author | B. Stack <bgstack15@gmail.com> | 2024-09-20 11:05:59 -0400 |
---|---|---|
committer | B. Stack <bgstack15@gmail.com> | 2024-09-20 11:05:59 -0400 |
commit | b6e76312314011caea71b76db54732ead2c260f7 (patch) | |
tree | b34e08b625c4b3854df4ec7fa204436e1f99f4a6 | |
parent | initial commit (diff) | |
-rw-r--r-- | README.md | 2 | ||||
-rwxr-xr-x | cepceslib.sh | 19 |
2 files changed, 13 insertions, 8 deletions
@@ -26,7 +26,7 @@ The purpose of Certificate Enrollment Service is to enroll certificates.
 ### Example CES input
 Save a WebServer certificate down to example.key and example.pem. Note that by default the CERTFILE will contain the entire certificate chain, with the root first and leaf last.
- CESURL="https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES" KEYFILE=example.key CSRFILE=example.csr CESPASSWORDFILE=~/.config/user1 CESUSER=sa839 CERTFILE=example.pem TEMPLATE="WebServer" ./cepceslib.sh use_ces
+ CESURL="https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES" KEYFILE=example.key CSRFILE=example.csr CESPASSWORDFILE=~/.config/user1 CESUSER=sa839 CERTFILE=example.pem TEMPLATE="WebServer" CN="example1.example.com" SANS="san1.example.com,san2.example.com" ./cepceslib.sh use_ces
 ### Example CES output
 None. The certificate chain is stored in `CERTFILE`, and the key is stored in `KEYFILE`.
diff --git a/cepceslib.sh b/cepceslib.sh
index b461c1a..4a10b71 100755
--- a/cepceslib.sh
+++ b/cepceslib.sh
@@ -18,14 +18,17 @@
 # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xcep/3642fda9-8de2-417a-adad-9d368ffe8fc2
 # https://medium.com/@fmcalbuquerque/python-elementtree-xml-api-with-dynamic-namespaces-171d9c9f391e
 # Improve:
-# use env vars for CN and SANs
+# Use IP.1 if a SAN is an ip address
 # Dependencies:
 # openssl, python3
 # Documentation: README.md
 gen_csr() {
- # input env vars: KEYFILE, CSRFILE, TEMPLATE
+ # input env vars: KEYFILE, CSRFILE, TEMPLATE, CN, SANS
 _cnf="$( mktemp )"
+ _cn="${CN:-$( hostname -f )}"
+ _san="${SANS:-$( hostname -s )}"
+ _san_list="$( echo "${_san}" | tr ',' '\n' | grep -E '.' | awk '{gsub("^","DNS."NR+1" = ",$0);print;}' )"
 cat >"${_cnf}" <<EOFCONF
 oid_section = new_oids
 [ req ]
@@ -45,7 +48,7 @@ ST = New York
 L = New York
 O = Example Organization
 # Important value
-CN = $( hostname -f )
+CN = ${_cn}
 #emailAddress = noreply@example.com
 [ req_ext ]
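Review bot: In the `@@ -18,14 +18,17 @@` hunk, `_cn` and `_san` are taken from the CN and SANS environment variables and, apart from the comma split and the `grep -E '.'` empty-entry filter, reach the unquoted `EOFCONF` heredoc unchecked — `CN = ${_cn}` in the `@@ -45,7 +48,7 @@` hunk and `DNS.1 = ${_cn}` / `${_san_list}` in the `@@ -56,8 +59,8 @@` hunk — so a value containing a newline, `=` or `[` is written into the openssl config as further directives rather than as a name. A one-line allowlist check before the heredoc keeps malformed names out of the CSR: `case "${_cn},${_san}" in *[!A-Za-z0-9.*,-]*) printf 'invalid CN/SANS\n' >&2; return 1 ;; esac`. The `echo "${_san}"` stage would also be safer as `printf '%s\n' "${_san}"`, since echo interprets a value that begins with `-`. gen_csr continues past the hunk.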
@@ -56,8 +59,8 @@ certificateTemplateName = ASN1:UTF8STRING:${TEMPLATE}
 [ alt_names ]
 # Important value
-DNS.1 = $( hostname -f )
-DNS.2 = $( hostname -s )
+DNS.1 = ${_cn}
+${_san_list}
 EOFCONF
 # generate the csr
 openssl req -config "${_cnf}" -new -key "${KEYFILE}" -out "${CSRFILE}"
@@ -104,7 +107,8 @@ EOFCES
 submit_ces_request() {
 # input env vars: CESURL, CESFILE
 # -k for irony
- curl --silent \
+ curl ${VERBOSE:+--verbose} \
+ --silent \
 "${CESURL}" \
 -H "Content-Type: application/soap+xml" \
 -X POST \
@@ -200,7 +204,8 @@ EOFCEP
 submit_cep_request() {
 # input env vars: CEPURL, CEPFILE
- curl --silent \
+ curl ${VERBOSE:+--verbose} \
+ --silent \
 "${CEPURL}" \
 -H "Content-Type: application/soap+xml; charset=utf-8" \
 -X POST \
 |
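Review bot: `${VERBOSE:+--verbose}` in the `@@ -104,7 +107,8 @@` hunk (and the identical addition in `@@ -200,7 +204,8 @@`) makes curl write the full request and response headers to stderr, and this is the UsernamePassword CES endpoint that the README example drives with CESUSER and CESPASSWORDFILE; if the credential travels in a request header (the options that would show this are outside the hunk), setting VERBOSE leaves it in any captured stderr. The toggle deserves a comment saying so, e.g. `# VERBOSE=1 adds --verbose: request/response headers go to stderr, so avoid it where stderr is logged`. The expansion is unquoted but can only ever produce the literal `--verbose`, so that is fine; the flag, `--silent` and the header setup are now repeated verbatim in both functions, and one shared option list would keep the two call sites aligned. submit_ces_request's body continues outside the hunk.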