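#!/bin/bash
# generate_winrm_client_cert.sh
#
# Create a throw-away CA and one client certificate for WinRM certificate
# authentication. The client certificate carries the Microsoft UPN otherName
# SAN (OID 1.3.6.1.4.1.311.20.2.3) plus the clientAuth EKU, which is what the
# WinRM listener matches against a local account.
#
# Outputs (written to the current directory):
#   cert.pfx  client certificate + private key + CA chain (PKCS#12, mode 0600)
#   cert.pem  client certificate only
#   ca.pem    CA certificate, to be imported as trusted on the WinRM host
#
# Overridable via the environment (defaults reproduce the historical output):
#   USER_NAME     CN of the client cert / name of the local account  (user<random>)
#   UPN           UPN placed in the SAN                               ($USER_NAME@localhost)
#   PFX_PASSWORD  password protecting cert.pfx                        (Passw0rd - override it)
#   CERT_DAYS     validity, in days, of both the CA and client cert   (3650)
#   CERT_EMAIL    emailAddress in the client subject                  ($UPN)
#   CA_EMAIL      emailAddress in the CA subject                      (ca@localhost)
#
# The CA private key only ever exists inside a temporary directory that is
# removed on every exit path, so nothing further can be issued or revoked
# under this CA; re-run the script to get a fresh CA and client pair.
set -euo pipefail

USER_NAME=${USER_NAME:-user$RANDOM}
UPN=${UPN:-$USER_NAME@localhost}
CERT_DAYS=${CERT_DAYS:-3650}
CERT_EMAIL=${CERT_EMAIL:-$UPN}
CA_EMAIL=${CA_EMAIL:-ca@localhost}
# Exported so openssl can read it with 'env:' instead of taking it on argv,
# where it would be visible to every local user via ps.
export PFX_PASSWORD=${PFX_PASSWORD:-Passw0rd}

OUT_DIR=$(pwd)
PFX_FILE=$OUT_DIR/cert.pfx
PEM_FILE=$OUT_DIR/cert.pem
PEM_CA_FILE=$OUT_DIR/ca.pem

# Scratch CA directory. The EXIT trap removes it whether the script succeeds
# or aborts half-way, so the CA and client private keys never linger in /tmp.
CA_DIR=$(mktemp -d -t openssl)
cleanup() { rm -rf -- "${CA_DIR:?}"; }
trap cleanup EXIT

mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/crl"
chmod 700 "$CA_DIR/private"
touch "$CA_DIR/index.txt"
echo 01 > "$CA_DIR/serial"

# Configuration for the CA: used once to self-sign the root ([ req ] section)
# and once to issue the client certificate ([ ca ] section).
# sha256 throughout: SHA-1 signatures are refused by OpenSSL >= 3.0 at its
# default security level and are deprecated by Windows/Schannel.
cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = mypersonalca

[ mypersonalca ]
dir              = $CA_DIR
certs            = \$dir/certs
crl_dir          = \$dir/crl
database         = \$dir/index.txt
new_certs_dir    = \$dir/certs
certificate      = \$dir/certs/ca.pem
serial           = \$dir/serial
crl              = \$dir/crl/crl.pem
private_key      = \$dir/private/ca.key
RANDFILE         = \$dir/private/.rand
default_days     = $CERT_DAYS
default_crl_days = 30
default_md       = sha256
preserve         = no
policy           = mypolicy
# Only consulted when 'openssl ca' runs without -extfile; the client
# extensions below are passed explicitly and take precedence.
x509_extensions  = certificate_extensions

# Every attribute not listed here is silently dropped from the issued subject.
[ mypolicy ]
commonName             = supplied
stateOrProvinceName    = supplied
countryName            = supplied
emailAddress           = supplied
organizationName       = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_keyfile    = $CA_DIR/private/ca.key
default_md         = sha256
prompt             = no
string_mask        = utf8only
distinguished_name = root_ca_distinguished_name
x509_extensions    = root_ca_extensions

[ root_ca_distinguished_name ]
commonName          = WinRM CA
stateOrProvinceName = Timis
countryName         = RO
emailAddress        = $CA_EMAIL
organizationName    = WinRM CA

[ root_ca_extensions ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF

# Minimal config for the client CSR: the subject comes from -subj, but
# 'openssl req' still insists on a distinguished_name section being present.
cat > "$CA_DIR/req.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# Extensions stamped onto the client certificate at signing time.
cat > "$CA_DIR/client_ext.cnf" <<EOF
[ v3_req_client ]
basicConstraints       = CA:false
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
# Microsoft UPN otherName; WinRM maps the certificate to the account it names.
subjectAltName         = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$UPN
EOF

# 1. Self-signed root CA. -nodes: the key is unencrypted but lives only in
#    CA_DIR, which is wiped on exit.
openssl req -config "$CA_DIR/ca.cnf" -x509 -nodes -days "$CERT_DAYS" -newkey rsa:2048 \
  -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/certs/ca.pem" -outform PEM

# 2. Client key and CSR. L (locality) is not in the CA policy and is dropped
#    from the issued certificate; emailAddress must be present because the
#    policy marks it 'supplied'.
openssl req -config "$CA_DIR/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$CA_DIR/private/cert.key" -out "$CA_DIR/certs/cert.req" -outform PEM \
  -subj "/C=US/ST=Timis/L=Timisoara/emailAddress=$CERT_EMAIL/O=IT/CN=$USER_NAME"

# 3. Issue the client certificate with the UPN SAN and clientAuth EKU.
openssl ca -config "$CA_DIR/ca.cnf" -batch -notext -md sha256 \
  -in "$CA_DIR/certs/cert.req" -out "$CA_DIR/certs/cert.pem" \
  -extensions v3_req_client -extfile "$CA_DIR/client_ext.cnf"

# 4. Bundle certificate, private key and CA chain into cert.pfx. The umask
#    makes the file 0600 from creation, since it holds the private key.
#    NOTE(review): OpenSSL 3 writes AES-256/SHA-256 PKCS#12 by default; if an
#    older Windows release refuses the import, add -legacy here.
(
  umask 077
  openssl pkcs12 -export -in "$CA_DIR/certs/cert.pem" -inkey "$CA_DIR/private/cert.key" \
    -chain -CAfile "$CA_DIR/certs/ca.pem" -out "$PFX_FILE" -passout env:PFX_PASSWORD
)

# 5. Public artefacts next to the PFX.
cp -- "$CA_DIR/certs/cert.pem" "$PEM_FILE"
cp -- "$CA_DIR/certs/ca.pem" "$PEM_CA_FILE"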