From b6e76312314011caea71b76db54732ead2c260f7 Mon Sep 17 00:00:00 2001
From: "B. Stack"
Date: Fri, 20 Sep 2024 11:05:59 -0400
Subject: use env vars for CN and SANs
---
 README.md | 2 +-
 cepceslib.sh | 19 ++++++++++++-------
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index dc2ebf5..e8168b8 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ The purpose of Certificate Enrollment Service is to enroll certificates.
 ### Example CES input
 Save a WebServer certificate down to example.key and example.pem. Note that by default the CERTFILE will contain the entire certificate chain, with the root first and leaf last.
- CESURL="https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES" KEYFILE=example.key CSRFILE=example.csr CESPASSWORDFILE=~/.config/user1 CESUSER=sa839 CERTFILE=example.pem TEMPLATE="WebServer" ./cepceslib.sh use_ces
+ CESURL="https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES" KEYFILE=example.key CSRFILE=example.csr CESPASSWORDFILE=~/.config/user1 CESUSER=sa839 CERTFILE=example.pem TEMPLATE="WebServer" CN="example1.example.com" SANS="san1.example.com,san2.example.com" ./cepceslib.sh use_ces
 ### Example CES output
 None. The certificate chain is stored in `CERTFILE`, and the key is stored in `KEYFILE`.
diff --git a/cepceslib.sh b/cepceslib.sh
index b461c1a..4a10b71 100755
--- a/cepceslib.sh
+++ b/cepceslib.sh
@@ -18,14 +18,17 @@
 # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xcep/3642fda9-8de2-417a-adad-9d368ffe8fc2
 # https://medium.com/@fmcalbuquerque/python-elementtree-xml-api-with-dynamic-namespaces-171d9c9f391e
 # Improve:
-# use env vars for CN and SANs
+# Use IP.1 if a SAN is an ip address
 # Dependencies:
 # openssl, python3
 # Documentation: README.md
 gen_csr() {
- # input env vars: KEYFILE, CSRFILE, TEMPLATE
+ # input env vars: KEYFILE, CSRFILE, TEMPLATE, CN, SANS
 _cnf="$( mktemp )"
+ _cn="${CN:-$( hostname -f )}"
+ _san="${SANS:-$( hostname -s )}"
+ _san_list="$( echo "${_san}" | tr ',' '\n' | grep -E '.' | awk '{gsub("^","DNS."NR+1" = ",$0);print;}' )"
 cat >"${_cnf}" <