adding intermediate CA signing capability.

2024-10-08 05:49:05 +00:00
parent 5c89e73128
commit 42b40660ce
4 changed files with 34 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 *.key
 *.crt
 *.pem
+*.csr
+*.srl
--- a/issue-root.sh
+++ b/issue-root.sh
@@ -1,7 +1,5 @@
 #!/bin/sh

-ECDSA_OPTS="-newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -sha384"
-

 while getopts ":ht:d:n:s:" opt; do
  case $opt in
--- a/pki.cnf
+++ b/pki.cnf
@@ -0,0 +1,5 @@
+[v3_intermediate_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
--- a/sign-inter.sh
+++ b/sign-inter.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+
+while getopts ":hn:a:d:" opt; do
+  case $opt in
+    h)
+      echo "Usage:  -n <name> -a <CA authority> -d <days>"
+      exit 0
+      ;;
+    n)
+      NAME_OPT=(-in "$OPTARG".csr -out "$OPTARG".crt)
+      ;;
+    a)
+      AUTHORITY_OPT=(-CA $OPTARG.crt -CAkey $OPTARG.key)
+      ;;
+    d)
+      DAYS_OPT="-days $OPTARG"
+      ;;
+    \?)
+      echo "Invalid option: -$OPTARG" >&2
+      exit 1
+      ;;
+  esac
+done
+
+openssl x509 -req -sha256 $DAYS_OPT "${NAME_OPT[@]}" "${AUTHORITY_OPT[@]}" -extfile pki.cnf -extensions v3_intermediate_ca