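#!/bin/bash
# Create a private CA and an AMT "domain" (provisioning) certificate, bundle
# them into a PFX, then build and run the amt-setupbin image (Dockerfile in
# the current directory) to produce the Setup.bin AMT configuration file and
# disk image under ./amt-ca.
#
# Optional environment overrides. The defaults are LAB placeholders for the
# amt.test domain — set real values in the environment instead of editing
# this file, and never reuse these defaults outside a throwaway setup:
#   AMT_DOMAIN                   DNS suffix the device is provisioned for
#   AMT_DOMAIN_PFX_PASSWORD      password protecting the exported PFX
#   AMT_DEVICE_CURRENT_PASSWORD  AMT password currently set on the device
#   AMT_DEVICE_NEW_PASSWORD      AMT password Setup.bin will set
#   AMT_CA_DAYS                  validity (days) of the private CA
#   AMT_CERT_DAYS                validity (days) of the domain certificate
set -euo pipefail

amt_domain="${AMT_DOMAIN:-amt.test}"
amt_domain_pfx_password="${AMT_DOMAIN_PFX_PASSWORD:-HeyH0Password!}"
amt_device_current_password="${AMT_DEVICE_CURRENT_PASSWORD:-admin}"
amt_device_new_password="${AMT_DEVICE_NEW_PASSWORD:-HeyH0Password!}"
# The original hard-coded a CA lifetime (3560 days) shorter than the leaf
# certificate it signs (3650 days); the leaf must never outlive its issuer,
# so the CA defaults to twice the leaf lifetime and is checked below.
amt_ca_days="${AMT_CA_DAYS:-7300}"
amt_cert_days="${AMT_CERT_DAYS:-3650}"

die() {
  printf 'create-provisioning-certificate: %s\n' "$*" >&2
  exit 1
}

# Everything written below is key material or derived from it: make new
# files private regardless of the creating tool's own defaults.
umask 077
install -d -m 700 amt-ca
pushd amt-ca >/dev/null

# Extensions for the AMT domain (leaf) certificate: serverAuth plus the
# Intel-specific EKU OID the provisioning flow requires (presumably the AMT
# remote-configuration EKU — confirm against Intel's AMT documentation), and
# the provisioning DNS suffix in the SAN.
cat >"$amt_domain-crt.conf" <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 2.16.840.1.113741.1.2.3
subjectAltName = @alt_names
[alt_names]
DNS.1 = $amt_domain
EOF

# CSR config: non-interactive, CN = the provisioning domain.
cat >"$amt_domain-csr.conf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
CN = $amt_domain
EOF

# A fresh leaf key and CSR on every run.
openssl genrsa \
  -out "$amt_domain-key.pem" \
  2048
openssl req \
  -new \
  -config "$amt_domain-csr.conf" \
  -key "$amt_domain-key.pem" \
  -out "$amt_domain-csr.pem"

# Create the private CA only once; an existing CA is reused (presumably so
# devices already provisioned against its hash keep trusting it). The CA key
# is unencrypted (-nodes) and protected only by the 0700 directory and
# umask — acceptable for a lab, not for a production CA.
if [[ ! -f amt-ca-crt.pem ]]; then
  openssl req \
    -x509 \
    -sha256 \
    -days "$amt_ca_days" \
    -nodes \
    -newkey rsa:2048 \
    -subj "/CN=AMT CA" \
    -keyout amt-ca-key.pem \
    -out amt-ca-crt.pem
fi

# Refuse to issue a leaf that would outlive the (possibly reused) CA:
# -checkend exits non-zero if the CA expires within the leaf's lifetime.
openssl x509 -noout -in amt-ca-crt.pem \
  -checkend "$((amt_cert_days * 86400))" >/dev/null \
  || die "amt-ca-crt.pem expires within AMT_CERT_DAYS=$amt_cert_days; raise AMT_CA_DAYS and recreate the CA, or lower AMT_CERT_DAYS"

# Sign the domain CSR with the private CA.
openssl x509 \
  -req \
  -sha256 \
  -days "$amt_cert_days" \
  -in "$amt_domain-csr.pem" \
  -CA amt-ca-crt.pem \
  -CAkey amt-ca-key.pem \
  -CAcreateserial \
  -extfile "$amt_domain-crt.conf" \
  -out "$amt_domain-crt.pem"

# Bundle the domain key, its certificate and the CA certificate into a PFX.
# The password is handed to openssl through the environment (env:) rather
# than on argv, so it is not exposed to `ps` on a shared host.
AMT_PFX_PASSWORD="$amt_domain_pfx_password" openssl pkcs12 \
  -export \
  -inkey "$amt_domain-key.pem" \
  -in "$amt_domain-crt.pem" \
  -certfile amt-ca-crt.pem \
  -passout env:AMT_PFX_PASSWORD \
  -out "$amt_domain.pfx"

# SHA-256 fingerprint of the CA certificate as lowercase hex without colons,
# the form the --certificate argument below takes. The digest label openssl
# prints has varied in case across releases ("SHA256 Fingerprint=" vs
# "sha256 Fingerprint="), so match it case-insensitively and fail loudly
# rather than passing an empty hash on to the container.
amt_ca_certificate_hash="$(
  openssl x509 -noout -fingerprint -sha256 -in amt-ca-crt.pem \
    | sed -n -E 's/^[Ss][Hh][Aa]256 Fingerprint=//p' \
    | tr -d ':' \
    | tr '[:upper:]' '[:lower:]')"
[[ "$amt_ca_certificate_hash" =~ ^[0-9a-f]{64}$ ]] \
  || die "could not extract the sha256 fingerprint of amt-ca-crt.pem"

# Back to the directory holding the Dockerfile.
popd >/dev/null

# Build the Setup.bin tooling image.
docker build -t amt-setupbin .

# Create Setup.bin and Setup.bin.img in ./amt-ca as the invoking user.
# NOTE(review): the whole amt-ca directory — CA private key included — is
# mounted into the container, and both device passwords travel on the
# container's argv (visible in `ps` and `docker inspect` on the host); that
# is the tool's CLI as used here, so narrow the mount or use a secrets
# mechanism if the image supports one, and check whether --debug echoes the
# passwords before sharing its output.
docker run --rm \
  -i \
  -u "$(id -u):$(id -g)" \
  -v "$PWD/amt-ca:/host:rw" \
  -w /host \
  amt-setupbin \
  --debug \
  --current-password "$amt_device_current_password" \
  --new-password "$amt_device_new_password" \
  --pki-dns-suffix "$amt_domain" \
  --certificate "$amt_ca_certificate_hash AMT CA"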