#!/usr/bin/env nix-shell #! nix-shell -i dash --packages openssl gnutls dash #! nix-shell --impure # For a public or production server, purchase a cert from a known CA, and skip # the next step. # For development, testing and personal server management, create a CA key and # cert, and use that to generate a server key and cert. Creates: # ca.key.pem # ca.cert.pem # server.key.pem # server.cert.pem GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs" BASEDIR="$(dirname "$0")" cd "$BASEDIR" || { echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 exit 1 } ca=false crl=false clients=false for arg in "$@"; do case "$arg" in "--ca") ca=true ;; "--crl") crl=true ;; "--clients") clients=true ;; esac done # `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the # second-to last line set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem mkdir --parents "$GENERATION_LOCATION" cp "$@" ./ca.cert.pem "$GENERATION_LOCATION" cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2 gpg --decrypt ca.key.pem.gpg >ca.key.pem [ "$ca" = true ] && ./generate.ca cat ./isrgrootx1.pem >>./ca.cert.pem # Generate a certificate revocation list (CRL). The initial CRL is empty, but # can grow over time. Creates: # server.crl.pem [ "$crl" = true ] && ./generate.crl # The above is sufficient to operate a server. You now need to run a client cert creation # process per client; Add the required client names and uncomment # ./generate.client # # # Creates: # .key.pem # .cert.pem # [ "$clients" = true ] && ./generate.client soispha [ "$clients" = true ] && ./generate.client android-mobile [ "$clients" = true ] && ./generate.client android-tab rm "$@" "./ca.key.pem" echo "(INFO) Look for the keys at: $GENERATION_LOCATION" # vim: ft=sh