Subversion Repositories ALCASAR

Rev

Rev 2922 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
675 richard 1
#!/bin/sh
64 franck 2
# $Id: alcasar-CA.sh 2924 2021-02-23 21:42:48Z rexy $
3
 
1 root 4
# alcasar-CA.sh
2924 rexy 5
# by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
1 root 6
# This script is distributed under the Gnu General Public License (GPL)
675 richard 7
#
2454 tom.houday 8
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
675 richard 9
# and Michel Arboi <arboi@alussinan.org>
10
#
1 root 11
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
12
DIR_PKI=/etc/pki
13
DIR_CERT=$DIR_PKI/tls
14
DIR_WEB=/var/www/html
15
CACERT=$DIR_PKI/CA/alcasar-ca.crt
16
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
675 richard 17
SRVREQ=$DIR_CERT/alcasar.req
18
SRVKEY=$DIR_CERT/private/alcasar.key
1 root 19
SRVCERT=$DIR_CERT/certs/alcasar.crt
2488 lucas.echa 20
SRVPEM=$DIR_CERT/private/alcasar.pem
2813 rexy 21
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
2924 rexy 22
CONF_FILE="/usr/local/etc/alcasar.conf"
23
hostname=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
24
domain=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
25
domain=${domain:=localdomain}
26
fqdn_hostname="$hostname.$domain"
27
# The value for organizationalUnitName must be 64 chars or less;
28
#   thus, hostname must be 36 chars or less. If it's too big,
29
#   try removing domain (merci REXY ;-) ).
30
hostname_len=`echo $fqdn_hostname| wc -c`
31
if [ $hostname_len -gt 36 ];
32
then
33
	fqdn_hostname=$hostname
34
fi
35
private_ip=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
1 root 36
 
37
CACERT_LIFETIME="1460"
38
SRVCERT_LIFETIME="1460"
39
COUNTRY="FR"
40
PROVINCE="none"
41
LOCATION="Paris"
5 franck 42
ORGANIZATION="ALCASAR-Team"
1 root 43
 
44
mkdir $DIR_TMP || exit 1
2801 rexy 45
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
1 root 46
# dynamic conf file for openssl
47
cat <<EOF >$DIR_TMP/ssl.conf
48
RANDFILE		= $HOME/.rnd
49
#
2924 rexy 50
[ca]
1 root 51
default_ca = AlcasarCA
52
 
2924 rexy 53
[AlcasarCA]
54
dir		= $DIR_TMP		# Where everything is kept
55
certs		= \$dir			# Where the issued certs are kept
56
crl_dir		= \$dir			# Where the issued crl are kept
57
database	= \$dir/index.txt	# database index file.
58
new_certs_dir	= \$dir			# default place for new certs.
59
certificate	= $CACERT	 	# The CA certificate
60
serial		= \$dir/serial 		# The current serial number
61
crl		= \$dir/crl.pem 	# The current CRL
62
private_key	= $CAKEY		# The private key
63
x509_extensions	= usr_cert		# The extentions to add to the cert
64
crl_extensions	= crl_ext
65
default_days	= 365			# how long to certify for
66
default_crl_days= 30			# how long before next CRL
67
default_md	= sha256		# which message digest to use.
68
preserve	= no			# keep passed DN ordering
69
policy		= policy_anything
1 root 70
 
2924 rexy 71
[policy_anything]
1 root 72
countryName             = optional
73
stateOrProvinceName     = optional
74
localityName            = optional
75
organizationName        = optional
76
organizationalUnitName  = optional
77
commonName              = supplied
78
emailAddress            = optional
79
 
2924 rexy 80
[req]
1702 richard 81
default_bits		= 2048
1 root 82
distinguished_name	= req_distinguished_name
83
# attributes		= req_attributes
2924 rexy 84
x509_extensions		= v3_ca		# The extentions to add to the self signed cert
1 root 85
 
2924 rexy 86
[ v3_ca ]
87
subjectKeyIdentifier	= hash
88
authorityKeyIdentifier	= keyid:always,issuer:always
89
basicConstraints	= critical,CA:true
90
keyUsage		= cRLSign, keyCertSign
91
nsCertType		= sslCA
1 root 92
 
2924 rexy 93
[req_distinguished_name]
94
countryName			= Country Name (2 letter code)
95
countryName_default		= FR
96
countryName_min			= 2
97
countryName_max			= 2
98
stateOrProvinceName		= State or Province Name (full name)
99
stateOrProvinceName_default	= Some-State
100
localityName			= Locality Name (eg, city)
101
localityName_default		= Lyon
102
0.organizationName		= Organization Name (eg, company)
103
0.organizationName_default	= your organization name
104
organizationalUnitName		= Organizational Unit Name (eg, section)
105
commonName			= Common Name (eg, your name or your server\'s hostname)
106
commonName_max			= 255
107
emailAddress			= Email Address
108
emailAddress_max		= 255
1 root 109
 
2924 rexy 110
[usr_cert]
111
nsCertType			= server
112
subjectKeyIdentifier		= hash
113
authorityKeyIdentifier		= keyid,issuer
114
basicConstraints		= CA:FALSE
115
keyUsage			= digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
116
issuerAltName			= issuer:copy
117
subjectAltName			= @alt_names
1 root 118
 
2922 rexy 119
[alt_names]
2924 rexy 120
DNS.1				= $fqdn_hostname
121
IP.1				= $private_ip
1 root 122
EOF
123
 
2814 rexy 124
CAMAIL=
125
SRVMAIL=
1 root 126
echo 01 > $DIR_TMP/serial
127
touch $DIR_TMP/index.txt
128
 
5 franck 129
# CA key
130
rm -f $CAKEY
131
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
2924 rexy 132
openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log
5 franck 133
 
134
# CA certificate
135
rm -f $CACERT
2924 rexy 136
echo >> $DIR_TMP/openssl-log
5 franck 137
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
138
echo "$COUNTRY
1 root 139
$PROVINCE
140
$LOCATION
141
$ORGANIZATION
2924 rexy 142
Certification Authority for $fqdn_hostname
143
$fqdn_hostname-local-CA
1705 richard 144
$CAMAIL" | 
145
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
5 franck 146
 
1 root 147
# Server key
148
rm -f $SRVKEY	
2924 rexy 149
echo >> $DIR_TMP/openssl-log
1 root 150
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
1705 richard 151
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
1 root 152
 
153
# Server certificate "request"
2924 rexy 154
echo >> $DIR_TMP/openssl-log
1 root 155
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
156
echo "$COUNTRY
157
$PROVINCE
158
$LOCATION
159
$ORGANIZATION
2924 rexy 160
Server certificate for $fqdn_hostname
161
$fqdn_hostname
1 root 162
$SRVMAIL" | 
163
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
164
 
165
# Sign the server certificate "request" to create server certificate
166
rm -f $SRVCERT
2924 rexy 167
echo >> $DIR_TMP/openssl-log
1 root 168
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
2924 rexy 169
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
1 root 170
rm -f $SRVREQ
2554 lucas.echa 171
 
172
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
2703 tom.houday 173
cp -f $CACERT $SRVCHAIN
2554 lucas.echa 174
 
2775 rexy 175
# Limit rights
176
chown -R root:root $SRVKEY $CAKEY
177
chmod -R 0600 $SRVKEY $CAKEY
1 root 178
 
675 richard 179
# Link certs in ALCASAR Control Center
1 root 180
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
2293 tom.houday 181
	then
182
	[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
183
	rm -f $DIR_WEB/certs/*
184
	ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
185
	ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
186
	rm -rf $DIR_TMP
187
	exit 0
1 root 188
else
2758 rexy 189
	echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)" 
2293 tom.houday 190
	exit 1
1 root 191
fi