-rw-r--r--README.md2
-rwxr-xr-xcepceslib.sh19
2 files changed, 13 insertions, 8 deletions
diff --git a/README.md b/README.md
index dc2ebf5..e8168b8 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ The purpose of Certificate Enrollment Service is to enroll certificates.
### Example CES input
Save a WebServer certificate down to example.key and example.pem. Note that by default the CERTFILE will contain the entire certificate chain, with the root first and leaf last.
- CESURL="https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES" KEYFILE=example.key CSRFILE=example.csr CESPASSWORDFILE=~/.config/user1 CESUSER=sa839 CERTFILE=example.pem TEMPLATE="WebServer" ./cepceslib.sh use_ces
+ CESURL="https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES" KEYFILE=example.key CSRFILE=example.csr CESPASSWORDFILE=~/.config/user1 CESUSER=sa839 CERTFILE=example.pem TEMPLATE="WebServer" CN="example1.example.com" SANS="san1.example.com,san2.example.com" ./cepceslib.sh use_ces
### Example CES output
None. The certificate chain is stored in `CERTFILE`, and the key is stored in `KEYFILE`.
diff --git a/cepceslib.sh b/cepceslib.sh
index b461c1a..4a10b71 100755
--- a/cepceslib.sh
+++ b/cepceslib.sh
@@ -18,14 +18,17 @@
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xcep/3642fda9-8de2-417a-adad-9d368ffe8fc2
# https://medium.com/@fmcalbuquerque/python-elementtree-xml-api-with-dynamic-namespaces-171d9c9f391e
# Improve:
-# use env vars for CN and SANs
+# Use IP.1 if a SAN is an ip address
# Dependencies:
# openssl, python3
# Documentation: README.md
gen_csr() {
- # input env vars: KEYFILE, CSRFILE, TEMPLATE
+ # input env vars: KEYFILE, CSRFILE, TEMPLATE, CN, SANS
_cnf="$( mktemp )"
+ _cn="${CN:-$( hostname -f )}"
+ _san="${SANS:-$( hostname -s )}"
+ _san_list="$( echo "${_san}" | tr ',' '\n' | grep -E '.' | awk '{gsub("^","DNS."NR+1" = ",$0);print;}' )"
cat >"${_cnf}" <<EOFCONF
oid_section = new_oids
[ req ]
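Review bot: The new `_cn=` and `_san_list=` assignments take CN and SANS straight from the environment and write them unquoted into the OpenSSL config heredoc, so a value containing a newline, `#`, `[` or `${...}` is not rejected but lands in the config as-is, where it can add further directives or (for `${...}`) be treated by openssl as its own variable expansion; the same values are interpolated again at `CN = ${_cn}` and `${_san_list}` in the two following hunks. A whitelist check before the heredoc, e.g. `case "${_cn}${_san}" in *[!A-Za-z0-9.,*-]*) echo "CN/SANS: unsupported character" >&2; return 1 ;; esac` (adjust the set to what the CA template accepts), keeps the generated config under the script's control. The `echo "${_san}"` at the head of the pipeline should be `printf '%s\n' "${_san}"` so a value beginning with `-n` or `-e` is not consumed as an echo option. gen_csr continues past the end of this hunk.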
@@ -45,7 +48,7 @@ ST = New York
L = New York
O = Example Organization
# Important value
-CN = $( hostname -f )
+CN = ${_cn}
#emailAddress = noreply@example.com
[ req_ext ]
@@ -56,8 +59,8 @@ certificateTemplateName = ASN1:UTF8STRING:${TEMPLATE}
[ alt_names ]
# Important value
-DNS.1 = $( hostname -f )
-DNS.2 = $( hostname -s )
+DNS.1 = ${_cn}
+${_san_list}
EOFCONF
# generate the csr
openssl req -config "${_cnf}" -new -key "${KEYFILE}" -out "${CSRFILE}"
@@ -104,7 +107,8 @@ EOFCES
submit_ces_request() {
# input env vars: CESURL, CESFILE
# -k for irony
- curl --silent \
+ curl ${VERBOSE:+--verbose} \
+ --silent \
"${CESURL}" \
-H "Content-Type: application/soap+xml" \
-X POST \
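Review bot: The new `${VERBOSE:+--verbose}` makes curl print the outgoing request headers to stderr, and if the CES credentials (the README's CESUSER/CESPASSWORDFILE) are sent as an Authorization header later in this command, that header is echoed in the verbose output; the identical change in submit_cep_request in the next hunk has the same property. The rest of the curl invocation is outside the hunk, so I cannot confirm how the credentials travel, but a comment on the new line, `# VERBOSE=1 dumps request/response headers (including any auth header) to stderr; keep it out of shared logs`, would make the trade-off explicit. The expansion is also deliberately unquoted so it disappears when VERBOSE is unset; `# unquoted on purpose: expands to nothing when VERBOSE is unset` would stop a later quoting pass from turning it into an empty argument that curl rejects. submit_ces_request's body continues past the hunk.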
@@ -200,7 +204,8 @@ EOFCEP
submit_cep_request() {
# input env vars: CEPURL, CEPFILE
- curl --silent \
+ curl ${VERBOSE:+--verbose} \
+ --silent \
"${CEPURL}" \
-H "Content-Type: application/soap+xml; charset=utf-8" \
-X POST \