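#!/bin/sh
# Bootstrap a Taskserver PKI inside a per-user tmpfs directory.
#
# For a public or production server, purchase a cert from a known CA, and skip
# the CA-creation step.
# For development, testing and personal server management, create a CA key and
# cert, and use that to generate a server key and cert. Creates:
#   ca.key.pem
#   ca.cert.pem
#   server.key.pem
#   server.cert.pem
#
# Requires gpg (to decrypt ca.key.pem.gpg) and the helper files vars,
# generate.ca, generate.crl, generate.client, ca.cert.pem and isrgrootx1.pem
# next to this script. The decrypted CA key only ever exists under
# $GENERATION_LOCATION and is removed on exit, whatever the exit path.

# POSIX subset of strict mode (no pipefail under /bin/sh).
set -eu

GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs"
BASEDIR="$(dirname "$0")"
# Helper files copied next to the generated material. Fixed, space-free
# names, so the unquoted $HELPERS word-splitting below is intentional
# (POSIX sh has no arrays).
HELPERS="./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem"

#######################################
# Print a message on stderr and abort.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" 1>&2
  exit 1
}

#######################################
# Remove the helper copies and the decrypted CA key. Only armed after the
# working directory is $GENERATION_LOCATION, and it re-enters that directory
# explicitly, so it can never delete the originals in $BASEDIR.
#######################################
cleanup() {
  cd "$GENERATION_LOCATION" || return
  # shellcheck disable=SC2086 -- intentional word-splitting of a fixed list
  rm -f -- $HELPERS ./ca.key.pem
}

cd "$BASEDIR" || die "(BUG?) No basedir ('$BASEDIR')"

mkdir -p "$GENERATION_LOCATION"
# shellcheck disable=SC2086 -- intentional word-splitting of a fixed list
cp -- $HELPERS ./ca.cert.pem "$GENERATION_LOCATION"
# Aborting here matters: continuing would decrypt the CA key into, and later
# delete the helper scripts from, the source directory instead.
cd "$GENERATION_LOCATION" || die "(BUG?) No possible location found!"
trap cleanup EXIT

# Decrypt the CA key under a private umask so the plaintext key is never
# group/world-readable. The redirection creates ca.key.pem even when gpg
# fails, so a failed decrypt must not leave an empty file behind, otherwise
# the existence check below would skip generate.ca and the later steps would
# run with an empty key.
if ! ( umask 077; gpg --decrypt ca.key.pem.gpg > ca.key.pem ); then
  rm -f ./ca.key.pem
  printf '%s\n' "(WARN) Could not decrypt ca.key.pem.gpg; falling back to generate.ca" 1>&2
fi
# Chain the root into the CA bundle (the copy, not the original ca.cert.pem).
cat ./isrgrootx1.pem >> ./ca.cert.pem

[ -f ./ca.key.pem ] || ./generate.ca

# Generate a certificate revocation list (CRL). The initial CRL is empty, but
# can grow over time. Creates:
#   server.crl.pem
./generate.crl

# The above is sufficient to operate a server. You now need to run a client
# cert creation process per client: edit the list of ./generate.client calls
# below to match your clients.
#
# Each ./generate.client <client_name> creates:
#   <client_name>.key.pem
#   <client_name>.cert.pem
./generate.client soispha
./generate.client android-mobile
./generate.client android-tab

# Helper copies and the decrypted CA key are removed by the EXIT trap.
printf '%s\n' "(INFO) Look for the keys at: $GENERATION_LOCATION"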