weldon
11/16/2018 - 7:23 PM


A script that generates a CA, imports the CA into the keychain, then creates a certificate, signs it with that CA, and imports it into the keychain as well. This is an expect script and will answer all of openssl's questions for you. It adds the CA to the System keychain (`security add-trusted-cert -d`), so it has to run as root, and it leaves the CA's private key on disk afterwards — treat that key accordingly.

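#!/usr/bin/expect -f
#
# pretendco-ca.exp - build a private CA for PretendCo, trust it as a root in
# the macOS System keychain, then issue and import a TLS server certificate
# for intranet.pretendco.com signed by that CA.
#
# Every question openssl asks interactively is answered here.  The only
# input taken from the operator is the CA key passphrase: $CA_PASSPHRASE if
# it is set, otherwise it is typed once at a hidden prompt.  Do not hard-code
# it in this file, and do not run the script under `expect -d` or with
# exp_internal on - both echo every `send`, passphrase included.
#
# Must run as root: `security add-trusted-cert -d` writes the System
# keychain.  Produces, in a fresh mode-0700 directory under /private/tmp
# (path printed on exit):
#   PretendCoCA.key / PretendCoCA.pem   CA private key (encrypted) / CA cert
#   intranet.pretendco.com.key          server private key (NOT encrypted and
#                                       NOT imported - only the cert is)
#   intranet.pretendco.com.csr / .crt   request / signed server cert
#
# NOTE(review): whoever holds PretendCoCA.key plus its passphrase can mint
# certificates that every machine trusting this root will accept.  Move the
# key offline, or delete it, once you are done issuing.

set caName      "PretendCo CA"
set hostname    "intranet.pretendco.com"
set caKey       "PretendCoCA.key"
set caCert      "PretendCoCA.pem"
set srvKey      "$hostname.key"
set srvCsr      "$hostname.csr"
set srvCert     "$hostname.crt"
set srvExt      "$hostname.ext"
set sysKeychain "/Library/Keychains/System.keychain"

# Subject fields shared by the CA and the server certificate (CN differs).
set country  "US"
set state    "CA"
set locality "Cupertino"
set org      "PretendCo"
set email    "admin@pretendco.com"

# Slack for slow key generation; a timeout is a hard failure, never a
# "send anyway" (the original script answered every prompt only after its
# pattern timed out, because "[]" inside double quotes is a Tcl command
# substitution and the patterns never matched).
set timeout 60

# Print a message and stop; every unexpected condition ends up here.
proc abort {msg} {
    send_user "error: $msg\n"
    exit 1
}

# Wait for PROMPT - matched as a literal substring, so openssl's "[default]"
# brackets never reach Tcl or the glob matcher - and answer it with REPLY.
proc answer {prompt reply} {
    global spawn_id
    expect \
        -ex $prompt { send -- "$reply\r" } \
        timeout     { abort "timed out waiting for \"$prompt\"" } \
        eof         { abort "process exited before asking \"$prompt\"" }
}

# Let the spawned process run to completion and fail unless it exited 0.
# (The original used `interact` here, which hands the spawned process's
# terminal to the human and silently blocks on any prompt left unanswered.)
proc finish {} {
    global spawn_id
    expect \
        eof     {} \
        timeout { abort "process did not finish" }
    lassign [wait] pid sid oserr status
    if {$oserr == -1 || $status != 0} {
        abort "command exited with status $status"
    }
}

# Answer the distinguished-name questions of `openssl req`.  Only prompt
# prefixes are matched: the full text carries "[default]" brackets and
# differs between OpenSSL and LibreSSL builds.
proc answer_subject {cn} {
    global country state locality org email
    answer "Country Name"             $country
    answer "State or Province Name"   $state
    answer "Locality Name"            $locality
    answer "Organization Name"        $org
    answer "Organizational Unit Name" ""
    answer "Common Name"              $cn
    answer "Email Address"            $email
}

# --- preconditions --------------------------------------------------------

if {[exec id -u] != 0} {
    abort "run as root: `security add-trusted-cert -d` writes $sysKeychain"
}

# CA key passphrase: environment first, hidden prompt otherwise.  Note that
# a root-readable environment is still the weaker of the two options.
if {[info exists env(CA_PASSPHRASE)] && $env(CA_PASSPHRASE) ne ""} {
    set caPass $env(CA_PASSPHRASE)
} else {
    catch {stty -echo}
    send_user "Passphrase for the new CA key (not echoed): "
    expect_user -timeout -1 -re "(.*)\n"
    set caPass $expect_out(1,string)
    catch {stty echo}
    send_user "\n"
}
if {[string length $caPass] < 4} {
    abort "passphrase must be at least 4 characters (openssl's minimum)"
}

# A fresh mode-0700 directory: /private/tmp itself is world-writable and
# shared, so private keys must not be dropped directly into it where any
# local user can read them or pre-plant the file names.
set workDir [exec mktemp -d /private/tmp/pretendco.XXXXXX]
cd $workDir

# --- 1. CA private key: 2048-bit RSA wrapped with AES-256 (3DES is legacy)

spawn /usr/bin/openssl genrsa -aes256 -out $caKey 2048
answer "pass phrase" $caPass      ;# "Enter pass phrase for ..." / "Enter PEM pass phrase:"
answer "Verifying"   $caPass
finish
file attributes $caKey -permissions 0600

# --- 2. Self-signed CA certificate, valid 5 years --------------------------

spawn /usr/bin/openssl req -x509 -new -key $caKey -sha256 -days 1825 -out $caCert
answer "pass phrase" $caPass
answer_subject $caName
finish

# --- 3. Trust the CA as a root in the System keychain ---------------------

spawn /usr/bin/security add-trusted-cert -d -r trustRoot -k $sysKeychain $workDir/$caCert
finish

# --- 4. Server key and certificate request --------------------------------

spawn /usr/bin/openssl genrsa -out $srvKey 2048
finish
file attributes $srvKey -permissions 0600

spawn /usr/bin/openssl req -new -key $srvKey -out $srvCsr
answer_subject $hostname
# Leave both "extra" attributes empty.  A challenge password is stored in
# the CSR in cleartext and `openssl x509 -req` ignores it anyway - never put
# the CA passphrase there, as the original did.
answer "A challenge password"     ""
answer "An optional company name" ""
finish

# --- 5. v3 extensions for the server certificate --------------------------
# Written from Tcl instead of through a spawned bash heredoc; the section
# header is braced so Tcl does not treat "[alt_names]" as a command.
set fh [open $srvExt w]
puts $fh "authorityKeyIdentifier = keyid,issuer"
puts $fh "basicConstraints = CA:FALSE"
# digitalSignature + keyEncipherment is what a TLS server cert needs;
# nonRepudiation / dataEncipherment serve no purpose for TLS.
puts $fh "keyUsage = digitalSignature, keyEncipherment"
puts $fh "extendedKeyUsage = serverAuth"
puts $fh "subjectAltName = @alt_names"
puts $fh ""
puts $fh {[alt_names]}
puts $fh "DNS.1 = $hostname"
close $fh

# --- 6. Sign the request with the CA -------------------------------------
# 825 days is the longest validity Apple's TLS trust evaluation accepts for
# server certificates (iOS 13 / macOS 10.15 and later), which also require
# the serverAuth EKU and a DNS SAN set above; the original 1825 days would
# be rejected on those systems.

spawn /usr/bin/openssl x509 -req -in $srvCsr -CA $caCert -CAkey $caKey -CAcreateserial \
    -out $srvCert -days 825 -sha256 -extfile $srvExt
answer "pass phrase" $caPass
finish

# --- 7. Import the server certificate -------------------------------------
# Certificate only; the private key stays in $workDir.  Bundle key + cert
# as PKCS#12 yourself if the keychain identity is needed.

spawn /usr/bin/security import $workDir/$srvCert -k $sysKeychain
finish

send_user "done - CA and server material are in $workDir\n"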