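#!/bin/sh
# Generate a throwaway development PKI for mTLS testing: a self-signed CA,
# a server certificate (PKCS#12 for Kestrel plus PEM copies) and a client
# certificate for the ESP32 device. Everything is written to the current
# directory; artifacts from a previous run are removed first.
#
# Environment (all optional):
#   CERT_PASSWORD  password protecting server.pfx / client.pfx (default: changeit)
#   CN_SERVER      server certificate CN, also added to the SAN list (default: localhost)
#   CN_CLIENT      client certificate CN (default: esp32-device)
#
# Exit status: non-zero as soon as any openssl/file step fails (set -e).

set -eu

# Defaults
: "${CERT_PASSWORD:=changeit}"
: "${CN_SERVER:=localhost}"
: "${CN_CLIENT:=esp32-device}"
# openssl reads the PKCS#12 password from the environment (-passout env:...),
# so it never appears on an argv line that `ps` could expose.
export CERT_PASSWORD

echo "==> Generating development CA, server, and client certificates (for mTLS)"
echo " Password for server.pfx: ${CERT_PASSWORD}"

# Clean previous (also the generated config files and the CA serial file,
# so a fresh CA does not continue a stale serial sequence)
rm -f ca.key ca.crt ca.srl ca.cnf server.key server.csr server.crt server.pfx server.cnf \
  client.key client.csr client.crt client.pfx \
  client.pem client.key.pem server.pem server.key.pem server-chain.crt

# 1) CA (self-signed)
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -subj "/CN=Dev CA" -out ca.crt

# 2) Server key + CSR with SANs (localhost + 127.0.0.1, plus CN_SERVER when it differs).
# TLS clients match the SAN list rather than the CN, so a non-default CN_SERVER
# must be listed here or hostname verification against it fails.
san_extra=
if [ "${CN_SERVER}" != "localhost" ]; then
  san_extra="DNS.2 = ${CN_SERVER}"
fi
cat > server.cnf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
CN = ${CN_SERVER}

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
${san_extra}
EOF

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config server.cnf

# 2b) Sign server CSR with CA. `openssl x509 -req` does not copy CSR extensions
# on its own, so the SAN section is passed explicitly via -extfile/-extensions.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 825 -sha256 -extfile server.cnf -extensions req_ext

# Export server cert+key to PKCS#12 for Kestrel
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile ca.crt -passout env:CERT_PASSWORD

# PEM variants (optional)
cp server.crt server.pem
cp server.key server.key.pem
cat server.crt ca.crt > server-chain.crt

# 3) Client key/cert for device testing
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/CN=${CN_CLIENT}"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 825 -sha256

# PKCS#12 for client (optional)
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile ca.crt -passout env:CERT_PASSWORD

# Convenience PEM for ESP32 (paste into firmware or convert as needed)
cp client.crt client.pem

# Private keys and the password-protected bundles must not be world-readable;
# openssl/cp create them with the default umask, so tighten them explicitly.
chmod 600 ca.key server.key server.key.pem client.key server.pfx client.pfx

echo "==> Done."
echo "Artifacts created:"
echo " - ca.crt (CA certificate to trust on ESP32)"
echo " - server.pfx (for Kestrel, protected by CERT_PASSWORD)"
echo " - server.crt/server.key (PEM)"
echo " - client.crt/client.key (PEM) and client.pfx (optional)"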