_NAME.key already exists!\n"
msg_warn "\n$KEY_CA_PATH/$CA_NAME.key already exists!\n"
yes_no "Are you sure you want to delete it"
fi

225
bin/generate-cert.sh
View File

@ -37,7 +37,7 @@ Usage: $0 -c <ca_cert> -k <ca_key> -n <common_name> [-d <dns1,dns2>] [-i <ip1,ip
Template script
Options:
-c, --ca-name <ca_name> - ca name (./info-cert.sh -c get list of CA name)
-n, --commonName <cn> - common name (server.domain.ext)
-n, --commonName <cn> - common name fqdn format (server.domain.ext)
-d, --dns <dns1,dns2,dnsx> - subject alternative name (multiple SAN separated by commas)
-i, --ip <ip1,ipx> - ip address to add to the certificate (multiple IPs separated by commas)
-t, --days <days> - validity period of the certificate in days (defaults $days days)
@ -52,8 +52,6 @@ Examples:
Generate a certifciate for myweb.gmolab.net with dns alias and ip
./$(basename "$0") -c gmolab_ca -n myweb.gmolab.net -i 92.168.1.10,10.0.0.5,10.10.34.25 --dns www.gmolab.net,qual-myweb.gmolab.net -t 49
Show this help
./$(basename "$0") -h
EOF
}
@ -88,7 +86,7 @@ fi
set_color
# parse cli parameters
while [[ "$#" -gt 0 ]]; do
while [[ "$#" -gt 0 ]]; do
case "$1" in
-c|--ca-name)
if [[ -z "$2" || "$2" == -* ]]; then
@ -101,22 +99,18 @@ while [[ "$#" -gt 0 ]]; do
fi
shift 2
;;
-n|--common-name)
-n|--cn)
if [[ -z "$2" || "$2" == -* ]]; then
msg_error "\nError: Argument missing for option -n or --common-name.\n"
usage
exit 1
else
if [[ ! $2 =~ ^([a-z0-9]+(-[a-z0-9]+)*\.){2,}[a-z]{2,}$ ]]; then
msg_error "\n$2 is not a commonName valid.\n"
msg_error "\nError: Argument missing for option -n or --cn.\n"
usage
exit 1
else
check_format_fqdn "$2"
COMMON_NAME=$2
# record for db if no option -d or --dns exist.
# some browser needed the commName in Subject Alternative Name
DNS_LINE=$2 # record for db if no option -d or --dns exist. Some browser needed the commName in Subject Alternative Name
fi
fi
shift 2
;;
@ -135,10 +129,7 @@ while [[ "$#" -gt 0 ]]; do
# check dns format
for SAN_DNS in "${DNS[@]}"; do
if [[ ! $SAN_DNS =~ ^([a-z0-9]+(-[a-z0-9]+)*\.){2,}[a-z]{2,}$ ]]; then
msg_error "\n$SAN_DNS is not a commonName valid.\n"
exit 1
fi
check_format_fqdn $SAN_DNS
done
fi
shift 2
@ -156,10 +147,7 @@ while [[ "$#" -gt 0 ]]; do
# check ip format
for SAN_IP in "${IP_ADDRS[@]}"; do
if [[ ! $SAN_IP =~ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ ]]; then
msg_error "\n$SAN_IP is not an address IP valid.\n"
exit 1
fi
check_format_ip $SAN_IP
done
fi
shift 2
@ -184,67 +172,65 @@ $(basename "$0") $version Copyright (C) 2003 - $(date +%Y) Gilles Mouchet
EOF
exit
;;
-h|--help)
*|-h|--help)
usage
exit
;;
esac
done
done
# if array dns is empty we add commonName
if [ "${#DNS[@]}" -eq 0 ]; then
# check if file doesn't exists
if [ -f "$CERTS_PATH/$COMMON_NAME.key" ]; then
echo -e "The ${ORANGE}$CERTS_PATH/$COMMON_NAME.key${NC} file exists!"
yes_no "Are you sure you want to continue"
fi
# if array dns is empty we add commonName
if [ "${#DNS[@]}" -eq 0 ]; then
DNS+="$COMMON_NAME"
fi
fi
# check if mandatory variables exists
if [[ -z "$CA_CRT" || -z "$CA_KEY" || -z "$COMMON_NAME" ]]; then
# check if mandatory variables exists
if [[ -z "$CA_CRT" || -z "$CA_KEY" || -z "$COMMON_NAME" ]]; then
usage
exit 1
fi
fi
# check if ca key and ca crt file exist
if [[ ! -f "$CRT_CA_PATH/$CA_CRT" || ! -f "$KEY_CA_PATH/$CA_KEY" ]]; then
# check if ca key and ca crt file exist
if [[ ! -f "$CRT_CA_PATH/$CA_CRT" || ! -f "$KEY_CA_PATH/$CA_KEY" ]]; then
msg_error "One or both of the following files are missing:"
msg_warn " - $CRT_CA_PATH/$CA_CRT"
msg_warn " - $KEY_CA_PATH/$CA_KEY"
exit 1
fi
# summary
printf "
fi
# summary
printf "
${CYAN}Summary
---------------------------------------------------------------------${NC}
Certifcate authority: ${GREEN}%s${NC}
Common name: ${GREEN}%s${NC}
" "$CRT_CA_PATH/$CA_CRT" "$COMMON_NAME"
echo -e "SAN List:"
for SAN_DNS in "${DNS[@]}"; do
echo -e "SAN List:"
for SAN_DNS in "${DNS[@]}"; do
msg_ok " - $SAN_DNS"
done
done
echo -e "IP List:"
for SAN_IP in "${IP_ADDRS[@]}"; do
echo -e "IP List:"
for SAN_IP in "${IP_ADDRS[@]}"; do
msg_ok " - $SAN_IP"
done
done
echo -e "Validity:"
echo -e " Not before: ${GREEN}$(date +"%b %d %H:%M:%S %Y GMT")${NC}"
echo -e " Not After : ${GREEN}$(date -u -d "+$DAYS days" +"%b %d %H:%M:%S %Y GMT")${NC}"
echo -e "Validity:"
echo -e " Not before: ${GREEN}$(date +"%b %d %H:%M:%S %Y GMT")${NC}"
echo -e " Not After : ${GREEN}$(date -u -d "+$DAYS days" +"%b %d %H:%M:%S %Y GMT")${NC}"
if [ "$ASSUME_YES" == "0" ]; then
if [ "$ASSUME_YES" == "0" ]; then
yes_no "Is it ok"
fi
fi
# create destination path
if [ ! -d "$CERTS_TMP_PATH" ]; then
echo "create $CERTS_TMP_PATH"
mkdir -p $CERTS_TMP_PATH
fi
echo -e "\nPrepare the openSSL configuration file"
cat > "$CERTS_TMP_PATH/${COMMON_NAME}_openssl.cnf" << EOF
echo -e "\nPrepare the openSSL configuration file"
cat > "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
@ -260,83 +246,86 @@ subjectAltName = @alt_names
[ alt_names ]
EOF
echo -e " Add SAN"
echo -e " Add SAN"
# add dns
i=1
#echo "DNS.$i = ${COMMON_NAME}" >> "$CERTS_TMP_PATH/${COMMON_NAME}_openssl.cnf"
#((i++))
for SAN_DNS in "${DNS[@]}"; do
echo "DNS.$i = $AN_DNS" >> "$CERTS_TMP_PATH/${COMMON_NAME}_openssl.cnf"
i=1
for SAN_DNS in "${DNS[@]}"; do
echo "DNS.$i = $SAN_DNS" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
((i++))
done
done
echo -e " Add IP"
# add ip
i=1
for SAN_IP in "${IP_ADDRS[@]}"; do
echo "IP.$i = $SAN_IP" >> "$CERTS_TMP_PATH/${COMMON_NAME}_openssl.cnf"
echo -e " Add IP"
# add ip
i=1
for SAN_IP in "${IP_ADDRS[@]}"; do
echo "IP.$i = $SAN_IP" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
((i++))
done
done
# create certificate
echo -e "Generating the private key..."
openssl genrsa -out "${CERTS_TMP_PATH}/${COMMON_NAME}.key" 4096
# create certificate
echo -e "Generating the private key..."
openssl genrsa -out "${CERTS_PATH}/${COMMON_NAME}.key" 4096
echo -e "Generating csr file..."
openssl req -new -key "${CERTS_TMP_PATH}/${COMMON_NAME}.key" -out "${CERTS_TMP_PATH}/${COMMON_NAME}.csr" -config "$CERTS_TMP_PATH/${COMMON_NAME}_openssl.cnf"
echo -e "Generating csr file..."
openssl req -new -key "${CERTS_PATH}/${COMMON_NAME}.key" -out "${CERTS_PATH}/${COMMON_NAME}.csr" -config "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
echo -e "Signing the certificate with the CA..."
openssl x509 -req -in "${CERTS_TMP_PATH}/${COMMON_NAME}.csr" \
echo -e "Signing the certificate with the CA..."
openssl x509 -req -in "${CERTS_PATH}/${COMMON_NAME}.csr" \
-CA "$CRT_CA_PATH/$CA_CRT" -CAkey "$KEY_CA_PATH/$CA_KEY" -CAcreateserial \
-out "${CERTS_TMP_PATH}/${COMMON_NAME}.crt" -days "$DAYS" \
-extensions req_ext -extfile "$CERTS_TMP_PATH/${COMMON_NAME}_openssl.cnf" \
> /dev/null 2>&1 #-passin pass:pa55w0rd > /dev/null 2>&1
echo -n "Result of certificate signing: "
check_rc $?
#echo -e "\nVerify certifcate"
#echo -e "\nValidity"
#openssl x509 -in $CERTS_TMP_PATH/${COMMON_NAME}.crt -noout -dates
#echo -e "\nSubject Alternative Name"
#openssl x509 -in $CERTS_TMP_PATH/${COMMON_NAME}.crt -noout -ext subjectAltName
echo -e -n "\nVerify the validity of ${GREEN}$CERTS_TMP_PATH/${COMMON_NAME}.crt${NC} using the trust chain: "
openssl verify -CAfile $CRT_CA_PATH/$CA_CRT $CERTS_TMP_PATH/$COMMON_NAME.crt > /dev/null 2>&1
check_rc $?
-out "${CERTS_PATH}/${COMMON_NAME}.crt" -days "$DAYS" \
-extensions req_ext -extfile "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" \
#-passin pass:$KEY_CA_PASS \
> /dev/null 2>&1
rc=$?
echo -n "Result of certificate signing: "
check_rc $rc
#echo -e "\nVerify certifcate"
#echo -e "\nValidity"
#openssl x509 -in $CERTS_PATH/${COMMON_NAME}.crt -noout -dates
#echo -e "\nSubject Alternative Name"
#openssl x509 -in $CERTS_PATH/${COMMON_NAME}.crt -noout -ext subjectAltName
echo -e -n "\nVerify the validity of ${GREEN}$CERTS_PATH/${COMMON_NAME}.crt${NC} using the trust chain: "
openssl verify -CAfile $CRT_CA_PATH/$CA_CRT $CERTS_PATH/$COMMON_NAME.crt > /dev/null 2>&1
check_rc $?
# get validity date
NOT_BEFORE=$(openssl x509 -noout -in $CERTS_TMP_PATH/${COMMON_NAME}.crt -startdate | cut -d'=' -f2)
NOT_AFTER=$(openssl x509 -noout -in $CERTS_TMP_PATH/${COMMON_NAME}.crt -enddate | cut -d'=' -f2)
#NOT_BEFORE=$(openssl x509 -noout -in $CERTS_PATH/${COMMON_NAME}.crt -startdate | cut -d'=' -f2)
#NOT_AFTER=$(openssl x509 -noout -in $CERTS_PATH/${COMMON_NAME}.crt -enddate | cut -d'=' -f2)
# check if commonName already exist on db
echo -e -n "\nCheck if ${GREEN}${COMMON_NAME}${NC} exist in DB: "
recordExist=$(sqlite3 $DB_PATH "SELECT EXISTS(SELECT 1 FROM certs WHERE common_name='${COMMON_NAME}');")
check_rc $?
#echo -e -n "\nCheck if ${GREEN}${COMMON_NAME}${NC} exist in DB: "
#recordExist=$(sqlite3 $DB_PATH "SELECT EXISTS(SELECT 1 FROM certs WHERE common_name='${COMMON_NAME}');")
#check_rc $?
if [ "$recordExist" == "1" ]; then
echo -e -n "Update ${ORANGE}${COMMON_NAME}${NC} in DB: "
sqlite3 $DB_PATH <<EOF
UPDATE certs SET san_dns = '$DNS_LINE',
san_ip = '$IP_LINE',
cert_key = readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.key'),
cert_csr = readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.csr'),
cert_crt = readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.crt'),
not_valid_before = '$NOT_BEFORE',
not_valid_after = '$NOT_AFTER'
WHERE common_name = '${COMMON_NAME}';
EOF
check_rc $?
else
echo -e -n "Add ${ORANGE}${COMMON_NAME}${NC} in DB: "
sqlite3 $DB_PATH <<EOF
INSERT INTO certs (common_name,san_dns,san_ip,cert_key,cert_csr,cert_crt,not_valid_before,not_valid_after)
VALUES ('${COMMON_NAME}', '$DNS_LINE','$IP_LINE',
readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.key'),
readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.csr'),
readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.crt'),
'$NOT_BEFORE',
'$NOT_AFTER')
EOF
check_rc $?
fi
#if [ "$recordExist" == "1" ]; then
# echo -e -n "Update ${ORANGE}${COMMON_NAME}${NC} in DB: "
## cert_crt_64=$(base64 -w0 ${CERTS_TMP_PATH}/${COMMON_NAME}.crt)
## echo $cert_crt_64
# sqlite3 $DB_PATH <<EOF
#UPDATE certs SET san_dns = '$DNS_LINE',
# san_ip = '$IP_LINE',
# cert_key = '$(base64 -w0 ${CERTS_TMP_PATH}/${COMMON_NAME}.key)',
# cert_csr = '$(base64 -w0 ${CERTS_TMP_PATH}/${COMMON_NAME}.csr)',
# cert_crt = '$(base64 -w0 ${CERTS_TMP_PATH}/${COMMON_NAME}.crt)',
# not_valid_before = '$NOT_BEFORE',
# not_valid_after = '$NOT_AFTER'
#WHERE common_name = '${COMMON_NAME}';
#EOF
## check_rc $?
#else
# echo -e -n "Add ${ORANGE}${COMMON_NAME}${NC} in DB: "
# sqlite3 $DB_PATH <<EOF
#INSERT INTO certs (common_name,san_dns,san_ip,cert_key,cert_csr,cert_crt,not_valid_before,not_valid_after)
#VALUES ('${COMMON_NAME}', '$DNS_LINE','$IP_LINE',
# '$(base64 -w0 ${CERTS_TMP_PATH}/${COMMON_NAME}.key)',
# '$(base64 -w0 ${CERTS_TMP_PATH}/${COMMON_NAME}.csr)',
# '$(base64 -w0 ${CERTS_TMP_PATH}/${COMMON_NAME}.crt)',
# '$NOT_BEFORE',
# '$NOT_AFTER')
#EOF
# check_rc $?
#fi
}
main "$@"

258
bin/info-cert.sh Executable file
View File

@ -0,0 +1,258 @@
#!/bin/bash
#############################################################
# Script name: template.sh
# Author: Gilles Mouchet (gilles.mouchet@gmail.com
# Version: v1beta 2026-04-05
# Description: Script template linux
# License: CC BY-NC 4.0 (https://creativecommons.org/licenses/by-nc/4.0/)
#
# This script is provided "as is", WITHOUT ANY WARRANTY OF ANY KIND.
# Commercial use is strictly prohibited without prior authorization.
#
# Changelog
# [1.0.0] - 2026-04-05
# Added:
# - show certificate info
# - show ca list
# - show expiration date
# Project initialization
# - initialization by gilles.mouchet@gmail.com
#
############################################################
#
version=1.0.0
############################################################
# FUNCTIONS
############################################################
#-----------------------------------------------------------
# Display usage
usage() {
cat << EOF
Usage: ./$(basename "$0") options
Template script
Options:
-a, --all
Show all cert information
-c, --ca
List all CA name
-d, --expire-day <days>
List the certificates expiring in the next <days> days
-i, --info <ca_name_pattern>
Display certificate info. You can use wirdcard * in pattern
-n, --cn
List all cn
-h, --help
Show this help
-v, --version
Show script version
Examples:
List all CA name
./$(basename "$0") --list-ca
List all certs cn
./$(basename "$0") --cn
Show infos for certificates whose CN begins with 'doe'
./$(basename "$0") -i "doe*"
Show infos for certificates whose CN ends with 'doe'
./$(basename "$0") -i "*doe"
Show infos for certificates where CN contains 'doe'
./$(basename "$0") -i "*doe*"
Show infos for certificates where CN is 'www.gmolab.net'
./$(basename "$0") -i www.gmolab.net
List the certificates expiring in the next 10 days
./$(basename "$0") -d 10
EOF
}
#-----------------------------------------------------------
# Certificates info
cert_info() {
echo -e "Number of certificates : ${CYAN}${#certList[@]}${NC}"
for certFile in "${certList[@]}"; do
# extract informations from certificates
cname=$(openssl x509 -noout -subject -in $certFile | cut -d"=" -f3)
issuer=$(openssl x509 -noout -issuer -in $certFile | sed 's/^issuer=//')
notAfter=$(openssl x509 -noout -enddate -in $certFile | cut -d"=" -f2)
notBefore=$(openssl x509 -noout -startdate -in $certFile | cut -d"=" -f2)
# extract Subject Alternative Name
san=$(openssl x509 -text -noout -in $certFile | \
grep -A 1 "Subject Alternative Name" | tail -n 1 | \
sed 's/,/\n/g' | \
sed -E 's/^\s*(DNS:|IP:|IPAddress:|IP Address:)//g' | \
sed 's/ //g')
# extract SAN dns
dnsList=$(echo "$san" | grep -v '^[0-9.]*$')
dnsArray=()
while IFS= read -r line; do
[[ -n "$line" ]] && dnsArray+=("$line")
done <<< "$dnsList"
# extract SAN ip
ipList=$(echo "$san" | grep -E '^[0-9.]+$')
ipArray=()
while IFS= read -r line; do
[[ -n "$line" ]] && ipArray+=("$line")
done <<< "$ipList"
echo -e "\n******************************************************"
echo -e "CA name: ${CYAN}$cname${NC}"
echo -e "******************************************************"
echo "Subject Alternative Name"
echo -e " DNS:"
for san_dns in "${dnsArray[@]}"; do
echo -e " ${CYAN} - $san_dns${NC}"
done
echo -e " IP:"
for san_ip in "${ipArray[@]}"; do
echo -e " ${CYAN} - $san_ip${NC}"
done
echo -e "Not valid before: ${CYAN}$notBefore${NC}"
echo -e "Not valid after : ${CYAN}$notAfter${NC}"
echo -e "Issuer: ${CYAN}$issuer${NC}"
done
}
############################################################
# MAIN
############################################################
main(){
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
# read library
source "$ROOT_DIR/lib/stdlib.sh"
# init config
init_default
init_env
# set color
set_color
# check if script is run with sudo
check_sudo
# check if param exist
if [ -z "$1" ]; then
usage
exit 1
fi
# set color
set_color
# read cli parameters
while [[ "$#" -gt 0 ]]; do
case "$1" in
-a|--all)
certList=($CERTS_PATH/*.crt)
cert_info
shift
;;
-c|--ca)
files=( $CRT_CA_PATH/*.crt )
for f in "${files[@]}"; do
filename=$(basename "$f" .crt)
if [ "$filename" == "ca-bundle" ] || [ "$filename" == "ca-bundle.trust" ]; then
continue
else
echo "CA name: $filename"
fi
done
shift
;;
-d|--expire-day)
if [[ -z "$2" || "$2" == -* ]]; then
echo -e "\n${RED}Error: Argument missing for option -d or --validity-date. See ./$(basename "$0") --help${NC}\n"
exit 1
# check if nbr days is numeric and > 1 and < $DAYS
elif [[ "$2" =~ ^[0-9]+$ ]] && [ "$2" -ge 1 ] && [ "$2" -le "$DAYS" ]; then
expired_date $2
for certData in "${expireDate[@]}"; do
daysLeft=$(echo $certData | cut -d"|" -f1 )
cn=$(echo $certData | cut -d"|" -f2 )
expDate=$(echo $certData | cut -d"|" -f3 )
if [ "$daysLeft" -le 0 ]; then
color="$RED!! EXPIRED CERTIFICATE ---> "
elif [ "$daysLeft" -le 5 ]; then
color="$RED"
elif [ "$daysLeft" -le 10 ]; then
color="$ORANGE"
else
color="$GREEN"
fi
echo -e "${color}$cn expires in $daysLeft days ($expDate)${NC}"
done
else
echo -e "\n${RED}The number of days must be between 1 and $days. See ./$(basename "$0") --help${NC}\n"
fi
shift 2
;;
-i|--info)
if [[ -z "$2" || "$2" == -* ]]; then
msg_error "\nError: Argument missing for option -i or --info.\n"
usage
exit 1
else
# check if $2 is not a glob ("*tto*")
if [[ ! "$2" == *[*?\[]* ]]; then
# it's not a glob, we test if file existe
if [ -f "$CERTS_PATH/$2.crt" ]; then
certList=("$CERTS_PATH/$2.crt")
cert_info
else
certList=()
cert_info
fi
else
# it's a glob
# set - if no .crt → files=() (empty)
shopt -s nullglob
certList=("$CERTS_PATH"/$2.crt)
shopt -u nullglob
cert_info
fi
fi
shift 2
;;
-n|--cn)
i=0
files=( $CERTS_PATH/*.crt )
for f in "${files[@]}"; do
cn=$(basename "$f" .crt)
echo $cn
((i++))
done
echo -e "\nThere are ${ORANGE}$i${NC} certificates."
shift
;;
-v|--version)
cat << EOF
$(basename "$0") $version (c) 1990 - $(date +%Y) by Gilles Mouchet
This script is provided "as is", WITHOUT ANY WARRANTY OF ANY KIND.
Non-Commercial Use License See LICENSE for details
EOF
exit
;;
*|-h|--help)
usage
exit
;;
esac
done
}
main "$@"

177
bin/install.sh
View File

@ -15,107 +15,65 @@
# [1.0.0] - 2026-04-12
# - Added
# - create environment for cert
# - create DB
# - Project initialization
# - initialization by gilles.mouchet@gmail.com
#
############################################################
#
set -Eeuo pipefail
VERSION=1.0.0
############################################################
# FUNCTIONS
############################################################
#-----------------------------------------------------------
# init db
init_db(){
mkdir -p "$(dirname "$DB_PATH")"
sqlite3 $DB_PATH <<EOF
CREATE TABLE IF NOT EXISTS certs (
id INTEGER PRIMARY KEY AUTOINCREMENT,
common_name TEXT UNIQUE,
san_dns TEXT,
san_ip TEXT,
cert_key TEXT,
cert_csr TEXT,
cert_crt TEXT,
not_valid_before TEXT,
not_valid_after TEXT,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER IF NOT EXISTS update_certs_updated_at
AFTER UPDATE ON certs
FOR EACH ROW
BEGIN
UPDATE certs
SET updated_at = CURRENT_TIMESTAMP
WHERE id = OLD.id;
END;
EOF
}
############################################################
# Main
############################################################
#main (){
# path resolution
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
CONF_PATH="/etc/own-pki"
ENABLE_COLOR=true
BIN_PATH="/opt/own-pki"
DB_PATH="/var/lib/own-pki/certificates.db"
ASSUME_YES=0
# read stdlib.sh
source "$ROOT_DIR/lib/set-color.sh"
source "$ROOT_DIR/lib/message.sh"
source "$ROOT_DIR/lib/check-rc.sh"
source "$ROOT_DIR/lib/yes-no.sh"
set_color
#SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
#ROOT_DIR="$(dirname "$SCRIPT_DIR")"
#CONF_PATH="/etc/own-pki"
#ENABLE_COLOR=true
#BIN_PATH="/opt/own-pki"
#ASSUME_YES=0
main(){
# check if user has sudo rigth
if sudo ! -n true 2>/dev/null; then
msg_error "Access denied: user $USER does not have sudo privileges or a password is required.."
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
COPY_CONF=true
# check if the effective user ID is 0 (root)
if [[ $EUID -ne 0 ]]; then
msg_error "\nThis script must be run as root or with sudo.\n"
exit 1
fi
# read library
source "$ROOT_DIR/lib/stdlib.sh"
# install sqlite
echo -n -e "Install ${ORANGE}sqlite${NC}. Please wait...: "
dnf install sqlite -y > /dev/null 2>&1
check_rc $?
# init config
init_default
# create paths
echo -n -e "Create path $BIN_PATH: "
if [ ! -d "$BIN_PATH" ]; then
# set color
set_color
# check if script is run with sudo
check_sudo
# read cli parameters
while [[ "$#" -gt 0 ]]; do
case "$1" in
--reload-conf)
init_env
COPY_CONF=false
shift
;;
esac
done
# create paths for environment own-pki
echo -n -e "Create path $BIN_PATH/lib: "
if [ ! -d "$BIN_PATH/lib" ]; then
mkdir -p "$BIN_PATH" 2>/dev/null
check_rc $?
else
msg_warn "$BIN_PATH already exists!"
fi
echo -n -e "Create path $BIN_PATH/lib: "
if [ ! -d "$BIN_PATH/lib" ]; then
mkdir -p "$BIN_PATH/lib" 2>/dev/null
check_rc $?
else
msg_warn "$BIN_PATH/lib already exists!"
fi
echo -e -n "Create $BIN_PATH/bin: "
echo -n -e "Create path $BIN_PATH/bin: "
if [ ! -d "$BIN_PATH/bin" ]; then
mkdir -p $BIN_PATH/bin 2>/dev/null
mkdir -p "$BIN_PATH/bin" 2>/dev/null
check_rc $?
else
msg_warn "$BIN_PATH/bin already exists!"
@ -137,33 +95,48 @@ main(){
msg_warn "$CONF_PATH already exists!"
fi
# copy config file
# create paths for certs repository
echo -e -n "Create $CERTS_PATH: "
if [ ! -d "$CERTS_PATH" ]; then
mkdir -p $CERTS_PATH 2>/dev/null
check_rc $?
else
msg_warn "$CERTS_PATH already exists!"
fi
echo -e -n "Create $KEY_CA_PATH: "
if [ ! -d "$KEY_CA_PATH" ]; then
mkdir -p $KEY_CA_PATH 2>/dev/null
check_rc $?
else
msg_warn "$KEY_CA_PATH already exists!"
fi
echo -e -n "Create $CRT_CA_PATH: "
if [ ! -d "$CRT_CA_PATH" ]; then
mkdir -p $CRT_CA_PATH 2>/dev/null
check_rc $?
else
msg_warn "$CRT_CA_PATH already exists!"
fi
# copy config default file
echo -e -n "Copy ${ORANGE}$ROOT_DIR/config/default.conf${NC} to $BIN_PATH/config: "
cp "$ROOT_DIR/config/default.conf" "$BIN_PATH/config/."
check_rc $?
# copy config file
echo -e -n "Copy ${ORANGE}$ROOT_DIR/config/default.conf${NC} to $BIN_PATH/config: "
cp "$ROOT_DIR/config/default.conf" "$BIN_PATH/config/."
# copy config own-pki.conf file
if [[ "$COPY_CONF" == "true" ]]; then
echo -e -n "Copy ${ORANGE}$ROOT_DIR/config/own-pki.conf${NC} to $CONF_PATH: "
cp "$ROOT_DIR/config/own-pki.conf" "$CONF_PATH/."
check_rc $?
fi
# copy config file
# copy ca config file
echo -e -n "Copy ${ORANGE}$ROOT_DIR/config/ca-config.tmpl${NC} to ${BIN_PATH}/config: "
cp "$ROOT_DIR/config/ca-config.tmpl" "${BIN_PATH}/config/."
check_rc $?
# create DB
echo -n -e "Create DB $DB_PATH: "
if [ -f "$DB_PATH" ]; then
msg_warn "$DB_PATH already exists!"
yes_no "Are you sure you want to recreate a database"
rm -rf "$DB_PATH"
init_db
check_rc $?
else
init_db
check_rc $?
fi
# copy script file to opt
msg_info "Copy librairie scripts files"
@ -185,18 +158,12 @@ main(){
fi
done
msg_info "Create link"
files=( $ROOT_DIR/bin/* )
for f in "${files[@]}"; do
# exclude install.sh
if [ "$f" != "$ROOT_DIR/bin/install.sh" ]; then
SCRIPT_FILE=$(basename "$f")
echo -e -n " create link ${ORANGE}$BIN_PATH/bin/$SCRIPT_FILE${NC} to /usr/local/bin/: "
ln -f -s $BIN_PATH/bin/$SCRIPT_FILE /usr/local/bin/ #>"$out_tmp" 2>"$err_tmp"
check_rc $?
echo "******************************************************"
echo " Installation completed !!"
echo -e " Adapt the file ${ORANGE}$CONF_PATH/own-pki.conf${NC} as you need"
echo "******************************************************"
fi
done
}
main "$@"

161
bin/random-cert.sh Executable file
View File

@ -0,0 +1,161 @@
#/bin/bash
generate_cert() {
local CA_CRT=""
local CA_KEY=""
local COMMON_NAME=""
local DAYS="$DAYS"
local DNS=()
local IP_ADDRS=()
# parsing arguments
while [[ $# -gt 0 ]]; do
case "$1" in
-c) CA_CRT=$2.crt; CA_KEY=$2.key ;shift 2 ;;
-n) COMMON_NAME="$2"; shift 2 ;;
-d) DNS_LINE="$COMMON_NAME,$2"; shift 2 ;;
-i) IP_ADDRS_LINE=("$2"); shift 2 ;;
-t) DAYS="$2"; shift 2 ;;
*) echo "Option inconnue: $1"; return 1 ;;
esac
done
IFS=',' read -r -a IP_ADDRS <<< "$IP_ADDRS_LINE"
IFS=',' read -r -a DNS <<< "$DNS_LINE"
if [ "${#DNS[@]}" -eq 0 ]; then
DNS+="$COMMON_NAME"
fi
cat > "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
CN = $COMMON_NAME
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
EOF
# Add san dns"
idns=1
for SAN_DNS in "${DNS[@]}"; do
echo "DNS.$idns = $SAN_DNS" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
((idns++))
done
# add san ip
iip=1
for SAN_IP in "${IP_ADDRS[@]}"; do
echo "IP.$iip = $SAN_IP" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
((iip++))
done
# create certificate
echo -e "Generating the private key..."
openssl genrsa -out "${CERTS_PATH}/${COMMON_NAME}.key" 4096
echo -e "Generating csr file..."
openssl req -new -key "${CERTS_PATH}/${COMMON_NAME}.key" -out "${CERTS_PATH}/${COMMON_NAME}.csr" -config "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
echo -e "Signing the certificate with the CA..."
openssl x509 -req -in "${CERTS_PATH}/${COMMON_NAME}.csr" \
-CA "$CRT_CA_PATH/$CA_CRT" -CAkey "$KEY_CA_PATH/$CA_KEY" -CAcreateserial \
-out "${CERTS_PATH}/${COMMON_NAME}.crt" -days "$DAYS" \
-extensions req_ext -extfile "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" \
-passin pass:pa55w0rd \
> /dev/null 2>&1
rc=$?
echo -n "Result of certificate signing: "
check_rc $rc
}
# Fonction pour générer un FQDN
gen_fqdn() {
local sub_len=$((RANDOM % 8 + 3))
local name_len=$((RANDOM % 13 + 3))
local sub=$(tr -dc 'a-z0-9' </dev/urandom | fold -w "$sub_len" | head -n 1)
local name=$(tr -dc 'a-z0-9' </dev/urandom | fold -w "$name_len" | head -n 1)
local tld=("com" "net" "org" "io" "ch" "fr")
echo "${sub}.${name}.${tld[$((RANDOM % ${#tld[@]}))]}"
}
# Fonction IP
gen_ip() {
echo "$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256))"
}
# Liste (fqdn ou ip)
gen_list() {
local type=$1
local count=$((RANDOM % 3 + 3))
local list=""
for ((i=0; i<count; i++)); do
local item
[[ "$type" == "fqdn" ]] && item=$(gen_fqdn) || item=$(gen_ip)
list+="$item"
[[ $i -lt $((count-1)) ]] && list+=","
done
echo "$list"
}
############################################################
# MAIN
############################################################
main(){
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
# read library
source "$ROOT_DIR/lib/stdlib.sh"
# init config
init_default
init_env
# set color
set_color
# check if script is run with sudo
check_sudo
echo "Début de la génération..."
for ((i=1; i<=10; i++)); do
args=()
fqdn=$(gen_fqdn)
# -d (50%)
if (( RANDOM % 2 )); then
args+=("-d" "$(gen_list fqdn)")
fi
# -i (50%)
if (( RANDOM % 2 )); then
args+=("-i" "$(gen_list ip)")
fi
# -t (50%)
if (( RANDOM % 2 )); then
args+=("-t" "$((RANDOM % $DAYS + 1))")
fi
echo "[$i/5] generate_cert -c gmolab_ca -n $fqdn ${args[*]}"
# Appel direct
generate_cert -c "gmolab_ca" -n "$fqdn" "${args[@]}"
# generate_cert -c gmolab_ca -n vwiy3rv1ui.6zghdqm1p8cj.io -d u0ba3i5rt.asfsdvrmf8iiltd.org,0sit366.w47txhyg.io,4ulkpy6.v39762sriaiy.com,zvw3o0ovee.gqv50o6ge6.io,a57v0x.rs8.net -i 161.21.147.75,81.67.128.79,81.54.192.190,95.116.177.195,13.111.172.161
done
echo "Génération terminée avec succès."
}
main "$@"

110
bin/remove-cert.sh Executable file
View File

@ -0,0 +1,110 @@
#!/bin/bash
#############################################################
# Script name: remove-cert.sh
# Author: Gilles Mouchet (gilles.mouchet@gmail.com
# Version: 1.0.0
# Description: Removes certificate from the database
# License: GNU GPL v3
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Changelog
# [1.0.0] - 2026-04-05
# Added:
# - new features
# Project initialization:
# - initialization by gilles.mouchet@gmail.com
#
############################################################
version=1.0.0
############################################################
# FUNCTIONS
############################################################
#-----------------------------------------------------------
# Display usage
usage() {
cat << EOF
Usage: ./$(basename "$0") options
Template script
Options:
-n, --cn
Delete the certificates from DB
To find the commonName, use the script ./info-cert.sh -h
-h, --help
Show this help
-v, --version
Show script version
Examples:
Show this help
./$(basename "$0") -h
Delete
EOF
}
############################################################
# MAIN
############################################################
main(){
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
# read library
source "$ROOT_DIR/lib/stdlib.sh"
# init config
init_default
init_env
# set color
set_color
# check if script is run with sudo
check_sudo
# check if param exist
if [ -z "$1" ]; then
usage
exit 1
fi
# read cli parameters
while [[ "$#" -gt 0 ]]; do
case "$1" in
-n|--cn)
if [[ -z "$2" || "$2" == -* ]]; then
echo -e "\n${RED}Error: Argument missing for option -n or --cn. See ./$(basename "$0") --help${NC}\n"
exit 1
else
# check if file exit
if [ ! -f "$CERTS_PATH/$2.crt" ] || [ ! -f "$CERTS_PATH/$2.key" ]; then
msg_error "$2.crt does not exist !"
else
echo -e "${ORANGE}$2${NC} will be deleted"
yes_no "Are you sure"
echo -e -n "$2 deleted: "
# * must be outside "..."
rm -f "$CERTS_PATH/${2}"*
check_rc $?
fi
fi
shift 2
;;
-v|--version)
cat << EOF
$(basename "$0") $version Copyright (C) 2003 - $(date +%Y) Gilles Mouchet
EOF
exit
;;
*|-h|--help)
usage
exit
;;
esac
done
}
main "$@"

136
bin/renew-cert.sh Executable file
View File

@ -0,0 +1,136 @@
#!/bin/bash
#############################################################
# Script name: renew-cert.sh
# Author: Gilles Mouchet (gilles.mouchet@gmail.com
# Version: 1.0.0
# Description: Renews certificates that are about to expire
# License: GNU GPL v3
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Changelog
# [1.0.0] - 2026-04-05
# Added:
# - resign cert
# Project initialization:
# - initialization by gilles.mouchet@gmail.com
#
############################################################
version=1.0.0
############################################################
# FUNCTIONS
############################################################
#-----------------------------------------------------------
# Display usage
usage() {
cat << EOF
Usage: ./$(basename "$0") options
Template script
Options:
-n, --cn
Delete the certificates from DB
To find the commonName, use the script ./info-cert.sh -h
-h, --help
Show this help
-v, --version
Show script version
Examples:
Show this help
./$(basename "$0") -h
Delete
EOF
}
############################################################
# MAIN
############################################################
main(){
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
# read library
source "$ROOT_DIR/lib/stdlib.sh"
# init config
init_default
init_env
init_cred
# set color
set_color
# check if script is run with sudo
check_sudo
# check if param exist
if [ -z "$1" ]; then
usage
exit 1
fi
# read cli parameters
while [[ "$#" -gt 0 ]]; do
case "$1" in
-c|--ca-name)
if [[ -z "$2" || "$2" == -* ]]; then
msg_error "\nError: Argument missing for option -c or --ca-name.\n"
usage
exit 1
else
CA_CRT=$2.crt
CA_KEY=$2.key
fi
shift 2
;;
-d|--expire-date)
if [[ -z "$2" || "$2" == -* ]]; then
echo -e "\n${RED}Error: Argument missing for option -d or --expire-date. See ./$(basename "$0") --help${NC}\n"
exit 1
elif [[ "$2" =~ ^[0-9]+$ ]] && [ "$2" -ge 1 ] && [ "$2" -le "$DAYS" ]; then
if [[ ! -f "$CRT_CA_PATH/$CA_CRT" || ! -f "$KEY_CA_PATH/$CA_KEY" ]]; then
msg_error "One or both of the following files are missing:"
msg_warn " - $CRT_CA_PATH/$CA_CRT"
msg_warn " - $KEY_CA_PATH/$CA_KEY"
exit 1
fi
expired_date $2
for certData in "${expireDate[@]}"; do
COMMON_NAME=$(echo $certData | cut -d"|" -f2 )
echo -e "Signing the certificate with the CA..."
openssl x509 -req -in "${CERTS_PATH}/${COMMON_NAME}.csr" \
-CA "$CRT_CA_PATH/$CA_CRT" \
-CAkey "$KEY_CA_PATH/$CA_KEY" \
-CAcreateserial \
-out "${CERTS_PATH}/${COMMON_NAME}.crt" \
-days "$DAYS" \
-extensions req_ext \
-extfile "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" \
-passin pass:$KEY_CA_PASS > /dev/null 2>&1
rc=$?
echo -n -e "Result of signing the ${ORANGE}$COMMON_NAME${NC} certificate: "
check_rc $rc
echo -e ""
done
fi
shift 2
;;
-v|--version)
cat << EOF
$(basename "$0") $version Copyright (C) 2003 - $(date +%Y) Gilles Mouchet
EOF
exit
;;
*|-h|--help)
usage
exit
;;
esac
done
}
main "$@"

102
config/ca-config Normal file
View File

@ -0,0 +1,102 @@
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/dbca/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CH
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Vaud
localityName = Locality Name (eg, city)
localityName_default = Nyon
0.organizationName = Organization Name (eg, company)
0.organizationName_default = GMO Lab (gmolab)
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ITCS (Information Technology and Communications Service)
commonName = Common Name (eg, YOUR name)
commonName_default =
commonName_max = 64
emailAddress = Email Address
emailAddress_default = example@example.com
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

25
config/default.conf
View File

@ -1,16 +1,25 @@
# Enables colorization (true) or disables it (false)
ENABLE_COLOR=true
# Path to config file
CONF_PATH=/etc/own-pki
# Path to certificate files
CERTS_PATH=/var/lib/own-pki/certs
# Path to the certificate authority's private key file
KEY_CA_PATH=/etc/pki/tls/private
KEY_CA_PATH=/var/lib/own-pki/ca/key
# Path to the certificate authority's public key file
CRT_CA_PATH=/etc/pki/tls/certs
CRT_CA_PATH=/var/lib/own-pki/ca/crt
# Path to pki scripts
BIN_PATH=/opt/own-pki
# Enables colorization (true) or disables it (false)
ENABLE_COLOR=true
# Default number of days for the certificate's validity
# This can be overridden with the `-t or --days` option
# when running the script.
DAYS=365
DAYS=375
# Variables to use for create ca-config file
# Country Name (2 letter code)
@ -44,9 +53,3 @@ DEBUG=false
# 0 = Ask confirmation
# 1 = does not ask confirmation
ASSUME_YES=0
# Temp path for certificates files
CERTS_TMP_PATH=/tmp/ca
# Databse
DB_PATH=/var/lib/own-pki/certificates.db

30
config/own-pki.conf
View File

@ -1,12 +1,6 @@
# Enables colorization (true) or disables it (false)
#ENABLE_COLOR=true
# Path to the certificate authority's private key file
#KEY_CA_PATH=/etc/pki/tls/private
# Path to the certificate authority's public key file
#CRT_CA_PATH=/etc/pki/tls/certs
# Default number of days for the certificate's validity
# This can be overridden with the `-t or --days` option
# when running the script.
@ -35,5 +29,25 @@
# Email address
#EMAIL_ADDRESS=example@example.com
# Temp path for certificates files
#CERTS_TMP_PATH=/tmp/ca
# Debug
# false = debug inactive
# true = debug active
#DEBUG=false
# Automatically answers yes to the questions
# 0 = Ask confirmation
# 1 = does not ask confirmation
#ASSUME_YES=0
# If you change a path below, you must run 'sudo ./install.sh --reload-conf'.
# Path to certificate files
#CERTS_PATH=/var/lib/own-pki/certs
# Path to the certificate authority's private key file
#KEY_CA_PATH=/var/lib/ca/key
# Path to the certificate authority's public key file
#CRT_CA_PATH=/var/lib/ca/crt
# Path to pki scripts
#BIN_PATH=/opt/own-pki

0
lib/.gitkeep
View File

2
lib/check-rc.sh → lib/check-rc.sh-old
View File

@ -1,6 +1,6 @@
# check if run from script
[[ "${BASH_SOURCE[0]}" == "${0}" ]] && exit 1
#------------------------------------------------------------------------------
check_rc(){
if [ "$1" != "0" ]; then
msg_error "Error (RC:$rc)"

86
lib/core.sh
View File

@ -1,13 +1,14 @@
# check if run from script
[[ "${BASH_SOURCE[0]}" == "${0}" ]] && exit 1
#------------------------------------------------------------------------------
# read default param
init_default(){
# read default conf file
DEFAULT_CONF="${ROOT_DIR}/config/default.conf"
[[ -f "$DEFAULT_CONF" ]] && source "$DEFAULT_CONF"
}
#------------------------------------------------------------------------------
# read param from config file
init_env() {
# read config file
CONFIG_FILE="/etc/own-pki/own-pki.conf"
@ -20,7 +21,16 @@ init_env() {
out_tmp=$(mktemp)
err_tmp=$(mktemp)
}
#------------------------------------------------------------------------------
# read credential from /root/.cred file
init_cred(){
CRED_FILE=/root/.cred
[[ -f "$CRED_FILE" ]] && source "$CRED_FILE"|| msg_error "File ${ORANGE}$CRED_FILE${RED} missing.${NC}"
}
#------------------------------------------------------------------------------
# clean string
# input: string to clean
# output: string cleaned
clean_string() {
echo "$1" | \
# translate special chars to closest ASCII (e.g., 'é' -> 'e')
@ -34,7 +44,26 @@ clean_string() {
# remove underscores at the beginning or end
sed -E 's/^_|_$//g'
}
#------------------------------------------------------------------------------
# check format fqdn
# input: fqdn to check
check_format_fqdn(){
if [[ ! "$1" =~ ^([a-z0-9]+(-[a-z0-9]+)*\.){2,}[a-z]{2,}$ ]]; then
msg_error "\n$1 is not a fqdn valid.\n"
exit 1
fi
}
#------------------------------------------------------------------------------
# check format ip address
# input: ip address to check
check_format_ip(){
if [[ ! "$1" =~ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ ]]; then
msg_error "\n$1 is not an address IP valid.\n"
exit 1
fi
}
#------------------------------------------------------------------------------
# check if the user has sudo privileges and ensure that the script runs with sudo.
check_sudo(){
# check if user has sudo rigth
if sudo ! -n true 2>/dev/null; then
@ -47,5 +76,50 @@ check_sudo(){
msg_error "\nThis script must be run as root or with sudo.\n"
exit 1
fi
}
#------------------------------------------------------------------------------
# check the return code
check_rc(){
if [ "$1" != "0" ]; then
msg_error "Error (RC:$rc)"
exit 1
else
msg_ok "OK"
fi
}
#-----------------------------------------------------------
# set colors
# RED Error
# ORANGE Attention or color for parameters when
# confirmation
# CYAN Ask to user or display a data
# GREEN OK
set_color(){
if [[ "$ENABLE_COLOR" == "true" ]]; then
RED='\e[0;31m'
ORANGE='\e[0;33m'
CYAN='\e[0;36m'
GREEN='\e[0;32m'
NC='\e[0m'
else
RED=''
ORANGE=''
CYAN=''
GREEN=''
NC=''
fi
}
#-----------------------------------------------------------
# ask question yes or no
# input: prompt
yes_no(){
if [ "$ASSUME_YES" == "0" ]; then
echo -n -e "${CYAN}$1 [y/N]? ${NC}"
unset answer
read answer
if [ "${answer}" != "y" ]; then
echo -e "${ORANGE}Canceled!${NC}"
exit 1
fi
fi
}

55
lib/expired-date.sh Normal file
View File

@ -0,0 +1,55 @@
# check if run from script
[[ "${BASH_SOURCE[0]}" == "${0}" ]] && exit 1
#------------------------------------------------------------------------------
# this funtcion return the expireDate array with
# data daysLeft|cn|exp
expired_date(){
nbrDays=$1
# set tmp file
tmpFile=$(mktemp)
# set date now in timestamp Unix
# timesatmp Unix = number of seconds elapsed
# since January 1, 1970 at 00:00:00 UTC (called epoch)
now=$(date -u +%s)
# test expired cert
#today=$(date +%s)
#now=$((today + 7*24*60*60)) # today +7 days
# read file list
certList=()
# set - if no .crt → files=() (empty)
shopt -s nullglob
certList=($CERTS_PATH/*.crt)
shopt -u nullglob
if [ "${#certList[@]}" -gt "0" ]; then
for crtFile in "${certList[@]}"; do
# set data from certfificate
cn=$(openssl x509 -noout -subject -in $crtFile | cut -d"=" -f3)
expiration=$(openssl x509 -noout -in $crtFile -enddate | cut -d"=" -f2)
# convert in timestamp Unix
exp=$(date -u -d "$expiration" +%s)
diffSec=$((exp - now))
daysLeft=$(( (diffSec + 86399) / 86400 ))
# write in tmpfile valide cert
if [ "$exp" -ge "$now" ] && [ "$daysLeft" -le "$nbrDays" ]; then
echo "$daysLeft|$cn|$expiration" >> "$tmpFile"
fi
# write in tmpfile expired cert
if [ "$exp" -lt "$now" ]; then
echo "$daysLeft|$cn|$expiration" >> "$tmpFile"
fi
done
fi
# put the content tmpfile in sorted array
expireDate=()
while IFS='|' read -r daysLeft cn exp; do
expireDate+=("$daysLeft|$cn|$exp")
done < <(sort -n "$tmpFile")
# delete tmpfile
rm -rf tmpFile
}

2
lib/set-color.sh → lib/set-color.sh-old
View File

@ -6,7 +6,7 @@
# RED Error
# ORANGE Attention or color for parameters when
# confirmation
# CYAN Ask to useer
# CYAN Ask to user or display a data
# GREEN OK
set_color(){
if [[ "$ENABLE_COLOR" == "true" ]]; then

7
lib/stdlib.sh
View File

@ -5,7 +5,8 @@ ROOT_DIR="$(dirname "$SCRIPT_DIR")"
#source "$ROOT_DIR/lib/log.sh"
#source "$ROOT_DIR/lib/error.sh"
source "$ROOT_DIR/lib/core.sh"
source "$ROOT_DIR/lib/set-color.sh"
#source "$ROOT_DIR/lib/set-color.sh"
source "$ROOT_DIR/lib/message.sh"
source "$ROOT_DIR/lib/check-rc.sh"
source "$ROOT_DIR/lib/yes-no.sh"
#source "$ROOT_DIR/lib/check-rc.sh"
#source "$ROOT_DIR/lib/yes-no.sh"
source "$ROOT_DIR/lib/expired-date.sh"

0
lib/yes-no.sh → lib/yes-no.sh-old
View File