scripts/own-pki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dev #20260427

Browse Source
This commit is contained in:
Gilles Mouchet 2026-04-27 20:13:34 +02:00
parent ecdd05c0d1
commit 8cc4035fa7
4 changed files with 248 additions and 163 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1 +0,0 @@
tests

2
bin/info-cert.sh
View File

@ -202,7 +202,7 @@ main(){
echo -e "${color}$cn expires in $daysLeft days ($expDate)${NC}" echo -e "${color}$cn expires in $daysLeft days ($expDate)${NC}"
done done
else else
echo -e "\n${RED}The number of days must be between 1 and $days. See ./$(basename "$0") --help${NC}\n" echo -e "\n${RED}The number of days must be between 1 and $DAYS. See ./$(basename "$0") --help${NC}\n"
fi fi
shift 2 shift 2
;; ;;

161
bin/random-cert.sh
View File

@ -1,161 +0,0 @@
#/bin/bash
generate_cert() {
local CA_CRT=""
local CA_KEY=""
local COMMON_NAME=""
local DAYS="$DAYS"
local DNS=()
local IP_ADDRS=()
# parsing arguments
while [[ $# -gt 0 ]]; do
case "$1" in
-c) CA_CRT=$2.crt; CA_KEY=$2.key ;shift 2 ;;
-n) COMMON_NAME="$2"; shift 2 ;;
-d) DNS_LINE="$COMMON_NAME,$2"; shift 2 ;;
-i) IP_ADDRS_LINE=("$2"); shift 2 ;;
-t) DAYS="$2"; shift 2 ;;
*) echo "Option inconnue: $1"; return 1 ;;
esac
done
IFS=',' read -r -a IP_ADDRS <<< "$IP_ADDRS_LINE"
IFS=',' read -r -a DNS <<< "$DNS_LINE"
if [ "${#DNS[@]}" -eq 0 ]; then
DNS+="$COMMON_NAME"
fi
cat > "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
CN = $COMMON_NAME
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
EOF
# Add san dns"
idns=1
for SAN_DNS in "${DNS[@]}"; do
echo "DNS.$idns = $SAN_DNS" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
((idns++))
done
# add san ip
iip=1
for SAN_IP in "${IP_ADDRS[@]}"; do
echo "IP.$iip = $SAN_IP" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
((iip++))
done
# create certificate
echo -e "Generating the private key..."
openssl genrsa -out "${CERTS_PATH}/${COMMON_NAME}.key" 4096
echo -e "Generating csr file..."
openssl req -new -key "${CERTS_PATH}/${COMMON_NAME}.key" -out "${CERTS_PATH}/${COMMON_NAME}.csr" -config "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
echo -e "Signing the certificate with the CA..."
openssl x509 -req -in "${CERTS_PATH}/${COMMON_NAME}.csr" \
-CA "$CRT_CA_PATH/$CA_CRT" -CAkey "$KEY_CA_PATH/$CA_KEY" -CAcreateserial \
-out "${CERTS_PATH}/${COMMON_NAME}.crt" -days "$DAYS" \
-extensions req_ext -extfile "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" \
-passin pass:pa55w0rd \
> /dev/null 2>&1
rc=$?
echo -n "Result of certificate signing: "
check_rc $rc
}
# Fonction pour générer un FQDN
gen_fqdn() {
local sub_len=$((RANDOM % 8 + 3))
local name_len=$((RANDOM % 13 + 3))
local sub=$(tr -dc 'a-z0-9' </dev/urandom | fold -w "$sub_len" | head -n 1)
local name=$(tr -dc 'a-z0-9' </dev/urandom | fold -w "$name_len" | head -n 1)
local tld=("com" "net" "org" "io" "ch" "fr")
echo "${sub}.${name}.${tld[$((RANDOM % ${#tld[@]}))]}"
}
# Fonction IP
gen_ip() {
echo "$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256))"
}
# Liste (fqdn ou ip)
gen_list() {
local type=$1
local count=$((RANDOM % 3 + 3))
local list=""
for ((i=0; i<count; i++)); do
local item
[[ "$type" == "fqdn" ]] && item=$(gen_fqdn) || item=$(gen_ip)
list+="$item"
[[ $i -lt $((count-1)) ]] && list+=","
done
echo "$list"
}
############################################################
# MAIN
############################################################
main(){
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
# read library
source "$ROOT_DIR/lib/stdlib.sh"
# init config
init_default
init_env
# set color
set_color
# check if script is run with sudo
check_sudo
echo "Début de la génération..."
for ((i=1; i<=10; i++)); do
args=()
fqdn=$(gen_fqdn)
# -d (50%)
if (( RANDOM % 2 )); then
args+=("-d" "$(gen_list fqdn)")
fi
# -i (50%)
if (( RANDOM % 2 )); then
args+=("-i" "$(gen_list ip)")
fi
# -t (50%)
if (( RANDOM % 2 )); then
args+=("-t" "$((RANDOM % $DAYS + 1))")
fi
echo "[$i/5] generate_cert -c gmolab_ca -n $fqdn ${args[*]}"
# Appel direct
generate_cert -c "gmolab_ca" -n "$fqdn" "${args[@]}"
# generate_cert -c gmolab_ca -n vwiy3rv1ui.6zghdqm1p8cj.io -d u0ba3i5rt.asfsdvrmf8iiltd.org,0sit366.w47txhyg.io,4ulkpy6.v39762sriaiy.com,zvw3o0ovee.gqv50o6ge6.io,a57v0x.rs8.net -i 161.21.147.75,81.67.128.79,81.54.192.190,95.116.177.195,13.111.172.161
done
echo "Génération terminée avec succès."
}
main "$@"

247
tests/random-cert.sh Executable file
View File

@ -0,0 +1,247 @@
#/bin/bash
version=1.0.0
usage() {
cat << EOF
Usage: sudo ./$(basename "$0") options
Template script
Options:
-g, --generate <number_of_iterations>
Generate certificat
-p, --purge
Remove all tests certificates
-h, --help
Show this help
-v, --version
Show script version
EOF
}
create_tempo_ca(){
if [ ! -f "${CRT_CA_PATH}/${CA_CRT}" ]; then
echo "Creation of a temporary CA"
SUBJ="/C=CH/ST=Vaud/L=Nyon/O=GMOLab/OU=IT/CN=TempoCA"
# generating the CA private key
openssl genrsa \
-aes256 \
-passout pass:pa55w0rd \
-out $KEY_CA_PATH/$CA_KEY \
4096
chmod 400 $KEY_CA_PATH/$CA_KEY
# generating the CA public key
openssl req -x509 \
-new \
-key $KEY_CA_PATH/$CA_KEY \
-passin pass:pa55w0rd \
-sha256 \
-days 3650 \
-out $CRT_CA_PATH/$CA_CRT \
-subj "$SUBJ"
chmod 444 $CRT_CA_PATH/$CA_CRT
fi
}
generate_cert() {
local CA_CRT=""
local CA_KEY=""
local COMMON_NAME=""
local DAYS="$DAYS"
local DNS=()
local IP_ADDRS=()
# parsing arguments
while [[ $# -gt 0 ]]; do
case "$1" in
-c) CA_CRT=$2.crt; CA_KEY=$2.key ;shift 2 ;;
-n) COMMON_NAME="$2"; shift 2 ;;
-d) DNS_LINE="$COMMON_NAME,$2"; shift 2 ;;
-i) IP_ADDRS_LINE=("$2"); shift 2 ;;
-t) DAYS="$2"; shift 2 ;;
*) echo "Option inconnue: $1"; return 1 ;;
esac
done
IFS=',' read -r -a IP_ADDRS <<< "$IP_ADDRS_LINE"
IFS=',' read -r -a DNS <<< "$DNS_LINE"
if [ "${#DNS[@]}" -eq 0 ]; then
DNS+="$COMMON_NAME"
fi
cat > "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
CN = $COMMON_NAME
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
EOF
# Add san dns"
idns=1
for SAN_DNS in "${DNS[@]}"; do
echo "DNS.$idns = $SAN_DNS" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
((idns++))
done
# add san ip
iip=1
for SAN_IP in "${IP_ADDRS[@]}"; do
echo "IP.$iip = $SAN_IP" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
((iip++))
done
# create certificate
echo -e "Generating the private key..."
openssl genrsa -out "${CERTS_PATH}/${COMMON_NAME}.key" 4096
echo -e "Generating csr file..."
openssl req -new -key "${CERTS_PATH}/${COMMON_NAME}.key" -out "${CERTS_PATH}/${COMMON_NAME}.csr" -config "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
echo -e "Signing the certificate with the CA..."
openssl x509 -req -in "${CERTS_PATH}/${COMMON_NAME}.csr" \
-CA "$CRT_CA_PATH/$CA_CRT" -CAkey "$KEY_CA_PATH/$CA_KEY" -CAcreateserial \
-out "${CERTS_PATH}/${COMMON_NAME}.crt" -days "$DAYS" \
-extensions req_ext -extfile "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" \
-passin pass:pa55w0rd \
> /dev/null 2>&1
rc=$?
echo -n "Result of certificate signing: "
check_rc $rc
}
# Fonction pour générer un FQDN
gen_fqdn() {
local sub_len=$((RANDOM % 8 + 3))
local name_len=$((RANDOM % 13 + 3))
local sub=$(tr -dc 'a-z0-9' </dev/urandom | fold -w "$sub_len" | head -n 1)
local name=$(tr -dc 'a-z0-9' </dev/urandom | fold -w "$name_len" | head -n 1)
local tld=("com" "net" "org" "io" "ch" "fr")
echo "tempo-${sub}.${name}.${tld[$((RANDOM % ${#tld[@]}))]}"
}
# Fonction IP
gen_ip() {
echo "$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256))"
}
# Liste (fqdn ou ip)
gen_list() {
local type=$1
local count=$((RANDOM % 3 + 3))
local list=""
for ((i=0; i<count; i++)); do
local item
[[ "$type" == "fqdn" ]] && item=$(gen_fqdn) || item=$(gen_ip)
list+="$item"
[[ $i -lt $((count-1)) ]] && list+=","
done
echo "$list"
}
############################################################
# MAIN
############################################################
main(){
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
NAME_CA="tempo_ca"
CA_CRT="${NAME_CA}.crt"
CA_KEY="${NAME_CA}.key"
# read library
source "$ROOT_DIR/lib/stdlib.sh"
# check if param exist
if [ -z "$1" ]; then
usage
exit 1
fi
# init config
init_default
init_env
# set color
set_color
# check if script is run with sudo
check_sudo
while [[ "$#" -gt 0 ]]; do
case "$1" in
-g|--generate )
# check if param $2 exist
if [ -z "$2" ]; then
echo -e "\n${RED}Error: Argument missing for option -g or --generate${NC}\n"
usage
exit 1
elif [[ "$2" =~ ^[0-9]+$ ]] && [ "$2" -ge 1 ] && [ "$2" -le "500" ]; then
create_tempo_ca
for ((i=1; i<=$2; i++)); do
args=()
fqdn=$(gen_fqdn)
# -d (50%)
if (( RANDOM % 2 )); then
args+=("-d" "$(gen_list fqdn)")
fi
# -i (50%)
if (( RANDOM % 2 )); then
args+=("-i" "$(gen_list ip)")
fi
# -t (50%)
if (( RANDOM % 2 )); then
args+=("-t" "$((RANDOM % $DAYS + 1))")
fi
echo "[$i/$2] generate_cert -c tempo_ca -n $fqdn ${args[*]}"
# Appel direct
generate_cert -c "tempo_ca" -n "$fqdn" "${args[@]}"
# generate_cert -c gmolab_ca -n vwiy3rv1ui.6zghdqm1p8cj.io -d u0ba3i5rt.asfsdvrmf8iiltd.org,0sit366.w47txhyg.io,4ulkpy6.v39762sriaiy.com,zvw3o0ovee.gqv50o6ge6.io,a57v0x.rs8.net -i 161.21.147.75,81.67.128.79,81.54.192.190,95.116.177.195,13.111.172.161
done
fi
shift 2
;;
-p|purge)
yes_no "Are you sure to delete all tempo certificates"
rm -rf "${CERTS_PATH}/tempo-"*
rm -rf "${CRT_CA_PATH}/${CA_CRT}"
rm -rf "${CRT_CA_PATH}/${NAME_CA}.srl"
rm -rf "${KEY_CA_PATH}/${CA_KEY}"
shift
;;
-v|--version)
cat << EOF
$(basename "$0") $version Copyright (C) 2003 - $(date +%Y) Gilles Mouchet
EOF
exit
;;
*|-h|--help)
usage
exit
;;
esac
done
}
main "$@"