slawek/simple-ca
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance CA functions and testing script with improved error handling and verification steps

Browse Source
This commit is contained in:
Sławek Koszewski
2026-03-04 08:01:06 +01:00
parent 75b0e26e63
commit 79ac590ba6
2 changed files with 207 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

146
cert-functions.sh Normal file → Executable file
View File

@@ -1,29 +1,107 @@
function make_ca() {
# Use the provided directory argument or default to AZURITE_DIR if not provided
local CERT_DIR="$1"
local CA_NAME="$2"
local CA_DAYS=3650 # Default validity period for CA certificates
if [[ -z "$CERT_DIR" || -z "$CA_NAME" || ! -d "$CERT_DIR" ]]; then
echo "ERROR: Certificate directory $CERT_DIR does not exist."
# CA defaults to the main CA if not specified, but can be overridden with --issuing-ca
local CA_FILE_PREFIX="ca"
local PATHLEN=0
while [[ $# -gt 0 ]]; do
case "$1" in
--days)
if [[ -z "$2" || ! "$2" =~ ^[0-9]+$ ]]; then
echo "ERROR: Invalid value for --days. Must be a positive integer." >&2
return 1
fi
CA_DAYS="$2"
shift 2
;;
--issuing-ca)
if [[ -z "$2" ]]; then
echo "ERROR: Missing value for --issuing-ca." >&2
return 1
fi
if [[ "$2" == "ca" ]]; then
echo "ERROR: --issuing-ca cannot be 'ca' as it is reserved for the root CA." >&2
return 1
fi
CA_FILE_PREFIX="$2"
shift 2
;;
--path-len)
if [[ -z "$2" || ! "$2" =~ ^[0-9]+$ ]]; then
echo "ERROR: Invalid value for --path-len. Must be a non-negative integer." >&2
return 1
fi
PATHLEN="$2"
shift 2
;;
*)
break
;;
esac
done
# Use the provided directory argument
local CA_DIR="$1"
local CA_NAME="$2"
shift 2
if [[ -z "$CA_DIR" || -z "$CA_NAME" || ! -d "$CA_DIR" ]]; then
echo "ERROR: Certificate directory $CA_DIR does not exist."
return 1
fi
local ROOT_CA_CERT="ca_cert.pem"
local ROOT_CA_KEY="ca_key.pem"
local CA_CERT="${CA_FILE_PREFIX}_cert.pem"
local CA_KEY="${CA_FILE_PREFIX}_key.pem"
# Generate CA certificate and key if they don't exist
if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then
if [[ ! -f "$CA_DIR/$ROOT_CA_CERT" || ! -f "$CA_DIR/$ROOT_CA_KEY" ]]; then
# Check, if the user requested a non-root CA without an existing root CA, which is not possible.
if [[ "$ROOT_CA_CERT" != "$CA_CERT" ]]; then
echo "ERROR: Cannot create issuing CA '$CA_NAME' without existing root CA certificate and key. Please create the root CA first." >&2
return 1
fi
echo "Generating CA certificate '$CA_NAME' and key..."
if ! openssl req \
-quiet \
-x509 \
-newkey rsa:4096 \
-keyout "$CERT_DIR/ca_key.pem" \
-out "$CERT_DIR/ca_cert.pem" \
-days 3650 \
-nodes \
-keyout "$CA_DIR/$ROOT_CA_KEY" \
-out "$CA_DIR/$ROOT_CA_CERT" \
-days "$CA_DAYS" \
-noenc \
-subj "/CN=${CA_NAME}" \
-text \
-addext "basicConstraints=critical,CA:TRUE,pathlen:0"; then
-addext "basicConstraints=critical,CA:TRUE,pathlen:${PATHLEN}"; then
echo "ERROR: Failed to generate CA certificate and key." >&2
return 1
fi
return 0
fi
if [[ ! -f "$CA_DIR/$CA_CERT" || ! -f "$CA_DIR/$CA_KEY" ]]; then
echo "Generating issuing CA certificate '$CA_NAME' and key..."
if ! openssl req \
-quiet \
-newkey rsa:4096 \
-keyout "$CA_DIR/${CA_KEY}" \
-noenc \
-subj "/CN=${CA_NAME}" \
-addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
| openssl x509 \
-req \
-CA "$CA_DIR/$ROOT_CA_CERT" \
-CAkey "$CA_DIR/$ROOT_CA_KEY" \
-copy_extensions copyall \
-days "$CA_DAYS" \
-text \
-out "$CA_DIR/${CA_CERT}"; then
echo "ERROR: Failed to generate issuing CA certificate and key." >&2
return 1
fi
fi
return 0
@@ -46,10 +124,42 @@ function _is_dns() {
}
function make_server_cert() {
local CA_FILE_PREFIX="ca" # Default to CA if no issuing CA is used
local CERT_DAYS=365 # Default validity period for leaf certificates
while [[ $# -gt 0 ]]; do
case "$1" in
--issuing-ca)
if [[ -z "$2" ]]; then
echo "ERROR: Missing value for --issuing-ca." >&2
return 1
fi
if [[ "$2" == "ca" ]]; then
echo "ERROR: --issuing-ca cannot be 'ca' as it is reserved for the root CA." >&2
return 1
fi
CA_FILE_PREFIX="$2"
shift 2
;;
--days)
if [[ -z "$2" || ! "$2" =~ ^[0-9]+$ ]]; then
echo "ERROR: Invalid value for --days. Must be a positive integer." >&2
return 1
fi
CERT_DAYS="$2"
shift 2
;;
*) break ;;
esac
done
local CERT_DIR="$1"
local CERT_SUBJECT_NAME="$2"
shift 2
local CA_CERT="${CA_FILE_PREFIX}_cert.pem"
local CA_KEY="${CA_FILE_PREFIX}_key.pem"
if [[ -z "$CERT_DIR" || ! -d "$CERT_DIR" ]]; then
echo "ERROR: Certificate directory $CERT_DIR does not exist."
return 1
@@ -65,8 +175,8 @@ function make_server_cert() {
return 1
fi
if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then
echo "ERROR: CA certificate and key not found in $CERT_DIR. Please call make_ca first." >&2
if [[ ! -f "$CERT_DIR/$CA_CERT" || ! -f "$CERT_DIR/$CA_KEY" ]]; then
echo "ERROR: Signing CA certificate and key not found in $CERT_DIR. Please call setup a signing CA first." >&2
return 1
fi
@@ -101,9 +211,10 @@ function make_server_cert() {
if [[ ! -f "$CERT_DIR/${CERT_NAME}_cert.pem" || ! -f "$CERT_DIR/${CERT_NAME}_key.pem" ]]; then
echo "Generating server certificate and key..."
if ! openssl req \
-quiet \
-newkey rsa:4096 \
-keyout "$CERT_DIR/${CERT_NAME}_key.pem" \
-nodes \
-noenc \
-subj "/CN=${CERT_SUBJECT_NAME}" \
-addext "basicConstraints=critical,CA:FALSE" \
-addext "keyUsage=digitalSignature,keyEncipherment" \
@@ -111,11 +222,10 @@ function make_server_cert() {
-addext "$SANS_EXT" \
| openssl x509 \
-req \
-CA "$CERT_DIR/ca_cert.pem" \
-CAkey "$CERT_DIR/ca_key.pem" \
-set_serial "0x$(openssl rand -hex 16)" \
-CA "$CERT_DIR/$CA_CERT" \
-CAkey "$CERT_DIR/$CA_KEY" \
-copy_extensions copyall \
-days 365 \
-days $CERT_DAYS \
-text \
-out "$CERT_DIR/${CERT_NAME}_cert.pem"; then
echo "ERROR: Failed to generate server certificate and key." >&2