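#!/bin/sh
# certs/create-client.sh — Generate Client Certificate for Sawa Control Panel
#
# Usage: create-client.sh <device-name>
#
# Writes, in the directory that holds this script:
#   <device-name>.key  2048-bit RSA private key (PEM)
#   <device-name>.crt  client certificate signed by ca.crt/ca.key, 730 days,
#                      restricted to extendedKeyUsage=clientAuth
#   <device-name>.p12  PKCS#12 bundle (key + cert + CA cert) for import
# Requires ca.key and ca.crt in that directory (created by create-ca.sh).

# Exit on error
set -e

# Everything written below is key material or derived from it; create the
# files owner-only regardless of the caller's umask.
umask 077

if [ -z "$1" ]; then
  echo "Usage: $0 <device-name>" >&2
  echo "Example: $0 my-phone" >&2
  exit 1
fi

DEVICE_NAME="$1"

# The device name becomes both a file name and the certificate CN, so it must
# not be able to change either one's structure:
#   - '/' would let the output paths leave the cert directory and is also the
#     RDN separator in the -subj string; '\' is the -subj escape character.
#   - "ca" would make the client key/cert paths equal ca.key/ca.crt, and the
#     key generation step would overwrite the Root CA private key. Matched
#     case-insensitively because some filesystems fold case.
case "$DEVICE_NAME" in
  */* | *\\*)
    echo "Error: device name must not contain '/' or '\\'." >&2
    exit 1
    ;;
  [Cc][Aa])
    echo "Error: '$DEVICE_NAME' is reserved for the Root CA files." >&2
    exit 1
    ;;
esac

CERT_DIR=$(dirname "$0")
CA_KEY="$CERT_DIR/ca.key"
CA_CRT="$CERT_DIR/ca.crt"
CLIENT_KEY="$CERT_DIR/$DEVICE_NAME.key"
CLIENT_CSR="$CERT_DIR/$DEVICE_NAME.csr"
CLIENT_CRT="$CERT_DIR/$DEVICE_NAME.crt"
CLIENT_P12="$CERT_DIR/$DEVICE_NAME.p12"
CLIENT_EXT="$CERT_DIR/client_ext.cnf"

# Validation
if [ ! -f "$CA_KEY" ] || [ ! -f "$CA_CRT" ]; then
  echo "Error: Root CA not found. Please run create-ca.sh first." >&2
  exit 1
fi

# Remove the intermediate files on every exit path: with `set -e` a failing
# openssl call would otherwise leave the CSR and the extension file behind.
trap 'rm -f -- "$CLIENT_EXT" "$CLIENT_CSR"' EXIT

echo "Step 1: Generating 2048-bit RSA private key for $DEVICE_NAME..."
openssl genrsa -out "$CLIENT_KEY" 2048

echo "Step 2: Generating Certificate Signing Request (CSR)..."
openssl req -new -key "$CLIENT_KEY" -out "$CLIENT_CSR" \
  -subj "/CN=$DEVICE_NAME/O=Sawa/C=XX"

echo "Step 3: Signing the client certificate with Root CA (valid for 2 years)..."
# Limit the certificate to TLS client authentication so it cannot be used as
# a server or CA certificate.
printf '%s\n' \
  "extendedKeyUsage=clientAuth" \
  "keyUsage=digitalSignature" > "$CLIENT_EXT"
openssl x509 -req -in "$CLIENT_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
  -CAcreateserial -out "$CLIENT_CRT" -days 730 -sha256 \
  -extfile "$CLIENT_EXT"

echo "Step 4: Exporting to PKCS12 (.p12) for mobile/browser installation..."
echo "IMPORTANT: iOS requires a non-empty password. You will be prompted for one now:"
# The export password is read from the terminal by openssl, so it never
# appears in the process list or shell history.
openssl pkcs12 -export -out "$CLIENT_P12" -inkey "$CLIENT_KEY" \
  -in "$CLIENT_CRT" -certfile "$CA_CRT"

echo ""
echo "--------------------------------------------------------"
echo "CLIENT CERTIFICATE SUCCESSFUL for: $DEVICE_NAME"
echo "--------------------------------------------------------"
echo "PEM Key: $CLIENT_KEY"
echo "PEM Cert: $CLIENT_CRT"
echo "PKCS12: $CLIENT_P12 (Use this for phone/browser)"
echo "--------------------------------------------------------"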