#!/bin/bash
#
# Generate keypairs.
#
# This script is just a wrapper to easily generate keys for
# automated systems.
#
# Invoked as: keyringer <basedir> genpair gpg|ssh|ssl <file> <hostname> [outfile]
# (positional parameters $2..$5 are consumed below; $1 is presumably handled
# by the sourced keyringer functions — confirm against lib/keyringer/functions).
#
# Globals expected from the sourced functions file (not set here):
#   KEYDIR, BASEDIR, TMPWORK, BASENAME, keyringer_exec, keyringer_set_tmpfile.
# NOTE(review): the script does not use 'set -e'/'set -u'; a failing
# ssh-keygen/gpg/openssl step does not stop the run, and the "Done" message
# and the plaintext-copy step below are reached regardless.

#######################################
# Generate a keypair, ssh version.
# Globals:   KEYDIR, TMPWORK, NODE, BASEDIR, FILE, OUTFILE (all read)
# Arguments: none (everything comes from globals)
# Outputs:   encrypted private/public key stored via keyringer_exec;
#            optional plaintext copies at $OUTFILE and $OUTFILE.pub
#######################################
function genpair_ssh {
  echo "Make sure that $KEYDIR is atop of an encrypted volume."
  # 'prompt' is only a sink for the ENTER keystroke; the value is never used.
  read -p "Hit ENTER to continue." prompt
  # TODO: programmatically enter blank passphrase twice
  # NOTE(review): no '-b' given, so the RSA key size is whatever the installed
  # ssh-keygen defaults to; pin it explicitly for reproducible deployments.
  ssh-keygen -t rsa -f "$TMPWORK/id_rsa" -C "root@$NODE"
  # Encrypt the result
  echo "Encrypting secret key into keyringer..."
  cat "$TMPWORK/id_rsa" | keyringer_exec encrypt "$BASEDIR" "$FILE"
  echo "Encrypting public key into keyringer..."
  cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub"
  # TODO: add outfiles into version control
  if [ ! -z "$OUTFILE" ]; then
    # NOTE(review): unquoted backtick expansion — an OUTFILE containing spaces
    # or glob characters is split; prefer: mkdir -p -- "$(dirname -- "$OUTFILE")"
    mkdir -p `dirname $OUTFILE`
    printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE"
    # NOTE(review): the plaintext private key copy is created by redirection,
    # so its mode is governed by the caller's umask (typically world-readable
    # 0644); consider 'umask 077' before this block or 'install -m 600'.
    cat "$TMPWORK/id_rsa" > "$OUTFILE"
    cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub"
  fi
  echo "Done"
}

#######################################
# Generate a keypair, gpg version.
# Globals:   KEYDIR, TMPWORK, OUTFILE (read)
# Arguments: none
# Outputs:   gpg key material under the $TMPWORK homedir; armored public key
#            exported to $OUTFILE.pub
# NOTE(review): this function is incomplete on the page — the text between
# the '--batch' redirection and the closing 'fi' did not survive extraction
# (the batch key specification, the keyringer encryption step present in the
# sibling functions, and the 'if [ ... "$OUTFILE" ]' that the 'fi' closes are
# all missing). Restore it from the repository before relying on it.
#######################################
function genpair_gpg {
  echo "Make sure that $KEYDIR is atop of an encrypted volume."
  # Passphrase is read without echo; in the visible text it is never consumed,
  # presumably because the batch key spec that uses it is missing (see above).
  read -s -p "Enter password for the private key: " passphrase
  # TODO: insert 279 random bytes
  # TODO: custom Name-Comment and Name-Email
  # TODO: allow for empty passphrases
  # NOTE(review): '< "$OUTFILE"' is almost certainly a garbled here-document
  # in the original; as written it would read the key spec from the output
  # path. Do not run this as-is.
  gpg --homedir "$TMPWORK" --gen-key --batch < "$OUTFILE"
  gpg --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub"
  # NOTE(review): the matching 'if' is not visible on the page (extraction gap).
  fi
  echo "Done"
}

#######################################
# Generate a keypair, ssl version: private key + CSR via $LIB/csr.sh, then a
# 365-day self-signed certificate.
# Globals:   KEYDIR, TMPWORK, LIB, NODE, BASEDIR, FILE, CWD, OUTFILE (read)
# Arguments: none
# Outputs:   encrypted key/CSR/cert via keyringer_exec; optional plaintext
#            copies at $OUTFILE.pem, $OUTFILE.csr, $OUTFILE.crt; prints the
#            certificate fingerprint on stdout
#######################################
function genpair_ssl {
  echo "Make sure that $KEYDIR is atop of an encrypted volume."
  read -p "Hit ENTER to continue." prompt
  # Setup
  # NOTE(review): unchecked 'cd' — if $TMPWORK is missing the key, CSR and
  # certificate are written into the caller's current directory instead;
  # suggested: cd "$TMPWORK" || return 1
  cd "$TMPWORK"
  # Generate certificate
  # csr.sh is expected to produce ${NODE}_privatekey.pem and ${NODE}_csr.pem
  # in the current directory (inferred from the file names used below).
  "$LIB/csr.sh" "$NODE"
  # Self-sign
  # NOTE(review): validity is hard-coded to 365 days; expiry is not
  # tracked anywhere in this script.
  openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365
  chmod 600 "${NODE}_privatekey.pem"
  # Encrypt the result
  echo "Encrypting private key into keyringer..."
  cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem"
  echo "Encrypting certificate request into keyringer..."
  cat "${NODE}_csr.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.csr"
  echo "Encrypting certificate into keyringer..."
  cat "$NODE.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt"
  cd "$CWD"
  if [ ! -z "$OUTFILE" ]; then
    # NOTE(review): unquoted backtick expansion, same issue as in genpair_ssh.
    mkdir -p `dirname $OUTFILE`
    printf "Saving copies at %s.pem, %s.csr and %s.crt\n" "$OUTFILE" "$OUTFILE" "$OUTFILE"
    # NOTE(review): the 'chmod 600' above only covers the temp copy; this
    # plaintext copy gets umask-derived permissions (see genpair_ssh).
    cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem"
    cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr"
    cat "$TMPWORK/$NODE.crt" > "$OUTFILE.crt"
  fi
  # Show cert fingerprint
  openssl x509 -noout -in "$TMPWORK/$NODE.crt" -fingerprint
  echo "Done"
}

# Load functions
# NOTE(review): '$0' is unquoted inside the backticks; quote it if the
# install path may contain spaces.
LIB="`dirname $0`/../../lib/keyringer"
source "$LIB/functions" || exit 1

# Additional parameters
KEYTYPE="$2"
FILE="$3"
NODE="$4"
OUTFILE="$5"
CWD="`pwd`"

# Verify
# $BASENAME is not assigned in this file; presumably set by the sourced
# functions — confirm.
if [ -z "$NODE" ]; then
  echo -e "Usage: keyringer $BASENAME [outfile]"
  echo -e "Options:"
  echo -e "\t gpg|ssh|ssl: key type."
  echo -e "\t file : base file name for encrypted output (relative to keys folder)"
  echo -e "\t hostname : host for the key pair"
  echo -e "\t outfile : optional unencrypted output file, useful for deployment"
  exit 1
elif [ ! -e "$KEYDIR" ]; then
  echo "Folder not found: $KEYDIR, leaving"
  exit 1
fi

# Set a tmp file
# Presumably sets $TMPWORK and installs the EXIT trap that is cleared at the
# bottom of this script — verify in lib/keyringer/functions. The permissions
# of the directory matter because plaintext key material is written into it.
keyringer_set_tmpfile genpair -d

# Dispatch
# NOTE(review): KEYTYPE comes straight from argv and is not checked against
# gpg|ssh|ssl; an unknown value yields "command not found" and, with no
# 'set -e', execution falls through to the cleanup below. A 'case "$KEYTYPE"
# in gpg|ssh|ssl) ;; *) usage ;; esac' before this line would close that gap.
echo "Generating $KEYTYPE key for $NODE..."
"genpair_$KEYTYPE"

# Cleanup
# NOTE(review): rm does not guarantee the plaintext private keys in $TMPWORK
# are unrecoverable from the underlying storage; keep $TMPWORK on a tmpfs or
# encrypted volume (as the prompts above already ask for $KEYDIR).
cd "$CWD"
rm -rf "$TMPWORK"
trap - EXIT