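#!/bin/bash
#------------------------------------------------------------------------------#
#
# Creates a multi-domain CSR (certificate signing request with a
# subjectAltName list), either together with a freshly generated RSA key or
# from an already existing key file.
#
# Inspect the result:          openssl req -noout -text -in <name>.csr
# Third-party online check:    https://www.networking4all.com/en/ssl+certificates/csr+check/
#
# Usage: see "-h".
#
#------------------------------------------------------------------------------#

set -euo pipefail

readonly VERSION="v2018111900"

# Defaults.
ZEITRAUM="730"   # default_days in the generated config: 2 years
                 # (365 = 1 year; 1095 = 3 years is no longer issued by CAs)
BITLANG="4096"   # RSA key length in bits for a newly generated key

# Option values, initialised so that "set -u" does not trip on absent options.
ABTEILUNG=""      # OU - department / brand
STADT=""          # L  - city
DOMAIN=""         # CN - FQDN or wildcard, e.g. '*.example.org'
EMAIL=""          # emailAddress
KEY=""            # path of an existing private key (optional); set to the
                  # generated key file when a new key is created
LAND=""           # ST - state, e.g. Hessen
MULTI_DOMAIN=""   # extra subjectAltName hosts, separated by whitespace or ","
ORGANISATION=""   # O  - organisation / tenant
STAAT=""          # C  - country code, e.g. DE

ZNAME=""          # file name stem: DOMAIN with "*" replaced by "w"
CFG_DATEI=""      # temp file with the generated openssl config (removed on exit)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the usage text to stdout.
# Globals: ZEITRAUM, BITLANG (read, for the shown defaults)
#######################################
usage() {
  cat <<EOF

 zwingend erforderliche Parameter:
   -d Domain/FQDN (CN)
   -s Staat (z.B. DE)
   -l Land/Bundesland (z.B. Hessen)
   -c City/Stadt
   -o Organisation/Mandant
   -a Abteilung/Marke
   -e E-Mail-Adresse (z.B. ssladmin@iq-optimize.de)

 optionale Parameter:
   -k Key-Datei, die schon existiert
   -m weitere Domains fuer subjectAltName (durch Leerzeichen oder Komma getrennt)
   -z Zeitraum der Gueltigkeit in Tagen (Standard: ${ZEITRAUM})
   -b Bit-Laenge des Schluessels (Standard: ${BITLANG})

 Beispiele

   wild-card-Zertifikat mit neuem Schluessel:
   # ${0} -d '*.telco.de' -s DE -l Hessen -c Maintal -o Drillisch -a telco -e ssladmin@iq-optimize.de

   Standard-Zertifikat mit vorhandenem Schluessel und weiteren Domains:
   # ${0} -d www.telco.de -s DE -l Hessen -c Maintal -o Drillisch -a telco -e ssladmin@iq-optimize.de -k www.telco.de.key -m 'telco.de mail.telco.de'

EOF
}

#######################################
# Parse the command line into the global option variables.
# Every option takes exactly one value; a missing value is an error instead of
# silently assigning an empty string. Unknown "-x" options abort, bare words
# are ignored.
# Arguments: the script's "$@"
#######################################
parse_args() {
  local opt
  while (( $# > 0 )); do
    opt=$1
    case "$opt" in
      -h)
        usage
        exit 0
        ;;
      -a|-b|-c|-d|-e|-k|-l|-m|-o|-s|-z)
        (( $# >= 2 )) || die "Der Parameter '${opt}' benoetigt einen Wert!"
        case "$opt" in
          -a) ABTEILUNG=$2 ;;
          -b) BITLANG=$2 ;;
          -c) STADT=$2 ;;
          -d) DOMAIN=$2 ;;
          -e) EMAIL=$2 ;;
          -k) KEY=$2 ;;
          -l) LAND=$2 ;;
          -m) MULTI_DOMAIN=$2 ;;
          -o) ORGANISATION=$2 ;;
          -s) STAAT=$2 ;;
          -z) ZEITRAUM=$2 ;;
        esac
        shift
        ;;
      -*)
        die "Der Parameter '${opt}' wird nicht unterstuetzt!"
        ;;
      *)
        # a stray word without an option is ignored, as before
        ;;
    esac
    shift
  done
}

#######################################
# Abort with a hint when one of the mandatory DN fields is missing.
# Globals: DOMAIN, STAAT, LAND, STADT, ORGANISATION, ABTEILUNG, EMAIL (read)
#######################################
require_options() {
  local -a missing=()
  [[ -n "$DOMAIN" ]]       || missing+=(-d)
  [[ -n "$STAAT" ]]        || missing+=(-s)
  [[ -n "$LAND" ]]         || missing+=(-l)
  [[ -n "$STADT" ]]        || missing+=(-c)
  [[ -n "$ORGANISATION" ]] || missing+=(-o)
  [[ -n "$ABTEILUNG" ]]    || missing+=(-a)
  [[ -n "$EMAIL" ]]        || missing+=(-e)
  if (( ${#missing[@]} > 0 )); then
    printf '\n Es werden alle Parameter benoetigt! (fehlt: %s)\n => %s -h\n\n' \
      "${missing[*]}" "$0" >&2
    exit 1
  fi
}

#######################################
# Print the [subject_alt_names] entries, one "DNS.n = host" per line.
# The CN is always DNS.1 (CAs and browsers match the host against the SAN
# list, not the CN); the names given with -m follow, duplicates dropped.
# Arguments: $1 - CN, $2 - extra names separated by whitespace or ","
# Outputs:   the section body on stdout
#######################################
san_entries() {
  local cn=$1
  local extra=${2-}
  local -a names=("$cn")
  local -a candidates=()
  local i j found n=0

  # read -a splits without globbing, so '*.example.org' stays literal
  IFS=$' \t\n,' read -r -a candidates <<<"$extra"

  for (( i = 0; i < ${#candidates[@]}; i++ )); do
    [[ -n "${candidates[i]}" ]] || continue
    found=0
    for (( j = 0; j < ${#names[@]}; j++ )); do
      if [[ "${names[j]}" == "${candidates[i]}" ]]; then
        found=1
        break
      fi
    done
    if (( found == 0 )); then
      names+=("${candidates[i]}")
    fi
  done

  for (( i = 0; i < ${#names[@]}; i++ )); do
    n=$(( n + 1 ))
    printf 'DNS.%d = %s\n' "$n" "${names[i]}"
  done
}

#######################################
# Write the openssl config for the CSR into a fresh temp file.
# Globals: ZEITRAUM, EMAIL, STAAT, LAND, STADT, ORGANISATION, ABTEILUNG,
#          DOMAIN, MULTI_DOMAIN, VERSION (read); CFG_DATEI (written)
#######################################
write_config() {
  local san
  san=$(san_entries "$DOMAIN" "$MULTI_DOMAIN")

  # mktemp creates the file exclusively under a random name; a fixed
  # /tmp/openssl_csr_<suffix> name could be pre-created by another local user
  CFG_DATEI=$(mktemp "${TMPDIR:-/tmp}/openssl_csr.XXXXXXXXXX") || die "mktemp fehlgeschlagen"

  cat >"$CFG_DATEI" <<EOF
# generated by ${0##*/} ${VERSION} (compare with /etc/ssl/openssl.cnf)
RANDFILE=/dev/urandom

[ ca ]
default_ca = CA_default

[ CA_default ]
# only used if this file is also used for signing; a CSR carries no validity
default_days = ${ZEITRAUM}

[ req ]
distinguished_name = distinguished_name
req_extensions = v3_req
string_mask = utf8only

[ distinguished_name ]
emailAddress = ${EMAIL}
C = ${STAAT}
ST = ${LAND}
L = ${STADT}
O = ${ORGANISATION}
OU = ${ABTEILUNG}
CN = ${DOMAIN}

[ v3_req ]
# digitalSignature is needed for RSA signature based key exchange (ECDHE-RSA,
# TLS 1.3); keyEncipherment only covers the legacy RSA key exchange
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @subject_alt_names

[ subject_alt_names ]
${san}
EOF
}

#######################################
# Show the generated config between separator lines.
# Globals: CFG_DATEI (read)
#######################################
show_config() {
  printf '%s\n' "-------------------------------------------------------------------------"
  cat -- "$CFG_DATEI"
  printf '%s\n' "-------------------------------------------------------------------------"
}

#######################################
# Run openssl req: generate key + CSR when KEY is empty, otherwise create the
# CSR from the existing KEY. The command line is logged before it runs.
# Globals: KEY, BITLANG, ZNAME, CFG_DATEI and the DN variables (read);
#          KEY (set to "<ZNAME>.key" when a new key is generated)
#######################################
generate_csr() {
  local subj="/emailAddress=${EMAIL}/C=${STAAT}/ST=${LAND}/L=${STADT}/O=${ORGANISATION}/OU=${ABTEILUNG}/CN=${DOMAIN}"
  local -a cmd

  if [[ -z "$KEY" ]]; then
    printf '%s\n' "################################################################################"
    KEY="${ZNAME}.key"
    # the SAN list comes from the config's subject_alt_names section; it is
    # not part of the subject and therefore not appended to -subj
    cmd=(openssl req -sha256 -newkey "rsa:${BITLANG}" -nodes
         -keyout "$KEY" -keyform PEM
         -out "${ZNAME}.csr" -outform PEM
         -subj "$subj" -config "$CFG_DATEI")
    printf '%q ' "${cmd[@]}"
    printf '\n'
    # openssl writes -keyout with the process umask; the key is unencrypted
    # (-nodes), so make sure it is never created group/world readable
    ( umask 077 && "${cmd[@]}" )
    # the CSR holds only the public key and DN; keep it readable as before
    chmod u=rw,go=r -- "${ZNAME}.csr"
  else
    cmd=(openssl req -new -key "$KEY" -keyform PEM
         -out "${ZNAME}.csr" -outform PEM
         -subj "$subj" -config "$CFG_DATEI")
    printf '%q ' "${cmd[@]}"
    printf '\n'
    "${cmd[@]}"
  fi
}

#######################################
# Print the CSR and the modulus digests of key, CSR and (if present)
# certificate. Equal digests show that the files belong to the same key pair;
# md5 is only used as a short comparison fingerprint here.
# Globals: ZNAME, KEY (read)
#######################################
report() {
  local csr="${ZNAME}.csr"
  local crt="${ZNAME}.crt"
  if [[ -r "$csr" ]]; then
    printf '%s\n' "$csr"
    openssl req -text -verify -in "$csr"
  fi
  if [[ -n "$KEY" && -r "$KEY" ]]; then
    printf '%s %s\n' "$KEY" "$(openssl rsa -noout -modulus -in "$KEY" | openssl md5)"
  fi
  if [[ -r "$csr" ]]; then
    printf '%s %s\n' "$csr" "$(openssl req -noout -modulus -in "$csr" | openssl md5)"
  fi
  if [[ -r "$crt" ]]; then
    printf '%s %s\n' "$crt" "$(openssl x509 -noout -modulus -in "$crt" | openssl md5)"
  fi
}

#######################################
# Remove the temp config; runs on every exit path (EXIT trap).
# Globals: CFG_DATEI (read)
#######################################
cleanup() {
  if [[ -n "$CFG_DATEI" ]]; then
    rm -f -- "$CFG_DATEI"
  fi
}

#######################################
# Entry point.
# Arguments: the script's "$@"
# Returns:   0 on success, 1 on usage errors, openssl's status otherwise
#######################################
main() {
  if (( $# == 0 )); then
    printf '%s -h\n' "$0"
    exit 1
  fi
  parse_args "$@"
  require_options

  # "*.example.org" -> "w.example.org" so the wildcard never ends up in a file name
  ZNAME=${DOMAIN//\*/w}

  # check the existing key before anything is written
  if [[ -n "$KEY" && ! -r "$KEY" ]]; then
    die "die Datei ${KEY} ist nicht lesbar..."
  fi

  trap cleanup EXIT
  write_config
  show_config
  generate_csr
  report
}

main "$@"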