WebSVN – ALCASAR – Diff – /scripts/alcasar-CA.sh


#!/bin/sh
# $Id: alcasar-CA.sh 518 2011-03-25 16:04:12Z stephane $
 
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> 
# and Michel Arboi <arboi@alussinan.org>
#
 
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
DIR_WEB=/var/www/html
CACERT=$DIR_PKI/CA/alcasar-ca.crt
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVKEY=$DIR_CERT/private/alcasar.key
SRVREQ=$DIR_CERT/alcasar.req
FIC_PARAM="/root/ALCASAR-parameters.txt"
 
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
COUNTRY="FR"
PROVINCE="none"
LOCATION="Paris"
ORGANIZATION="ALCASAR-Team"
 
mkdir $DIR_TMP || exit 1
# dynamic conf file for openssl
cat <<EOF >$DIR_TMP/ssl.conf
RANDFILE		= $HOME/.rnd
#
[ ca ]
default_ca = AlcasarCA
 
[ AlcasarCA ]
dir		= $DIR_TMP		# Where everything is kept
certs		= \$dir			# Where the issued certs are kept
crl_dir		= \$dir			# Where the issued crl are kept
database	= \$dir/index.txt	# database index file.
new_certs_dir	= \$dir			# default place for new certs.
 
certificate	= $CACERT	 	# The CA certificate
serial		= \$dir/serial 		# The current serial number
crl		= \$dir/crl.pem 	# The current CRL
private_key	= $CAKEY		# The private key
 
x509_extensions	= usr_cert		# The extentions to add to the cert
crl_extensions	= crl_ext
 
default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= md5			# which md to use.
preserve	= no			# keep passed DN ordering
 
policy		= policy_anything
 
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ req ]
default_bits		= 1024
distinguished_name	= req_distinguished_name
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= FR
countryName_min			= 2
countryName_max			= 2
 
stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State
 
localityName			= Locality Name (eg, city)
localityName_default		= Lyon
 
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= your organization name
 
# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd
 
organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
 
commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 255
 
emailAddress			= Email Address
emailAddress_max		= 255
 
# SET-ex3			= SET extension number 3
 
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType			= nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType			= server
 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
 
# Copy subject details
issuerAltName=issuer:copy
 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF
 
hostname=`hostname`
if [ -z "$hostname" ];
then
 echo "Impossible de déterminer le nom d'hôte !!!"
 exit 1
fi
 
# The value for organizationalUnitName must be 64 chars or less;
#   thus, hostname must be 36 chars or less. If it's too big,
#   try removing domain (merci REXY ;-) ).
hostname_len=`echo $hostname| wc -c`
if [ $hostname_len -gt 36 ];
then
  hostname=`echo $hostname | cut -d '.' -f 1`
fi
 
CAMAIL=ca@$hostname
SRVMAIL=apache@$hostname
 
echo 01 > $DIR_TMP/serial
touch $DIR_TMP/index.txt
 
# CA key
rm -f $CAKEY
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
openssl genrsa -out $CAKEY  1024 2>> $DIR_TMP/openssl-log
 
# CA certificate
rm -f $CACERT
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Certification Authority for $hostname
ALCASAR-local-CA
$CAMAIL" |
	openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
 
# Server key
rm -f $SRVKEY	
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log
 
# Server certificate "request"
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Server certificate for $hostname
$hostname
$SRVMAIL" | 
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
 
# Sign the server certificate "request" to create server certificate
rm -f $SRVCERT
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
rm -f $SRVREQ
chmod a+r $CACERT $SRVCERT 
 
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
 then
 echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM
 echo "   Certificat = $CACERT" >> $FIC_PARAM
 echo "   Clée privée = $CAKEY" >> $FIC_PARAM
 echo "- Certificat du serveur : " >> $FIC_PARAM
 echo "    Certificat = $SRVCERT" >> $FIC_PARAM
 echo "    Clée privée = $SRVKEY" >> $FIC_PARAM
 [ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
 rm -f $DIR_WEB/certs/*
 ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
 ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
 rm -rf $DIR_TMP
 exit 0
else
 echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
 exit 1
fi
 

Rev 510	Rev 518
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: alcasar-CA.sh 510 2011-03-20 21:46:17Z richard $`	2	`# $Id: alcasar-CA.sh 518 2011-03-25 16:04:12Z stephane $`
3		3
4	`# alcasar-CA.sh`	4	`# alcasar-CA.sh`
5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`	5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`#`	7	`#`
8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`	8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`
9	`# and Michel Arboi <arboi@alussinan.org>`	9	`# and Michel Arboi <arboi@alussinan.org>`
10	`#`	10	`#`
11		-
12	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`	11	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`
13	`DIR_PKI=/etc/pki`	12	`DIR_PKI=/etc/pki`
14	`DIR_CERT=$DIR_PKI/tls`	13	`DIR_CERT=$DIR_PKI/tls`
15	`DIR_WEB=/var/www/html`	14	`DIR_WEB=/var/www/html`
16	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`	15	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`
17	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`	16	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`
18	`SRVCERT=$DIR_CERT/certs/alcasar.crt`	17	`SRVCERT=$DIR_CERT/certs/alcasar.crt`
19	`SRVKEY=$DIR_CERT/private/alcasar.key`	18	`SRVKEY=$DIR_CERT/private/alcasar.key`
20	`SRVREQ=$DIR_CERT/alcasar.req`	19	`SRVREQ=$DIR_CERT/alcasar.req`
21	`FIC_PARAM="/root/ALCASAR-parameters.txt"`	20	`FIC_PARAM="/root/ALCASAR-parameters.txt"`
22		21
23	`CACERT_LIFETIME="1460"`	22	`CACERT_LIFETIME="1460"`
24	`SRVCERT_LIFETIME="1460"`	23	`SRVCERT_LIFETIME="1460"`
25	`COUNTRY="FR"`	24	`COUNTRY="FR"`
26	`PROVINCE="none"`	25	`PROVINCE="none"`
27	`LOCATION="Paris"`	26	`LOCATION="Paris"`
28	`ORGANIZATION="ALCASAR-Team"`	27	`ORGANIZATION="ALCASAR-Team"`
29		28
30	`mkdir $DIR_TMP \|\| exit 1`	29	`mkdir $DIR_TMP \|\| exit 1`
31	`# dynamic conf file for openssl`	30	`# dynamic conf file for openssl`
32	`cat <<EOF >$DIR_TMP/ssl.conf`	31	`cat <<EOF >$DIR_TMP/ssl.conf`
33	`RANDFILE = $HOME/.rnd`	32	`RANDFILE = $HOME/.rnd`
34	`#`	33	`#`
35	`[ ca ]`	34	`[ ca ]`
36	`default_ca = AlcasarCA`	35	`default_ca = AlcasarCA`
37		36
38	`[ AlcasarCA ]`	37	`[ AlcasarCA ]`
39	`dir = $DIR_TMP # Where everything is kept`	38	`dir = $DIR_TMP # Where everything is kept`
40	`certs = \$dir # Where the issued certs are kept`	39	`certs = \$dir # Where the issued certs are kept`
41	`crl_dir = \$dir # Where the issued crl are kept`	40	`crl_dir = \$dir # Where the issued crl are kept`
42	`database = \$dir/index.txt # database index file.`	41	`database = \$dir/index.txt # database index file.`
43	`new_certs_dir = \$dir # default place for new certs.`	42	`new_certs_dir = \$dir # default place for new certs.`
44		43
45	`certificate = $CACERT # The CA certificate`	44	`certificate = $CACERT # The CA certificate`
46	`serial = \$dir/serial # The current serial number`	45	`serial = \$dir/serial # The current serial number`
47	`crl = \$dir/crl.pem # The current CRL`	46	`crl = \$dir/crl.pem # The current CRL`
48	`private_key = $CAKEY # The private key`	47	`private_key = $CAKEY # The private key`
49		48
50	`x509_extensions = usr_cert # The extentions to add to the cert`	49	`x509_extensions = usr_cert # The extentions to add to the cert`
51	`crl_extensions = crl_ext`	50	`crl_extensions = crl_ext`
52		51
53	`default_days = 365 # how long to certify for`	52	`default_days = 365 # how long to certify for`
54	`default_crl_days= 30 # how long before next CRL`	53	`default_crl_days= 30 # how long before next CRL`
55	`default_md = md5 # which md to use.`	54	`default_md = md5 # which md to use.`
56	`preserve = no # keep passed DN ordering`	55	`preserve = no # keep passed DN ordering`
57		56
58	`policy = policy_anything`	57	`policy = policy_anything`
59		58
60	`[ policy_anything ]`	59	`[ policy_anything ]`
61	`countryName = optional`	60	`countryName = optional`
62	`stateOrProvinceName = optional`	61	`stateOrProvinceName = optional`
63	`localityName = optional`	62	`localityName = optional`
64	`organizationName = optional`	63	`organizationName = optional`
65	`organizationalUnitName = optional`	64	`organizationalUnitName = optional`
66	`commonName = supplied`	65	`commonName = supplied`
67	`emailAddress = optional`	66	`emailAddress = optional`
68		67
69	`[ req ]`	68	`[ req ]`
70	`default_bits = 1024`	69	`default_bits = 1024`
71	`distinguished_name = req_distinguished_name`	70	`distinguished_name = req_distinguished_name`
72	`# attributes = req_attributes`	71	`# attributes = req_attributes`
73	`x509_extensions = v3_ca # The extentions to add to the self signed cert`	72	`x509_extensions = v3_ca # The extentions to add to the self signed cert`
74		73
75	`[ req_distinguished_name ]`	74	`[ req_distinguished_name ]`
76	`countryName = Country Name (2 letter code)`	75	`countryName = Country Name (2 letter code)`
77	`countryName_default = FR`	76	`countryName_default = FR`
78	`countryName_min = 2`	77	`countryName_min = 2`
79	`countryName_max = 2`	78	`countryName_max = 2`
80		79
81	`stateOrProvinceName = State or Province Name (full name)`	80	`stateOrProvinceName = State or Province Name (full name)`
82	`stateOrProvinceName_default = Some-State`	81	`stateOrProvinceName_default = Some-State`
83		82
84	`localityName = Locality Name (eg, city)`	83	`localityName = Locality Name (eg, city)`
85	`localityName_default = Lyon`	84	`localityName_default = Lyon`
86		85
87	`0.organizationName = Organization Name (eg, company)`	86	`0.organizationName = Organization Name (eg, company)`
88	`0.organizationName_default = your organization name`	87	`0.organizationName_default = your organization name`
89		88
90	`# we can do this but it is not needed normally :-)`	89	`# we can do this but it is not needed normally :-)`
91	`#1.organizationName = Second Organization Name (eg, company)`	90	`#1.organizationName = Second Organization Name (eg, company)`
92	`#1.organizationName_default = World Wide Web Pty Ltd`	91	`#1.organizationName_default = World Wide Web Pty Ltd`
93		92
94	`organizationalUnitName = Organizational Unit Name (eg, section)`	93	`organizationalUnitName = Organizational Unit Name (eg, section)`
95	`#organizationalUnitName_default =`	94	`#organizationalUnitName_default =`
96		95
97	`commonName = Common Name (eg, your name or your server\'s hostname)`	96	`commonName = Common Name (eg, your name or your server\'s hostname)`
98	`commonName_max = 255`	97	`commonName_max = 255`
99		98
100	`emailAddress = Email Address`	99	`emailAddress = Email Address`
101	`emailAddress_max = 255`	100	`emailAddress_max = 255`
102		101
103	`# SET-ex3 = SET extension number 3`	102	`# SET-ex3 = SET extension number 3`
104		103
105	`[ usr_cert ]`	104	`[ usr_cert ]`
106	`# These extensions are added when 'ca' signs a request.`	105	`# These extensions are added when 'ca' signs a request.`
107	`# This goes against PKIX guidelines but some CAs do it and some software`	106	`# This goes against PKIX guidelines but some CAs do it and some software`
108	`# requires this to avoid interpreting an end user certificate as a CA.`	107	`# requires this to avoid interpreting an end user certificate as a CA.`
109	`#basicConstraints=CA:FALSE`	108	`#basicConstraints=CA:FALSE`
110		109
111	`# Here are some examples of the usage of nsCertType. If it is omitted`	110	`# Here are some examples of the usage of nsCertType. If it is omitted`
112	`# the certificate can be used for anything except object signing.`	111	`# the certificate can be used for anything except object signing.`
113		112
114	`# This is OK for an SSL server.`	113	`# This is OK for an SSL server.`
115	`# nsCertType = nsCertType`	114	`# nsCertType = nsCertType`
116	`# For normal client use this is typical`	115	`# For normal client use this is typical`
117	`# nsCertType = client, email`	116	`# nsCertType = client, email`
118	`nsCertType = server`	117	`nsCertType = server`
119		118
120	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`	119	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
121		120
122	`# This will be displayed in Netscape's comment listbox.`	121	`# This will be displayed in Netscape's comment listbox.`
123	`nsComment = "OpenSSL Generated Certificate"`	122	`nsComment = "OpenSSL Generated Certificate"`
124		123
125	`# PKIX recommendations harmless if included in all certificates.`	124	`# PKIX recommendations harmless if included in all certificates.`
126	`subjectKeyIdentifier=hash`	125	`subjectKeyIdentifier=hash`
127	`authorityKeyIdentifier=keyid,issuer:always`	126	`authorityKeyIdentifier=keyid,issuer:always`
128		127
129	`# This stuff is for subjectAltName and issuerAltname.`	128	`# This stuff is for subjectAltName and issuerAltname.`
130	`# Import the email address.`	129	`# Import the email address.`
131	`subjectAltName=email:copy`	130	`subjectAltName=email:copy`
132		131
133	`# Copy subject details`	132	`# Copy subject details`
134	`issuerAltName=issuer:copy`	133	`issuerAltName=issuer:copy`
135		134
136	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`	135	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`
137	`#nsBaseUrl`	136	`#nsBaseUrl`
138	`#nsRevocationUrl`	137	`#nsRevocationUrl`
139	`#nsRenewalUrl`	138	`#nsRenewalUrl`
140	`#nsCaPolicyUrl`	139	`#nsCaPolicyUrl`
141	`#nsSslServerName`	140	`#nsSslServerName`
142		141
143	`[ v3_ca ]`	142	`[ v3_ca ]`
144	`# PKIX recommendation.`	143	`# PKIX recommendation.`
145	`subjectKeyIdentifier=hash`	144	`subjectKeyIdentifier=hash`
146	`authorityKeyIdentifier=keyid:always,issuer:always`	145	`authorityKeyIdentifier=keyid:always,issuer:always`
147		146
148	`# This is what PKIX recommends but some broken software chokes on critical`	147	`# This is what PKIX recommends but some broken software chokes on critical`
149	`# extensions.`	148	`# extensions.`
150	`basicConstraints = critical,CA:true`	149	`basicConstraints = critical,CA:true`
151	`# So we do this instead.`	150	`# So we do this instead.`
152	`#basicConstraints = CA:true`	151	`#basicConstraints = CA:true`
153		152
154	`# Key usage: this is typical for a CA certificate. However since it will`	153	`# Key usage: this is typical for a CA certificate. However since it will`
155	`# prevent it being used as an test self-signed certificate it is best`	154	`# prevent it being used as an test self-signed certificate it is best`
156	`# left out by default.`	155	`# left out by default.`
157	`keyUsage = cRLSign, keyCertSign`	156	`keyUsage = cRLSign, keyCertSign`
158	`nsCertType = sslCA`	157	`nsCertType = sslCA`
159	`EOF`	158	`EOF`
160		159
161	hostname=`hostname`	160	hostname=`hostname`
162	`if [ -z "$hostname" ];`	161	`if [ -z "$hostname" ];`
163	`then`	162	`then`
164	`echo "Impossible de déterminer le nom d'hôte !!!"`	163	`echo "Impossible de déterminer le nom d'hôte !!!"`
165	`exit 1`	164	`exit 1`
166	`fi`	165	`fi`
167		166
168	`# The value for organizationalUnitName must be 64 chars or less;`	167	`# The value for organizationalUnitName must be 64 chars or less;`
169	`# thus, hostname must be 36 chars or less. If it's too big,`	168	`# thus, hostname must be 36 chars or less. If it's too big,`
170	`# try removing domain (merci REXY ;-) ).`	169	`# try removing domain (merci REXY ;-) ).`
171	hostname_len=`echo $hostname\| wc -c`	170	hostname_len=`echo $hostname\| wc -c`
172	`if [ $hostname_len -gt 36 ];`	171	`if [ $hostname_len -gt 36 ];`
173	`then`	172	`then`
174	hostname=`echo $hostname \| cut -d '.' -f 1`	173	hostname=`echo $hostname \| cut -d '.' -f 1`
175	`fi`	174	`fi`
176		175
177	`CAMAIL=ca@$hostname`	176	`CAMAIL=ca@$hostname`
178	`SRVMAIL=apache@$hostname`	177	`SRVMAIL=apache@$hostname`
179		178
180	`echo 01 > $DIR_TMP/serial`	179	`echo 01 > $DIR_TMP/serial`
181	`touch $DIR_TMP/index.txt`	180	`touch $DIR_TMP/index.txt`
182		181
183	`# CA key`	182	`# CA key`
184	`rm -f $CAKEY`	183	`rm -f $CAKEY`
185	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`	184	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`
186	`openssl genrsa -out $CAKEY 1024 2>> $DIR_TMP/openssl-log`	185	`openssl genrsa -out $CAKEY 1024 2>> $DIR_TMP/openssl-log`
187		186
188	`# CA certificate`	187	`# CA certificate`
189	`rm -f $CACERT`	188	`rm -f $CACERT`
190	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`	189	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`
191	`echo "$COUNTRY`	190	`echo "$COUNTRY`
192	`$PROVINCE`	191	`$PROVINCE`
193	`$LOCATION`	192	`$LOCATION`
194	`$ORGANIZATION`	193	`$ORGANIZATION`
195	`Certification Authority for $hostname`	194	`Certification Authority for $hostname`
196	`ALCASAR-local-CA`	195	`ALCASAR-local-CA`
197	`$CAMAIL" \|`	196	`$CAMAIL" \|`
198	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`	197	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`
199		198
200	`# Server key`	199	`# Server key`
201	`rm -f $SRVKEY`	200	`rm -f $SRVKEY`
202	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`	201	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`
203	`openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log`	202	`openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log`
204		203
205	`# Server certificate "request"`	204	`# Server certificate "request"`
206	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`	205	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`
207	`echo "$COUNTRY`	206	`echo "$COUNTRY`
208	`$PROVINCE`	207	`$PROVINCE`
209	`$LOCATION`	208	`$LOCATION`
210	`$ORGANIZATION`	209	`$ORGANIZATION`
211	`Server certificate for $hostname`	210	`Server certificate for $hostname`
212	`$hostname`	211	`$hostname`
213	`$SRVMAIL" \|`	212	`$SRVMAIL" \|`
214	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`	213	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`
215		214
216	`# Sign the server certificate "request" to create server certificate`	215	`# Sign the server certificate "request" to create server certificate`
217	`rm -f $SRVCERT`	216	`rm -f $SRVCERT`
218	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`	217	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`
219	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`	218	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`
220	`rm -f $SRVREQ`	219	`rm -f $SRVREQ`
221	`chmod a+r $CACERT $SRVCERT`	220	`chmod a+r $CACERT $SRVCERT`
222		221
223	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`	222	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`
224	`then`	223	`then`
225	`echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM`	224	`echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM`
226	`echo " Certificat = $CACERT" >> $FIC_PARAM`	225	`echo " Certificat = $CACERT" >> $FIC_PARAM`
227	`echo " Clée privée = $CAKEY" >> $FIC_PARAM`	226	`echo " Clée privée = $CAKEY" >> $FIC_PARAM`
228	`echo "- Certificat du serveur : " >> $FIC_PARAM`	227	`echo "- Certificat du serveur : " >> $FIC_PARAM`
229	`echo " Certificat = $SRVCERT" >> $FIC_PARAM`	228	`echo " Certificat = $SRVCERT" >> $FIC_PARAM`
230	`echo " Clée privée = $SRVKEY" >> $FIC_PARAM`	229	`echo " Clée privée = $SRVKEY" >> $FIC_PARAM`
231	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`	230	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`
232	`rm -f $DIR_WEB/certs/*`	231	`rm -f $DIR_WEB/certs/*`
233	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`	232	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`
234	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`	233	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`
235	`rm -rf $DIR_TMP`	234	`rm -rf $DIR_TMP`
236	`exit 0`	235	`exit 0`
237	`else`	236	`else`
238	`echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM`	237	`echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM`
239	`exit 1`	238	`exit 1`
240	`fi`	239	`fi`
241		240

Subversion Repositories ALCASAR

(root)/scripts/alcasar-CA.sh – Rev 510 → 518