#!/bin/bash if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then . '#ETCDIR#/simple-pki/ca.conf' fi cd "${0%/*}" tmp_dir=$(mktemp -d) trap 'rm -rf --one-file-system "${tmp_dir}"' EXIT while read -r csr; do csr_local="${tmp_dir}/${csr##*/}" curl -Ss --insecure "${csr}" -o "${csr_local}" if ! content=$( openssl req -text -noout -verify -in "${csr_local}" 2>/dev/null ); then >&2 echo 'verify failed - skipping' rm "${csr_local}" continue fi content=$( printf '%s\n' "${content}" \ | sed -n ' /^Certificate Request:$/,/^\S/p ' \ | remove_leading_spaces 4 \ | sed -n ' /^Data:$/,/^\S/p ' \ | remove_leading_spaces 4 ) cn=$( printf '%s\n' "${content}" \ | sed ' s/^Subject: // t d ' \ | tr -d ' ' \ | tr ',' '/' \ | sed 's@^.*/CN=@@' ) sans=$( printf '%s\n' "${content}" \ | sed -n ' /^Requested Extensions:$/,/^\S/ p ' \ | remove_leading_spaces 4 \ | sed -n ' /^X\S\+ Subject Alternative Name:\s*$/,/^\S/ p ' \ | remove_leading_spaces 4 \ | sed ' s/, /\n/g ' ) if printf '%s\n' "${sans}" | grep -vq '^\(DNS\|IP\):'; then >&2 echo 'invalid sans - skipping' rm "${csr_local}" continue fi sans=$( printf '%s\n' "${sans}" \ | sed ' s/^\(DNS\|IP\):// ' ) ok_sans=$( printf '%s\n' "${cn}" "${sans}" \ | while read -r san; do if ! curl -Ss --insecure 'https://'"${san}/${csr#*//*/}" \ | diff -q - "${csr_local}"; then >&2 printf 'invalid san "%s" - skipping\n' "${san}" rm "${csr_local}" break fi printf '%s\n' "${san}" done ) if [ ! -f "${csr_local}" ]; then continue fi if [ "$(printf '%s\n' "${cn}" "${sans}")" != "${ok_sans}" ]; then >&2 echo 'some san was invalid - skipping' rm "${csr_local}" continue fi if ! CA=signing-ca openssl ca -batch -name signing_ca \ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ -in "${csr_local}" \ -out "${csr_local%.csr}.crt" \ -extensions server_ext; then >&2 echo 'signing failed - skipping' rm -f "${csr_local}" "${csr_local%.csr}.crt" continue fi cat "${csr_local%.csr}.crt" '#ETCDIR#/simple-pki/ca/signing-ca.crt' '#ETCDIR#/simple-pki/ca/root-ca.crt' \ > "${csr_local%.csr}.chain" rm "${csr_local}" done cd "${tmp_dir}" tar -czf - *.crt *.chain