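#!/usr/bin/env bash
#
# regenerate-certificates.sh -- regenerate the self-signed test PKI in testkeys/.
#
# Outputs (all under $OUT):
#   privateKey.key / certificate.pem / certificate.crt   test CA "Banana Corp"
#   testserver-privkey.pem / testserver-certificate.pem  TLS server cert for localhost
#   certificate.pfx                                      client cert + key as PKCS#12
# and prints the SHA-1 thumbprint of the client certificate for test.js.
#
# SECURITY NOTE: everything produced here is TEST material. The CA private key
# is left on disk unencrypted, and the PKCS#12 file is protected by a fixed,
# public password with 40-bit RC2. Nothing generated by this script may be
# trusted or deployed outside the test suite.
#
# Requires OpenSSL 3.x with the legacy provider module installed (needed for
# the PBE-SHA1-RC2-40 PKCS#12 encryption).
set -euo pipefail

OUT="testkeys"
# Roughly 274 years: deliberately huge so the fixtures never expire on us.
# NOTE: Apple TLS stacks reject server certificates valid for more than 825
# days, so do not point an Apple client at testserver-certificate.pem.
DAYS=99999
# Fixed password for the PKCS#12 file. Public by design (test fixture).
PASS="pass"
# Scratch directory for CSRs, extension files and the CA serial file; created
# in main() and removed on exit whether or not the script succeeds.
WORK=""

#######################################
# Generate an RSA-2048 private key and restrict it to the owner.
# openssl writes the file with the default umask, so tighten it ourselves.
# Arguments: $1 - output path
#######################################
gen_key() {
  local path=$1
  openssl genrsa -out "$path" 2048
  chmod 600 -- "$path"
}

#######################################
# Issue a leaf certificate signed by the test CA.
# Arguments:
#   $1 - private key of the leaf
#   $2 - subject, e.g. "/CN=localhost"
#   $3 - file with the X.509v3 extensions to apply
#   $4 - output certificate path
# Globals: OUT, DAYS, WORK (read)
#######################################
issue_leaf() {
  local key=$1 subject=$2 extfile=$3 out=$4
  local csr="$WORK/${out##*/}.csr"
  openssl req -new -key "$key" -subj "$subject" -out "$csr"
  # The serial file lives in $WORK so nothing stray is left in $OUT.
  openssl x509 -req \
    -in "$csr" \
    -CA "$OUT/certificate.pem" \
    -CAkey "$OUT/privateKey.key" \
    -CAserial "$WORK/ca.srl" -CAcreateserial \
    -days "$DAYS" \
    -sha256 \
    -extfile "$extfile" \
    -out "$out"
}

#######################################
# 1) CA: Banana Corp (self-signed root).
# The CA:TRUE basicConstraints come from OpenSSL's default [v3_ca] handling
# for `req -x509`; verify with `openssl x509 -text` if you change openssl.cnf.
# Globals: OUT, DAYS (read)
#######################################
make_ca() {
  gen_key "$OUT/privateKey.key"
  openssl req -x509 -new -nodes \
    -key "$OUT/privateKey.key" \
    -sha256 -days "$DAYS" \
    -subj "/CN=Banana Corp" \
    -out "$OUT/certificate.pem"
  # Same certificate under the .crt name for consumers that expect it.
  cp -- "$OUT/certificate.pem" "$OUT/certificate.crt"
}

#######################################
# 2) TLS server certificate for localhost, signed by the CA.
# Modern clients match on the SAN, so both DNS and loopback IP are listed.
# SKI/AKI are set explicitly so chain building does not depend on defaults.
# Globals: OUT, WORK (read)
#######################################
make_server_cert() {
  local ext="$WORK/testserver.ext"
  gen_key "$OUT/testserver-privkey.pem"
  cat > "$ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:localhost,IP:127.0.0.1
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
  issue_leaf "$OUT/testserver-privkey.pem" "/CN=localhost" "$ext" \
    "$OUT/testserver-certificate.pem"
}

#######################################
# 3) Client certificate (Internet Widgits Pty Ltd), bundled as PKCS#12.
# The PEM key and cert are intermediates in $WORK; only the .pfx is kept.
# Globals: OUT, PASS, WORK (read)
#######################################
make_client_pfx() {
  local key="$WORK/client-privkey.pem"
  local cert="$WORK/client-certificate.pem"
  local ext="$WORK/client.ext"
  gen_key "$key"
  cat > "$ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
  issue_leaf "$key" "/CN=Internet Widgits Pty Ltd" "$ext" "$cert"
  # PBE-SHA1-RC2-40 with a SHA-1 MAC is deliberately WEAK, legacy PKCS#12
  # encryption kept for compatibility with the consumer in test.js; it needs
  # the OpenSSL legacy provider and protects nothing of value. Never copy this
  # recipe for real keys. The password is passed via the environment instead
  # of argv so it does not appear in `ps` output.
  PKCS12_PASS="$PASS" openssl pkcs12 -export \
    -inkey "$key" \
    -in "$cert" \
    -out "$OUT/certificate.pfx" \
    -passout env:PKCS12_PASS \
    -keypbe PBE-SHA1-RC2-40 \
    -certpbe PBE-SHA1-RC2-40 \
    -macalg sha1 \
    -iter 2048 \
    -provider default \
    -provider legacy
}

#######################################
# Print the lower-case, colon-less SHA-1 thumbprint of the client cert.
# -nokeys/-clcerts extract only the certificate; the private key is never
# decrypted into the pipeline (the old `-nodes` form dumped it there too).
# Globals: OUT, PASS (read)
# Outputs: one header line and the thumbprint on stdout
#######################################
print_thumbprint() {
  printf '%s\n' "Thumbprint of the certificate for test.js:"
  PKCS12_PASS="$PASS" openssl pkcs12 -in "$OUT/certificate.pfx" \
      -passin env:PKCS12_PASS -nokeys -clcerts \
      -provider default -provider legacy \
    | openssl x509 -noout -fingerprint -sha1 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

main() {
  mkdir -p -- "$OUT"
  WORK="$(mktemp -d)"
  trap 'rm -rf -- "$WORK"' EXIT
  make_ca
  make_server_cert
  make_client_pfx
  print_thumbprint
}

main "$@"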