2,7 → 2,7 |
# $Id$ |
|
# alcasar-CA.sh |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY |
# by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy) |
# This script is distributed under the Gnu General Public License (GPL) |
# |
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> |
19,10 → 19,20 |
SRVCERT=$DIR_CERT/certs/alcasar.crt |
SRVPEM=$DIR_CERT/private/alcasar.pem |
SRVCHAIN=$DIR_CERT/certs/server-chain.pem |
CONF_FILE="/usr/local/ets/alcasar.conf" |
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2` |
DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2` |
DOMAIN=${DOMAIN:=localdomain} |
CONF_FILE="/usr/local/etc/alcasar.conf" |
hostname=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2` |
domain=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2` |
domain=${domain:=localdomain} |
fqdn_hostname="$hostname.$domain" |
# The value for organizationalUnitName must be 64 chars or less; |
# thus, hostname must be 36 chars or less. If it's too big, |
# try removing domain (merci REXY ;-) ). |
hostname_len=`echo $fqdn_hostname| wc -c` |
if [ $hostname_len -gt 36 ]; |
then |
fqdn_hostname=$hostname |
fi |
private_ip=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1` |
|
CACERT_LIFETIME="1460" |
SRVCERT_LIFETIME="1460" |
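Review bot: The truncation at `if [ $hostname_len -gt 36 ]` drops the domain from `fqdn_hostname` to satisfy the 64-char organizationalUnitName limit, but the same variable is later used for the subject CN and for the subjectAltName entry `DNS.1 = $fqdn_hostname` (hunk 100,37 → 108,21), so a long FQDN yields a server certificate whose names no longer match the host clients actually connect to. The length limit applies to the OU string only, so the alternative name should keep the full name independently of the OU shortening, e.g. `DNS.1 = $hostname.$domain` with `DNS.2 = $hostname`. `echo $fqdn_hostname| wc -c` also counts the trailing newline, so the test fires one character early; `hostname_len=${#fqdn_hostname}` measures the string directly. In `[ usr_cert ]` the rendered view does not show which of the paired `basicConstraints`, `keyUsage` and `issuerAltName` lines were removed; if more than one of each survives on the new side, keep a single definition per extension.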
71,29 → 81,27 |
default_bits = 2048 |
distinguished_name = req_distinguished_name |
# attributes = req_attributes |
x509_extensions = v3_ca # The extentions to add to the self signed cert |
|
[ v3_ca ] |
subjectKeyIdentifier = hash |
authorityKeyIdentifier = keyid:always,issuer:always |
basicConstraints = critical,CA:true |
keyUsage = cRLSign, keyCertSign |
nsCertType = sslCA |
|
[ req_distinguished_name ] |
countryName = Country Name (2 letter code) |
countryName_default = FR |
countryName_min = 2 |
countryName_max = 2 |
|
stateOrProvinceName = State or Province Name (full name) |
stateOrProvinceName_default = Some-State |
|
localityName = Locality Name (eg, city) |
localityName_default = Paris |
|
localityName_default = Lyon |
0.organizationName = Organization Name (eg, company) |
0.organizationName_default = your organization name |
|
# we can do this but it is not needed normally :-) |
#1.organizationName = Second Organization Name (eg, company) |
#1.organizationName_default = World Wide Web Pty Ltd |
|
organizationalUnitName = Organizational Unit Name (eg, section) |
#organizationalUnitName_default = |
|
commonName = Common Name (eg, your name or your server\'s hostname) |
commonName_max = 255 |
emailAddress = Email Address |
100,37 → 108,21 |
emailAddress_max = 255 |
|
[ usr_cert ] |
# These extensions are added when 'ca' signs a request. |
# This goes against PKIX guidelines but some CAs do it and some software |
# requires this to avoid interpreting an end user certificate as a CA. |
basicConstraints=CA:FALSE |
nsCertType = server |
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment |
subjectKeyIdentifier = hash |
authorityKeyIdentifier = keyid,issuer |
|
# This stuff is for subjectAltName and issuerAltname. |
basicConstraints = CA:FALSE |
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment |
issuerAltName = issuer:copy |
subjectAltName = @alt_names |
# Copy subject details |
issuerAltName = issuer:copy |
|
[alt_names] |
DNS.1 = $HOSTNAME.$DOMAIN |
|
DNS.1 = $fqdn_hostname |
IP.1 = $private_ip |
EOF |
|
# The value for organizationalUnitName must be 64 chars or less; |
# thus, hostname must be 36 chars or less. If it's too big, |
# try removing domain (merci REXY ;-) ). |
hostname_len=`echo $HOSTNAME| wc -c` |
if [ $hostname_len -gt 36 ]; |
then |
HOSTNAME=`echo $HOSTNAME | cut -d '.' -f 1` |
fi |
|
CAMAIL= |
SRVMAIL= |
|
echo 01 > $DIR_TMP/serial |
touch $DIR_TMP/index.txt |
|
141,36 → 133,40 |
|
# CA certificate |
rm -f $CACERT |
echo >> $DIR_TMP/openssl-log |
echo "*********CACERT*********" >> $DIR_TMP/openssl-log |
echo "$COUNTRY |
$PROVINCE |
$LOCATION |
$ORGANIZATION |
Certification Authority for $HOSTNAME.$DOMAIN |
$HOSTNAME-local-CA |
Certification Authority for $fqdn_hostname |
$fqdn_hostname-local-CA |
$CAMAIL" | |
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log |
|
# Server key |
rm -f $SRVKEY |
echo >> $DIR_TMP/openssl-log |
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log |
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log |
|
# Server certificate "request" |
echo >> $DIR_TMP/openssl-log |
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log |
echo "$COUNTRY |
$PROVINCE |
$LOCATION |
$ORGANIZATION |
Server certificate for $HOSTNAME.$DOMAIN |
$HOSTNAME.$DOMAIN |
Server certificate for $fqdn_hostname |
$fqdn_hostname |
$SRVMAIL" | |
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log |
|
# Sign the server certificate "request" to create server certificate |
rm -f $SRVCERT |
echo >> $DIR_TMP/openssl-log |
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log |
openssl ca -config $DIR_TMP/ssl.conf -name $HOSTNAME-local-CA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log |
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log |
rm -f $SRVREQ |
|
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM |