atst/script/make-test-cac

43 lines
1.1 KiB
Bash
Executable File

#!/bin/bash
# script/make-test-cac: Set up a test CAC card.
# Usage:
# ./script/make-test-cac [DOD identifier string] [user email] [output name]
# i.e.:
# ./script/make-test-cac JONES.ANDY.1234567890 andy@example.com andy
# The script will output 3 files:
# 1. The certificate (crt) file (for reference)
# 2. The certificate key (key) file (also for reference)
# 3. The PFX file, which is the package file that needs to be loaded on the PIVKey brand card
set -e
SAN="subjectAltName=email:$2"
openssl genrsa -out $3.key 2048
CSR=$(openssl req \
-new \
-nodes \
-subj "/CN=$1" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf; echo '[SAN]'; echo $SAN) \
-key $3.key )
openssl x509 \
-req \
-in <(echo "$CSR") \
-days 365 \
-CA "ssl/client-certs/client-ca.crt" \
-CAkey "ssl/client-certs/client-ca.key" \
-CAcreateserial \
-extensions SAN \
-extfile <(cat /etc/ssl/openssl.cnf; echo '[SAN]'; echo $SAN) \
-out $3.crt
openssl pkcs12 -passout pass: -export -out $3.pfx -inkey $3.key -in $3.crt
echo "Generated files:"
echo " CERT: $3.crt"
echo " KEY: $3.key"
echo " PFX: $3.pfx"