From 99baed15169b837043fad34e981665a76b589fec Mon Sep 17 00:00:00 2001
From: dandds
Date: Tue, 6 Nov 2018 10:05:35 -0500
Subject: [PATCH 1/3] script for generating user test certs for PIVKey cards
---
.gitignore | 3 +++
script/make-test-cac | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100755 script/make-test-cac
diff --git a/.gitignore b/.gitignore
index 58193f90..e161f040 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,6 +39,9 @@ config/dev.ini /crl-tmp *.bk
+# test CA config
+ssl/client-certs/*.srl
+ # uploads /uploads
diff --git a/script/make-test-cac b/script/make-test-cac
new file mode 100755
index 00000000..0f8b3147
--- /dev/null
+++ b/script/make-test-cac
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# script/make-test-cac: Set up a test CAC card.
+# Usage:
+# ./script/make-test-cac [DOD identifier string] [user email] [certificate name]
+# i.e.:
+# ./script/make-text-cac JONES.ANDY.1234567890 andy@example.com andy
+# The script will output 3 files:
+# 1. The certificate (crt) file (for reference)
+# 2. The certificate key (key) file (also for reference)
+# 3. The PFX file, which is the package file that needs to be loaded on the PIVKey brand card
+set -e
+
+SAN="subjectAltName=email:$2"
+
+CSR=$(openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -sha256 \
+ -nodes \
+ -days 365 \
+ -subj "/CN=$1" \
+ -reqexts SAN \
+ -config <(cat /etc/ssl/openssl.cnf; echo '[SAN]'; echo $SAN) \
+ -keyout $3.key )
+
+openssl x509 \
+ -req \
+ -in <(echo "$CSR") \
+ -CA "ssl/client-certs/client-ca.crt" \
+ -CAkey "ssl/client-certs/client-ca.key" \
+ -CAcreateserial \
+ -extensions SAN \
+ -extfile <(cat /etc/ssl/openssl.cnf; echo '[SAN]'; echo $SAN) \
+ -out $3.crt
+
+openssl pkcs12 -passout pass: -export -out $3.pfx -inkey $3.key -in $3.crt
+
+echo "Generated files:"
+echo " CERT: $3.crt"
+echo " KEY: $3.key"
+echo " PFX: $3.pfx"
From fd83a01cf7afd1975af749d57f02fc4c565535f7 Mon Sep 17 00:00:00 2001
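Review bot: The new script reads `$1`, `$2` and `$3` with no argument-count check and expands them unquoted (`-keyout $3.key`, `-out $3.crt`, `-out $3.pfx`, `-inkey $3.key`, `echo $SAN`), so a missing or space-containing argument silently yields files named `.key`/`.crt` or a word-split SAN value; add `[[ $# -eq 3 ]] || { echo "usage: $0 <dod-id> <email> <name>" >&2; exit 2; }` right after `set -e` and quote every `"$3.key"`/`"$3.crt"`/`"$3.pfx"` expansion. The email from `$2` is appended unescaped to a copy of the system openssl config through `echo $SAN`, which is acceptable for an operator-driven test helper but `printf '%s\n' "$SAN"` keeps the value on one line and avoids echo's option parsing. The `.gitignore` hunk in this commit only ignores `*.srl`, while the unencrypted key (`-nodes`) and the PFX exported with an empty password (`-passout pass:`) land in the current directory, so they are easy to commit by accident; either ignore the generated `*.key`/`*.pfx` files or write them into a directory that is already ignored.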
From: dandds
Date: Tue, 6 Nov 2018 12:06:52 -0500
Subject: [PATCH 2/3] handle key generation differently
---
script/make-test-cac | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/script/make-test-cac b/script/make-test-cac
index 0f8b3147..53f302cb 100755
--- a/script/make-test-cac
+++ b/script/make-test-cac
@@ -13,20 +13,20 @@ set -e SAN="subjectAltName=email:$2" +openssl genrsa -out $3.key 2048 + CSR=$(openssl req \ -new \ - -newkey rsa:4096 \ - -sha256 \ -nodes \ - -days 365 \ -subj "/CN=$1" \ -reqexts SAN \ -config <(cat /etc/ssl/openssl.cnf; echo '[SAN]'; echo $SAN) \ - -keyout $3.key ) + -key $3.key ) openssl x509 \ -req \ -in <(echo "$CSR") \ + -days 365 \ -CA "ssl/client-certs/client-ca.crt" \ -CAkey "ssl/client-certs/client-ca.key" \ -CAcreateserial \
From ad49b6606a3fe60696021950f3f592d878478513 Mon Sep 17 00:00:00 2001
From: dandds
Date: Tue, 6 Nov 2018 13:59:12 -0500
Subject: [PATCH 3/3] fix typo and update make-test-cac script description
---
script/make-test-cac | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/script/make-test-cac b/script/make-test-cac
index 53f302cb..73c512cd 100755
--- a/script/make-test-cac
+++ b/script/make-test-cac
@@ -2,9 +2,9 @@ # script/make-test-cac: Set up a test CAC card. # Usage: -# ./script/make-test-cac [DOD identifier string] [user email] [certificate name] +# ./script/make-test-cac [DOD identifier string] [user email] [output name] # i.e.: -# ./script/make-text-cac JONES.ANDY.1234567890 andy@example.com andy +# ./script/make-test-cac JONES.ANDY.1234567890 andy@example.com andy # The script will output 3 files: # 1. The certificate (crt) file (for reference) # 2. The certificate key (key) file (also for reference)
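Review bot: Dropping `-sha256` from the `openssl req` call without adding it to the `openssl x509 -req` signing step leaves the digest of the issued certificate to whatever the local OpenSSL defaults to, which on releases before 1.1.0 is presumably SHA-1; add `  -sha256 \` directly under `  -req \` in the `openssl x509` invocation so the test certs are signed with a fixed digest on every developer machine. The new `openssl genrsa -out $3.key 2048` line keeps the unquoted output name; `openssl genrsa -out "$3.key" 2048` avoids word-splitting and globbing on `$3`. `-nodes` is still passed to `openssl req`, but it has no effect now that the key is supplied with `-key`, so it can be removed to avoid suggesting the CSR step still generates a key. The third patch in the series only edits the usage comment and needs no further note.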