123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163 |
- #!/bin/bash
- echo "Zammad S/MIME test certificate generation"
- if [[ ! -e "$CERT_DIR/RootCA.key" ]] || [[ ! -e "$CERT_DIR/RootCA.crt" ]]
- then
- echo "Generating RootCA.key and RootCA.csr"
- openssl req -new -newkey rsa:4096 -nodes -out $CERT_DIR/RootCA.csr -keyout $CERT_DIR/RootCA.key -extensions v3_ca -subj "/emailAddress=RootCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
- echo "Generating RootCA.crt"
- openssl x509 -signkey $CERT_DIR/RootCA.key -days 73000 -req -in $CERT_DIR/RootCA.csr -set_serial 01 -out $CERT_DIR/RootCA.crt
- echo "Generating RootCA.secret"
- cp pass.secret $CERT_DIR/RootCA.secret
- fi
- if [[ ! -e "$CERT_DIR/IntermediateCA.key" ]] || [[ ! -e "$CERT_DIR/IntermediateCA.crt" ]]
- then
- echo "Generating IntermediateCA.key and IntermediateCA.csr"
- openssl req -new -newkey rsa:4096 -nodes -out $CERT_DIR/IntermediateCA.csr -keyout $CERT_DIR/IntermediateCA.key -subj "/emailAddress=IntermediateCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
- echo "Generating IntermediateCA.crt"
- openssl x509 -CA $CERT_DIR/RootCA.crt -CAkey $CERT_DIR/RootCA.key -passin file:pass.secret -days 73000 -req -in $CERT_DIR/IntermediateCA.csr -set_serial 02 -out $CERT_DIR/IntermediateCA.crt
- echo "Generating IntermediateCA.secret"
- cp pass.secret $CERT_DIR/IntermediateCA.secret
- fi
- if [[ ! -e "$CERT_DIR/ChainCA.key" ]] || [[ ! -e "$CERT_DIR/ChainCA.crt" ]]
- then
- echo "Generating ChainCA.key and ChainCA.csr"
- openssl req -new -newkey rsa:4096 -nodes -out $CERT_DIR/ChainCA.csr -keyout $CERT_DIR/ChainCA.key -subj "/emailAddress=ChainCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
- echo "Generating ChainCA.crt"
- openssl x509 -CA $CERT_DIR/IntermediateCA.crt -CAkey $CERT_DIR/IntermediateCA.key -passin file:pass.secret -days 73000 -req -in $CERT_DIR/ChainCA.csr -set_serial 03 -out $CERT_DIR/ChainCA.crt
- echo "Generating ChainCA.secret"
- cp pass.secret $CERT_DIR/ChainCA.secret
- fi
- for EMAIL_ADDRESS in smime1@example.com smime2@example.com smime3@example.com smimedouble@example.com CaseInsenstive@eXample.COM
- do
- if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
- then
- echo "Generating $EMAIL_ADDRESS.key"
- openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
- echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
- openssl req -new -key $CERT_DIR/$EMAIL_ADDRESS.key -passin file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.csr -subj "/emailAddress=$EMAIL_ADDRESS/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
- echo "Generating $EMAIL_ADDRESS.crt (certificate)"
- if [ "$EMAIL_ADDRESS" != "smimedouble@example.com" ]
- then
- extfile="config.cnf"
- else
- # special config that contains two email addresses in one certificate
- extfile="double.cnf"
- fi
- openssl x509 -req \
- -days 73000 \
- -in $CERT_DIR/$EMAIL_ADDRESS.csr \
- -CA $CERT_DIR/RootCA.crt \
- -CAkey $CERT_DIR/RootCA.key \
- -out $CERT_DIR/$EMAIL_ADDRESS.crt \
- -addtrust emailProtection \
- -addreject clientAuth \
- -addreject serverAuth \
- -trustout \
- -CAcreateserial -CAserial /tmp/RootCA.seq \
- -extensions smime \
- -extfile "$extfile" \
- -passin file:pass.secret
- echo "Generating $EMAIL_ADDRESS.secret"
- cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
- fi
- done
- echo "Generating from CA chain"
- # shellcheck disable=SC2043
- for EMAIL_ADDRESS in chain@example.com
- do
- if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
- then
- echo "Generating $EMAIL_ADDRESS.key"
- openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
- echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
- openssl req -new -key $CERT_DIR/$EMAIL_ADDRESS.key -passin file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.csr -subj "/emailAddress=$EMAIL_ADDRESS/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
- echo "Generating $EMAIL_ADDRESS.crt (certificate)"
- openssl x509 -req \
- -days 73000 \
- -in $CERT_DIR/$EMAIL_ADDRESS.csr \
- -CA $CERT_DIR/ChainCA.crt \
- -CAkey $CERT_DIR/ChainCA.key \
- -out $CERT_DIR/$EMAIL_ADDRESS.crt \
- -addtrust emailProtection \
- -addreject clientAuth \
- -addreject serverAuth \
- -trustout \
- -CAcreateserial -CAserial /tmp/ChainCA.seq \
- -extensions smime \
- -extfile "config.cnf" \
- -passin file:pass.secret
- echo "Generating $EMAIL_ADDRESS.secret"
- cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
- fi
- done
- echo "Generating expired"
- FAKETIME=-10y date
- if [[ ! -e "$CERT_DIR/ExpiredCA.key" ]] || [[ ! -e "$CERT_DIR/ExpiredCA.crt" ]]
- then
- echo "Generating ExpiredCA.key"
- FAKETIME=-10y openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/ExpiredCA.key 4096
- echo "Generating ExpiredCA.crt"
- FAKETIME=-10y openssl req -new -x509 -days 1 -key $CERT_DIR/ExpiredCA.key -passin file:pass.secret -out $CERT_DIR/ExpiredCA.crt -subj "/emailAddress=ExpiredCA@example.com/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
- echo "Generating ExpiredCA.secret"
- cp pass.secret $CERT_DIR/ExpiredCA.secret
- fi
- for EMAIL_ADDRESS in expiredsmime1@example.com expiredsmime2@example.com
- do
- if [[ ! -e "$CERT_DIR/$EMAIL_ADDRESS.crt" ]]
- then
- echo "Generating $EMAIL_ADDRESS.key"
- FAKETIME=-10y openssl genrsa -aes256 -passout file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.key 4096
- echo "Generating $EMAIL_ADDRESS.csr (certificate signing request)"
- FAKETIME=-10y openssl req -new -key $CERT_DIR/$EMAIL_ADDRESS.key -passin file:pass.secret -out $CERT_DIR/$EMAIL_ADDRESS.csr -subj "/emailAddress=$EMAIL_ADDRESS/C=DE/ST=Berlin/L=Berlin/O=Example Security/OU=IT Department/CN=example.com"
- echo "Generating $EMAIL_ADDRESS.crt (certificate)"
- FAKETIME=-10y openssl x509 -req \
- -days 1 \
- -in $CERT_DIR/$EMAIL_ADDRESS.csr \
- -CA $CERT_DIR/ExpiredCA.crt \
- -CAkey $CERT_DIR/ExpiredCA.key \
- -out $CERT_DIR/$EMAIL_ADDRESS.crt \
- -addtrust emailProtection \
- -addreject clientAuth \
- -addreject serverAuth \
- -trustout \
- -CAcreateserial -CAserial /tmp/ExpiredCA.seq \
- -extensions smime \
- -extfile config.cnf \
- -passin file:pass.secret
- echo "Generating $EMAIL_ADDRESS.secret"
- cp pass.secret $CERT_DIR/$EMAIL_ADDRESS.secret
- fi
- done
- # run command passed to docker run
- exec "$@"