added script to verify cert, key and cert chain. Useful for generating haproxy cert bundle.

3459a0a7 · Xueshan Feng · e9907d97 · 3459a0a7
Commit 3459a0a7 authored May 02, 2017 by Xueshan Feng
--- a/verify-haproxy-pem.sh
+++ b/verify-haproxy-pem.sh
+#!/bin/bash
+
+# Script to verify 
+
+fqdn=$1
+[ -z "$fqdn" ] && echo "Usage: ./$(basename $0) <fqdn>" && exit 1
+
+echo Checking key file $fqdn
+[ ! -f $fqdn.key ] && echo "$fqdn.key doesn't exit." && exit 1
+keymd5=$(openssl  rsa -noout -modulus -in $fqdn.key | openssl md5)
+echo "md5 = $keymd5"
+
+echo Checking server cert $cert
+cert="$(echo $fqdn | tr '.' '_')_cert.cer"
+[ ! -f $cert ] && echo "$cert doesn't exit." && exit 1
+certmd5=$(openssl x509 -noout -modulus -in $cert  | openssl md5)
+echo "md5 = $certmd5"
+
+if [ "$keymd5" != "$certmd5" ]
+then
+  echo "Certificate and private key doesn't match."
+  exit 1
+fi
+
+echo Checking CA chain
+interm="$(echo $fqdn | tr '.' '_')_interm.cer"
+[ ! -f $interm ] && echo "$interm doesn't exit." && exit 1
+if ! openssl verify -CAfile $interm  $cert |grep OK ;
+then
+  echo "CA chain verification failed."
+  exit 1
+fi
+
+echo Check CAfile. Should be in intermidate1, intermiate2,...rootca format.
+if ! openssl  x509 -noout -text -in words_stanford_edu_interm.cer  | grep CN=InCommon ;
+then
+  echo Haproxy needs CA bundle should be in this order: intermidate1, intermiate2,...rootca. 
+else
+  echo ""
+  echo "You can generate $fqdn.pem by cancadinating $cert $interm, and $fqdn.key together."
+fi
+