Subversion Repositories ALCASAR

Rev

Rev 2554 | Rev 2737 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2554 Rev 2703
1
#!/bin/sh
1
#!/bin/sh
2
# $Id: alcasar-CA.sh 2554 2018-05-20 11:02:46Z lucas.echard $
2
# $Id: alcasar-CA.sh 2703 2019-03-05 21:59:02Z tom.houdayer $
3
 
3
 
4
# alcasar-CA.sh
4
# alcasar-CA.sh
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#
7
#
8
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
8
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
9
# and Michel Arboi <arboi@alussinan.org>
9
# and Michel Arboi <arboi@alussinan.org>
10
#
10
#
11
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
11
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
12
DIR_PKI=/etc/pki
12
DIR_PKI=/etc/pki
13
DIR_CERT=$DIR_PKI/tls
13
DIR_CERT=$DIR_PKI/tls
14
DIR_WEB=/var/www/html
14
DIR_WEB=/var/www/html
15
CACERT=$DIR_PKI/CA/alcasar-ca.crt
15
CACERT=$DIR_PKI/CA/alcasar-ca.crt
16
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
16
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
17
SRVREQ=$DIR_CERT/alcasar.req
17
SRVREQ=$DIR_CERT/alcasar.req
18
SRVKEY=$DIR_CERT/private/alcasar.key
18
SRVKEY=$DIR_CERT/private/alcasar.key
19
SRVCERT=$DIR_CERT/certs/alcasar.crt
19
SRVCERT=$DIR_CERT/certs/alcasar.crt
20
SRVPEM=$DIR_CERT/private/alcasar.pem
20
SRVPEM=$DIR_CERT/private/alcasar.pem
21
SRVCHAIN=$DIR_CERT/certs/server-chain.crt
21
SRVCHAIN=$DIR_CERT/certs/server-chain.crt
22
 
22
 
23
CACERT_LIFETIME="1460"
23
CACERT_LIFETIME="1460"
24
SRVCERT_LIFETIME="1460"
24
SRVCERT_LIFETIME="1460"
25
COUNTRY="FR"
25
COUNTRY="FR"
26
PROVINCE="none"
26
PROVINCE="none"
27
LOCATION="Paris"
27
LOCATION="Paris"
28
ORGANIZATION="ALCASAR-Team"
28
ORGANIZATION="ALCASAR-Team"
29
 
29
 
30
mkdir $DIR_TMP || exit 1
30
mkdir $DIR_TMP || exit 1
31
# dynamic conf file for openssl
31
# dynamic conf file for openssl
32
cat <<EOF >$DIR_TMP/ssl.conf
32
cat <<EOF >$DIR_TMP/ssl.conf
33
RANDFILE		= $HOME/.rnd
33
RANDFILE		= $HOME/.rnd
34
#
34
#
35
[ ca ]
35
[ ca ]
36
default_ca = AlcasarCA
36
default_ca = AlcasarCA
37
 
37
 
38
[ AlcasarCA ]
38
[ AlcasarCA ]
39
dir		= $DIR_TMP		# Where everything is kept
39
dir		= $DIR_TMP		# Where everything is kept
40
certs		= \$dir			# Where the issued certs are kept
40
certs		= \$dir			# Where the issued certs are kept
41
crl_dir		= \$dir			# Where the issued crl are kept
41
crl_dir		= \$dir			# Where the issued crl are kept
42
database	= \$dir/index.txt	# database index file.
42
database	= \$dir/index.txt	# database index file.
43
new_certs_dir	= \$dir			# default place for new certs.
43
new_certs_dir	= \$dir			# default place for new certs.
44
 
44
 
45
certificate	= $CACERT	 	# The CA certificate
45
certificate	= $CACERT	 	# The CA certificate
46
serial		= \$dir/serial 		# The current serial number
46
serial		= \$dir/serial 		# The current serial number
47
crl		= \$dir/crl.pem 	# The current CRL
47
crl		= \$dir/crl.pem 	# The current CRL
48
private_key	= $CAKEY		# The private key
48
private_key	= $CAKEY		# The private key
49
 
49
 
50
x509_extensions	= usr_cert		# The extentions to add to the cert
50
x509_extensions	= usr_cert		# The extentions to add to the cert
51
crl_extensions	= crl_ext
51
crl_extensions	= crl_ext
52
 
52
 
53
default_days	= 365			# how long to certify for
53
default_days	= 365			# how long to certify for
54
default_crl_days= 30			# how long before next CRL
54
default_crl_days= 30			# how long before next CRL
55
default_md	= sha256		# which message digest to use.
55
default_md	= sha256		# which message digest to use.
56
preserve	= no			# keep passed DN ordering
56
preserve	= no			# keep passed DN ordering
57
 
57
 
58
policy		= policy_anything
58
policy		= policy_anything
59
 
59
 
60
[ policy_anything ]
60
[ policy_anything ]
61
countryName             = optional
61
countryName             = optional
62
stateOrProvinceName     = optional
62
stateOrProvinceName     = optional
63
localityName            = optional
63
localityName            = optional
64
organizationName        = optional
64
organizationName        = optional
65
organizationalUnitName  = optional
65
organizationalUnitName  = optional
66
commonName              = supplied
66
commonName              = supplied
67
emailAddress            = optional
67
emailAddress            = optional
68
 
68
 
69
[ req ]
69
[ req ]
70
default_bits		= 2048
70
default_bits		= 2048
71
distinguished_name	= req_distinguished_name
71
distinguished_name	= req_distinguished_name
72
# attributes		= req_attributes
72
# attributes		= req_attributes
73
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
73
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
74
 
74
 
75
[ req_distinguished_name ]
75
[ req_distinguished_name ]
76
countryName			= Country Name (2 letter code)
76
countryName			= Country Name (2 letter code)
77
countryName_default		= FR
77
countryName_default		= FR
78
countryName_min			= 2
78
countryName_min			= 2
79
countryName_max			= 2
79
countryName_max			= 2
80
 
80
 
81
stateOrProvinceName		= State or Province Name (full name)
81
stateOrProvinceName		= State or Province Name (full name)
82
stateOrProvinceName_default	= Some-State
82
stateOrProvinceName_default	= Some-State
83
 
83
 
84
localityName			= Locality Name (eg, city)
84
localityName			= Locality Name (eg, city)
85
localityName_default		= Lyon
85
localityName_default		= Lyon
86
 
86
 
87
0.organizationName		= Organization Name (eg, company)
87
0.organizationName		= Organization Name (eg, company)
88
0.organizationName_default	= your organization name
88
0.organizationName_default	= your organization name
89
 
89
 
90
# we can do this but it is not needed normally :-)
90
# we can do this but it is not needed normally :-)
91
#1.organizationName		= Second Organization Name (eg, company)
91
#1.organizationName		= Second Organization Name (eg, company)
92
#1.organizationName_default	= World Wide Web Pty Ltd
92
#1.organizationName_default	= World Wide Web Pty Ltd
93
 
93
 
94
organizationalUnitName		= Organizational Unit Name (eg, section)
94
organizationalUnitName		= Organizational Unit Name (eg, section)
95
#organizationalUnitName_default	=
95
#organizationalUnitName_default	=
96
 
96
 
97
commonName			= Common Name (eg, your name or your server\'s hostname)
97
commonName			= Common Name (eg, your name or your server\'s hostname)
98
commonName_max			= 255
98
commonName_max			= 255
99
 
99
 
100
emailAddress			= Email Address
100
emailAddress			= Email Address
101
emailAddress_max		= 255
101
emailAddress_max		= 255
102
 
102
 
103
# SET-ex3			= SET extension number 3
103
# SET-ex3			= SET extension number 3
104
 
104
 
105
[ usr_cert ]
105
[ usr_cert ]
106
# These extensions are added when 'ca' signs a request.
106
# These extensions are added when 'ca' signs a request.
107
# This goes against PKIX guidelines but some CAs do it and some software
107
# This goes against PKIX guidelines but some CAs do it and some software
108
# requires this to avoid interpreting an end user certificate as a CA.
108
# requires this to avoid interpreting an end user certificate as a CA.
109
#basicConstraints=CA:FALSE
109
#basicConstraints=CA:FALSE
110
 
110
 
111
# Here are some examples of the usage of nsCertType. If it is omitted
111
# Here are some examples of the usage of nsCertType. If it is omitted
112
# the certificate can be used for anything *except* object signing.
112
# the certificate can be used for anything *except* object signing.
113
 
113
 
114
# This is OK for an SSL server.
114
# This is OK for an SSL server.
115
# nsCertType			= nsCertType
115
# nsCertType			= nsCertType
116
# For normal client use this is typical
116
# For normal client use this is typical
117
# nsCertType = client, email
117
# nsCertType = client, email
118
nsCertType			= server
118
nsCertType			= server
119
 
119
 
120
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
120
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
121
 
121
 
122
# This will be displayed in Netscape's comment listbox.
122
# This will be displayed in Netscape's comment listbox.
123
nsComment			= "OpenSSL Generated Certificate"
123
nsComment			= "OpenSSL Generated Certificate"
124
 
124
 
125
# PKIX recommendations harmless if included in all certificates.
125
# PKIX recommendations harmless if included in all certificates.
126
subjectKeyIdentifier=hash
126
subjectKeyIdentifier=hash
127
authorityKeyIdentifier=keyid,issuer:always
127
authorityKeyIdentifier=keyid,issuer:always
128
 
128
 
129
# This stuff is for subjectAltName and issuerAltname.
129
# This stuff is for subjectAltName and issuerAltname.
130
# Import the email address.
130
# Import the email address.
131
subjectAltName=email:copy
131
subjectAltName=email:copy
132
 
132
 
133
# Copy subject details
133
# Copy subject details
134
issuerAltName=issuer:copy
134
issuerAltName=issuer:copy
135
 
135
 
136
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
136
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
137
#nsBaseUrl
137
#nsBaseUrl
138
#nsRevocationUrl
138
#nsRevocationUrl
139
#nsRenewalUrl
139
#nsRenewalUrl
140
#nsCaPolicyUrl
140
#nsCaPolicyUrl
141
#nsSslServerName
141
#nsSslServerName
142
 
142
 
143
[ v3_ca ]
143
[ v3_ca ]
144
# PKIX recommendation.
144
# PKIX recommendation.
145
subjectKeyIdentifier=hash
145
subjectKeyIdentifier=hash
146
authorityKeyIdentifier=keyid:always,issuer:always
146
authorityKeyIdentifier=keyid:always,issuer:always
147
 
147
 
148
# This is what PKIX recommends but some broken software chokes on critical
148
# This is what PKIX recommends but some broken software chokes on critical
149
# extensions.
149
# extensions.
150
basicConstraints = critical,CA:true
150
basicConstraints = critical,CA:true
151
# So we do this instead.
151
# So we do this instead.
152
#basicConstraints = CA:true
152
#basicConstraints = CA:true
153
 
153
 
154
# Key usage: this is typical for a CA certificate. However since it will
154
# Key usage: this is typical for a CA certificate. However since it will
155
# prevent it being used as an test self-signed certificate it is best
155
# prevent it being used as an test self-signed certificate it is best
156
# left out by default.
156
# left out by default.
157
keyUsage = cRLSign, keyCertSign
157
keyUsage = cRLSign, keyCertSign
158
nsCertType = sslCA
158
nsCertType = sslCA
159
EOF
159
EOF
160
 
160
 
161
hostname=`hostname`
161
hostname=`hostname`
162
if [ -z "$hostname" ];
162
if [ -z "$hostname" ];
163
then
163
then
164
 echo "Impossible de déterminer le nom d'hôte !!!"
164
 echo "Impossible de déterminer le nom d'hôte !!!"
165
 exit 1
165
 exit 1
166
fi
166
fi
167
 
167
 
168
# The value for organizationalUnitName must be 64 chars or less;
168
# The value for organizationalUnitName must be 64 chars or less;
169
#   thus, hostname must be 36 chars or less. If it's too big,
169
#   thus, hostname must be 36 chars or less. If it's too big,
170
#   try removing domain (merci REXY ;-) ).
170
#   try removing domain (merci REXY ;-) ).
171
hostname_len=`echo $hostname| wc -c`
171
hostname_len=`echo $hostname| wc -c`
172
if [ $hostname_len -gt 36 ];
172
if [ $hostname_len -gt 36 ];
173
then
173
then
174
	hostname=`echo $hostname | cut -d '.' -f 1`
174
	hostname=`echo $hostname | cut -d '.' -f 1`
175
fi
175
fi
176
 
176
 
177
CAMAIL=ca@$hostname
177
CAMAIL=ca@$hostname
178
SRVMAIL=apache@$hostname
178
SRVMAIL=apache@$hostname
179
 
179
 
180
echo 01 > $DIR_TMP/serial
180
echo 01 > $DIR_TMP/serial
181
touch $DIR_TMP/index.txt
181
touch $DIR_TMP/index.txt
182
 
182
 
183
# CA key
183
# CA key
184
rm -f $CAKEY
184
rm -f $CAKEY
185
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
185
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
186
openssl genrsa -out $CAKEY  2048 2>> $DIR_TMP/openssl-log
186
openssl genrsa -out $CAKEY  2048 2>> $DIR_TMP/openssl-log
187
 
187
 
188
# CA certificate
188
# CA certificate
189
rm -f $CACERT
189
rm -f $CACERT
190
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
190
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
191
echo "$COUNTRY
191
echo "$COUNTRY
192
$PROVINCE
192
$PROVINCE
193
$LOCATION
193
$LOCATION
194
$ORGANIZATION
194
$ORGANIZATION
195
Certification Authority for $hostname
195
Certification Authority for $hostname
196
ALCASAR-local-CA
196
ALCASAR-local-CA
197
$CAMAIL" | 
197
$CAMAIL" | 
198
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
198
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
199
 
199
 
200
# Server key
200
# Server key
201
rm -f $SRVKEY	
201
rm -f $SRVKEY	
202
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
202
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
203
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
203
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
204
 
204
 
205
# Server certificate "request"
205
# Server certificate "request"
206
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
206
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
207
echo "$COUNTRY
207
echo "$COUNTRY
208
$PROVINCE
208
$PROVINCE
209
$LOCATION
209
$LOCATION
210
$ORGANIZATION
210
$ORGANIZATION
211
Server certificate for $hostname
211
Server certificate for $hostname
212
$hostname
212
$hostname
213
$SRVMAIL" | 
213
$SRVMAIL" | 
214
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
214
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
215
 
215
 
216
# Sign the server certificate "request" to create server certificate
216
# Sign the server certificate "request" to create server certificate
217
rm -f $SRVCERT
217
rm -f $SRVCERT
218
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
218
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
219
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
219
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
220
rm -f $SRVREQ
220
rm -f $SRVREQ
221
cp -f $SRVCERT $SRVCHAIN  # in order to simplify the official intranet certificate import process
-
 
222
 
221
 
223
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
222
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
-
 
223
cp -f $CACERT $SRVCHAIN
224
 
224
 
225
chmod a+r $CACERT $SRVCERT $SRVCHAIN
225
chmod a+r $CACERT $SRVCERT $SRVCHAIN
226
 
226
 
227
# Link certs in ALCASAR Control Center
227
# Link certs in ALCASAR Control Center
228
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
228
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
229
	then
229
	then
230
	[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
230
	[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
231
	rm -f $DIR_WEB/certs/*
231
	rm -f $DIR_WEB/certs/*
232
	ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
232
	ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
233
	ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
233
	ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
234
	rm -rf $DIR_TMP
234
	rm -rf $DIR_TMP
235
	exit 0
235
	exit 0
236
else
236
else
237
	echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
237
	echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
238
	exit 1
238
	exit 1
239
fi
239
fi
240
 
240