unable to bulk create client keys certificates

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).


nickp
OpenVpn Newbie
Posts: 7
Joined: Wed Jul 18, 2018 11:00 am


Post by nickp » Mon Jul 30, 2018 11:20 am

Hi,

I'm working on an automation script to be able to create multiple certificates at once. I use the easy-rsa scripts which are located in the easy-rsa folder.

Building one certificate isn't a problem but after creating that certificate, the rest of the script isn't executed.
Creation of one certificate with this script isn't a problem.

This is the script I have so far:

Code:

#!/usr/bin/env bash

#--------------------------------
# Author:
# Date:
# Title:        Create Certificates
#--------------------------------

#-------Define help function-------
usage="$(basename "$0") -- bash script that automatically generates certificates where:

        -h|-?|--help                    show this help text
        -s|--server-key                 create certificate and key for a server (repeatable). requires a ca.crt to be present
        -c|--client-key                 create certificate and key for a client (repeatable). requires a ca.crt to be present
        -C|--certificate-autority       create master certificate (add -y to skip the confirmation prompt)
        -d|--diffe-hellman              create Diffie-Hellman parameters with a 2048-bit prime
        -t|--openvpn-ta-key             create the OpenVPN tls-auth key (a shared secret, not a public key), used by openvpn to drop packets from peers that do not hold it"

#-------Define Default parameters-------

clients=()
servers=()
serverset=false
clientset=false
caset=false
dhset=false
taset=false
ta=""
yesset=false
pwd="$PWD"

#-------Define functions-------

# isEmpty OPTION VALUE: abort with usage when an option that needs a value got none
isEmpty() {
        if [ -z "$2" ]; then
                echo "$1 cannot be empty" >&2
                echo "$usage"
                exit 1
        fi
}

# checkSet OPTION FLAG: abort when a one-shot option is given twice
checkSet() {
        if [ "$2" = true ]; then
                echo "$1 cannot be created twice" >&2
                echo "$usage"
                exit 1
        fi
}

#-------Obtain arguments-------

# every case consumes only its own value; the shift after esac drops the option itself
while :; do
        case "$1" in
                -h|-\?|--help)
                        echo "$usage"
                        exit 1;;
                -s|--server-key)
                        isEmpty "$1" "$2"
                        servers+=( "$2" )
                        serverset=true
                        shift;;
                -c|--client-key)
                        isEmpty "$1" "$2"
                        clients+=( "$2" )
                        clientset=true
                        shift;;
                -C|--certificate-autority)
                        checkSet "$1" "$caset"
                        caset=true
                        # only consume the next word when it is the optional -y
                        if [ "$2" = -y ]; then
                                yesset=true
                                shift
                        fi;;
                -d|--diffe-hellman)
                        checkSet "$1" "$dhset"
                        dhset=true;;
                -t|--openvpn-ta-key)
                        isEmpty "$1" "$2"
                        checkSet "$1" "$taset"
                        taset=true
                        ta="$2"
                        shift;;
                -?*)
                        echo "$1 unknown option" >&2
                        echo "$usage"
                        exit 1;;
                *)
                        break
        esac
        shift
done

#-------Actual script-------

cd "$pwd/easy-rsa/" || { echo "easy-rsa directory not found in $pwd" >&2; exit 1; }
source ./vars

if [ "$caset" = true ]; then
        if [ "$yesset" != true ]; then
                read -p 'by doing this the current keys and certificates will be deleted, do you still want to proceed? [Y/N] ' -n 1 -r
                echo
                if [[ $REPLY =~ ^[Yy]$ ]]; then
                        yesset=true
                fi
        fi
        if [ "$yesset" = true ]; then
                ./clean-all
                ./build-ca --batch
        else
                echo 'CA certificate is not created. further commands will use the older ca key if present'
        fi
fi

if [ "$serverset" = true ]; then
        if [ ! -f keys/ca.crt ]; then
                echo 'ca.crt does not exist. unable to create server keys' >&2
        else
                # "${servers[@]}" expands to every element; a bare $servers is only the first one,
                # which is why the loop used to stop after a single certificate
                for server in "${servers[@]}"
                do
                        ./build-key-server --batch "$server"
                        echo "          finished building $server"
                done
                echo "no other server keys to be created"
        fi
fi

if [ "$clientset" = true ]; then
        if [ ! -f keys/ca.crt ]; then
                echo 'ca.crt does not exist. unable to create client keys' >&2
        else
                export EASY_RSA="${EASY_RSA:-.}"
                for client in "${clients[@]}"
                do
                        # pkitool without --interact runs non-interactively;
                        # ./build-key --batch "$client" is the equivalent wrapper
                        "$EASY_RSA/pkitool" "$client"
                        echo "          finished building $client"
                done
        fi
fi

if [ "$dhset" = true ]; then
        ./build-dh
fi

if [ "$taset" = true ]; then
        openvpn --genkey --secret "keys/$ta.key"
        echo "openvpn tls-auth key created"
fi

cd "$pwd"
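The loop-stops-after-one-certificate symptom comes from iterating `$clients` instead of `"${clients[@]}"`. The following is an added example (not the poster's script) that isolates that part: it collects repeated -c/-s options into arrays, builds every name through a hook, and puts the broken pattern beside the working one. `BUILD_CMD`, `dry_run_build`, `parse_targets`, `build_all` and `wrong_count` are names assumed for this example; the default hook only prints, so it runs without easy-rsa.

```bash
#!/usr/bin/env bash
# Added example, not the poster's script: collect repeated -c/-s options into
# bash arrays and iterate every element. An unquoted $clients expands only to
# element 0, which is why a loop over it builds one certificate and then stops.
# BUILD_CMD is a hypothetical hook (defaults to a dry run); a real one would be
# a function that calls ./build-key --batch "$name" or ./build-key-server.

dry_run_build() { echo "would build $1 certificate: $2" >&2; }  # stderr keeps stdout for counts
BUILD_CMD="${BUILD_CMD:-dry_run_build}"

# parse_targets OPTIONS...: fill the global arrays clients/servers.
# Returns 1 on a missing value or unknown option so the caller can show usage.
parse_targets() {
    clients=()
    servers=()
    while [ $# -gt 0 ]; do
        case "$1" in
            -c|--client-key)
                [ -n "${2:-}" ] || { echo "$1 needs a name" >&2; return 1; }
                clients+=("$2"); shift 2 ;;
            -s|--server-key)
                [ -n "${2:-}" ] || { echo "$1 needs a name" >&2; return 1; }
                servers+=("$2"); shift 2 ;;
            *)  echo "unknown option $1" >&2; return 1 ;;
        esac
    done
}

# build_all KIND NAME...: run BUILD_CMD once per name and print how many ran.
# Call it with "${clients[@]}" so names containing spaces stay one argument each.
build_all() {
    local kind="$1" n=0 name
    shift
    for name in "$@"; do
        "$BUILD_CMD" "$kind" "$name" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# wrong_count: the pattern from the post; only element 0 is visited.
wrong_count() {
    local n=0 name
    for name in $clients; do n=$((n + 1)); done
    echo "$n"
}

parse_targets -c alice -c "bob smith" -s vpn1 -c carol
build_all client "${clients[@]}"   # prints 3
build_all server "${servers[@]}"   # prints 1
wrong_count                        # prints 1
```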
