
script to create cliet TLS cert

Daniel Sheffield 2 周之前
父节点
当前提交
4631dc8179
共有 1 个文件被更改,包括 65 次插入0 次删除
  1. 65 0
      termux-shortcuts/.shortcuts/create-client-cert.sh

+ 65 - 0
termux-shortcuts/.shortcuts/create-client-cert.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+set -euo pipefail
+set -x
+signing_server="${1}"
+user="${2}"
+signing_cert="${3:-/etc/private-ca/server-cert.pem}"
+output="${HOME}/storage/downloads/${user}.pfx"
+
+# FILL OUT INFO
+country=.
+state=.
+loc=.
+org=.
+unit=.
+user="${user}"
+email=.
+#
+
+WD=$(mktemp -d)
+cleanup (){
+	rm -rf "$WD"
+}
+trap 'cleanup' EXIT
+
+cd "$WD"
+
+# create CA (if lost/expired)
+#openssl req -x509 -newkey rsa:4096 -keyout server-key.pem -out server-cert.pem -sha256 -days 365 -nodes -addext "subjectAltName=DNS:auth"
+#openssl req -x509 -newkey ec:/proc/self/fd/4 -keyout server-key.pem -out server-cert.pem -sha256 -days 365 -nodes -addext "subjectAltName=DNS:auth" 4< <(openssl ecparam -name secp521r1) -subj "$(tr -d '\n' < ca.opts)"
+
+# create user key
+openssl genrsa -out "${user}.key" 4096
+
+# download server cert
+[ -f server-cert.pem ] || scp "$signing_server:$signing_cert" .
+
+# create extensions file
+ssh $signing_server "cat - > ~/${user}.ext" <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ${user}
+EOF
+
+# sign csr
+ssh "$signing_server" "sudo openssl x509 -req -CA "$signing_cert" -CAkey "${signing_cert%cert.pem}key.pem" -CAcreateserial -days 90 -sha256 -extfile ~/${user}.ext" < <(openssl req \
+	-new \
+	-key "${user}.key" \
+	-out - \
+	-subj "$(tr -d '\n' <<EOF
+/C=${country}
+/ST=${state}
+/L=${loc}
+/O=${org}
+/OU=${unit}
+/CN=${user}
+/emailAddress=${email}
+EOF
+)" </dev/null) > "${user}.crt"
+
+# create pfx
+openssl pkcs12 -export -inkey "${user}.key" -in "${user}.crt" -certfile server-cert.pem -name "${user} $(date +%Y-%m-%d)" -out - > "$output"
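Review bot: The scp on the "download server cert" line saves the CA certificate under its remote basename, but the pkcs12 step at the end hard-codes `-certfile server-cert.pem`, so passing any other path as `$3` makes the final export fail after the CSR has already been signed; write it as `scp "$signing_server:$signing_cert" server-cert.pem` (the `[ -f ... ]` guard is always false in a fresh mktemp dir and can go). In the "create extensions file" step `$signing_server` is unquoted, unlike the other two ssh/scp calls, and `${user}` is spliced into the remote command string both there and in the signing step, so a username with spaces or shell metacharacters is reinterpreted by the remote shell; `ssh "$signing_server" "cat - > ~/$(printf '%q' "$user").ext" <<EOF` closes that gap for the first call. In the signing step the inner double quotes around `$signing_cert` and the `${signing_cert%cert.pem}key.pem` expansion terminate the outer string locally, so those paths reach the remote shell unquoted and the quoting only looks protective; building each remote argument with `printf '%q'` would make it real. The `${signing_cert%cart.pem}` suffix strip presumably also yields a wrong key path when `$3` does not end in `cert.pem`, which is worth a comment on the `signing_cert` default. Finally, the extensions file carries no `extendedKeyUsage = clientAuth`, which some TLS servers require for a client certificate, and `user="${user}"` in the FILL OUT INFO block is a no-op.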