Commit 0219c79

Don't regenerate rootCA/client if exist
1 parent 30c97bd commit 0219c79

1 file changed

+19
-11
lines changed


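--- a/scripts/gen_certs.sh
+++ b/scripts/gen_certs.sh
@@ -19,31 +19,39 @@ function print_red () {
 }
 
 # Setting up a CA
-print_red "Generating rootCA"
-openssl genrsa -out $CERT_BASE/rootCA.key 2048
-openssl req -subj /C=/ST=/L=/O=/CN=rootCA -x509 -new -nodes -key $CERT_BASE/rootCA.key -sha256 -days 1095 -out $CERT_BASE/rootCA.pem
+if [ -f "$CERT_BASE/rootCA.key" ] && [ -f "$CERT_BASE/rootCA.pem" ]; then
+print_red "SKIPPING rootCA generation, already exist"
+else
+print_red "GENERATING rootCA"
+openssl genrsa -out $CERT_BASE/rootCA.key 2048
+openssl req -subj /C=/ST=/L=/O=/CN=rootCA -x509 -new -nodes -key $CERT_BASE/rootCA.key -sha256 -days 1095 -out $CERT_BASE/rootCA.pem
+fi
 
 # Setting up device cert and key
-print_red "Generating device certificates with CN $server_hostname and IP $ip"
+print_red "GENERATING device certificates with CN $server_hostname and IP $ip"
 openssl genrsa -out $CERT_BASE/device.key 2048
 openssl req -subj /C=/ST=/L=/O=/CN=$server_hostname -new -key $CERT_BASE/device.key -out $CERT_BASE/device.csr
 openssl x509 -req -in $CERT_BASE/device.csr -CA $CERT_BASE/rootCA.pem -CAkey $CERT_BASE/rootCA.key -CAcreateserial -out $CERT_BASE/device.crt -days 1095 -sha256 -extfile <(printf "%s" "subjectAltName=DNS:$server_hostname,IP:$ip")
 
 # Encrypt device key
 if [ ! -z $password ]; then
-print_red "Encrypting device certificates and bundling with password"
+print_red "ENCRYPTING device certificates and bundling with password"
 # DES 3 for device, needed for input to IOS XE
 openssl rsa -des3 -in $CERT_BASE/device.key -out $CERT_BASE/device.des3.key -passout pass:$password
 # PKCS #12 for device, needed for NX-OS
 # Uncertain if this is correct
 openssl pkcs12 -export -out $CERT_BASE/device.pfx -inkey $CERT_BASE/device.key -in $CERT_BASE/device.crt -certfile $CERT_BASE/device.crt -password pass:$password
 else
-print_red "Skipping device key encryption"
+print_red "SKIPPING device key encryption"
 fi
 
 # Setting up client cert and key
-hostname=$(hostname)
-print_red "Generating client certificates with CN $hostname"
-openssl genrsa -out $CERT_BASE/client.key 2048
-openssl req -subj /C=/ST=/L=/O=/CN=$hostname -new -key $CERT_BASE/client.key -out $CERT_BASE/client.csr
-openssl x509 -req -in $CERT_BASE/client.csr -CA $CERT_BASE/rootCA.pem -CAkey $CERT_BASE/rootCA.key -CAcreateserial -out $CERT_BASE/client.crt -days 1095 -sha256
+if [ -f "$CERT_BASE/client.key" ] && [ -f "$CERT_BASE/client.crt" ]; then
+print_red "SKIPPING client certificates generation, already exist"
+else
+hostname=$(hostname)
+print_red "GENERATING client certificates with CN $hostname"
+openssl genrsa -out $CERT_BASE/client.key 2048
+openssl req -subj /C=/ST=/L=/O=/CN=$hostname -new -key $CERT_BASE/client.key -out $CERT_BASE/client.csr
+openssl x509 -req -in $CERT_BASE/client.csr -CA $CERT_BASE/rootCA.pem -CAkey $CERT_BASE/rootCA.key -CAcreateserial -out $CERT_BASE/client.crt -days 1095 -sha256
+fi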
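Review bot: The client-cert skip check at new line 49 is decoupled from the rootCA check at new line 22, so a run where rootCA.key/rootCA.pem are missing (or were deliberately removed to rotate the CA) regenerates the CA and then keeps a stale client.crt signed by the old CA, while device.crt is re-signed by the new one; the skip should only apply when the CA itself was reused. A small flag does this: `rootca_reused=0` before the CA block, `rootca_reused=1` inside its `then` branch, and the client condition becomes `if [ "$rootca_reused" = 1 ] && [ -f "$CERT_BASE/client.key" ] && [ -f "$CERT_BASE/client.crt" ]; then`. Both checks also use `-f`, which accepts a zero-length file left by an interrupted `openssl` run; `-s` would force regeneration in that case, and since the script's `set` options and the `print_red`/`CERT_BASE` definitions are above the hunk, I cannot tell whether a failed `openssl genrsa` aborts before the file is relied on. The strings "already exist" should read "already exists".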
