Subversion Repositories ALCASAR

Rev

Rev 2922 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2922 Rev 2924
Line 1... Line 1...
1
#!/bin/sh
1
#!/bin/sh
2
# $Id: alcasar-CA.sh 2922 2021-02-22 22:48:39Z rexy $
2
# $Id: alcasar-CA.sh 2924 2021-02-23 21:42:48Z rexy $
3
 
3
 
4
# alcasar-CA.sh
4
# alcasar-CA.sh
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
5
# by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#
7
#
8
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
8
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
9
# and Michel Arboi <arboi@alussinan.org>
9
# and Michel Arboi <arboi@alussinan.org>
10
#
10
#
Line 17... Line 17...
17
SRVREQ=$DIR_CERT/alcasar.req
17
SRVREQ=$DIR_CERT/alcasar.req
18
SRVKEY=$DIR_CERT/private/alcasar.key
18
SRVKEY=$DIR_CERT/private/alcasar.key
19
SRVCERT=$DIR_CERT/certs/alcasar.crt
19
SRVCERT=$DIR_CERT/certs/alcasar.crt
20
SRVPEM=$DIR_CERT/private/alcasar.pem
20
SRVPEM=$DIR_CERT/private/alcasar.pem
21
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
21
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
22
CONF_FILE="/usr/local/ets/alcasar.conf"
22
CONF_FILE="/usr/local/etc/alcasar.conf"
23
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
23
hostname=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
24
DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
24
domain=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
25
DOMAIN=${DOMAIN:=localdomain}
25
domain=${domain:=localdomain}
-
 
26
fqdn_hostname="$hostname.$domain"
-
 
27
# The value for organizationalUnitName must be 64 chars or less;
-
 
28
#   thus, hostname must be 36 chars or less. If it's too big,
-
 
29
#   try removing domain (merci REXY ;-) ).
-
 
30
hostname_len=`echo $fqdn_hostname| wc -c`
-
 
31
if [ $hostname_len -gt 36 ];
-
 
32
then
-
 
33
	fqdn_hostname=$hostname
-
 
34
fi
-
 
35
private_ip=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
26
 
36
 
27
CACERT_LIFETIME="1460"
37
CACERT_LIFETIME="1460"
28
SRVCERT_LIFETIME="1460"
38
SRVCERT_LIFETIME="1460"
29
COUNTRY="FR"
39
COUNTRY="FR"
30
PROVINCE="none"
40
PROVINCE="none"
Line 35... Line 45...
35
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
45
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
36
# dynamic conf file for openssl
46
# dynamic conf file for openssl
37
cat <<EOF >$DIR_TMP/ssl.conf
47
cat <<EOF >$DIR_TMP/ssl.conf
38
RANDFILE		= $HOME/.rnd
48
RANDFILE		= $HOME/.rnd
39
#
49
#
40
[ ca ]
50
[ca]
41
default_ca = AlcasarCA
51
default_ca = AlcasarCA
42
 
52
 
43
[ AlcasarCA ]
53
[AlcasarCA]
44
dir = $DIR_TMP				# Where everything is kept
54
dir		= $DIR_TMP		# Where everything is kept
45
certs = \$dir				# Where the issued certs are kept
55
certs		= \$dir			# Where the issued certs are kept
46
crl_dir	= \$dir				# Where the issued crl are kept
56
crl_dir		= \$dir			# Where the issued crl are kept
47
database = \$dir/index.txt	# database index file.
57
database	= \$dir/index.txt	# database index file.
48
new_certs_dir = \$dir		# default place for new certs.
58
new_certs_dir	= \$dir			# default place for new certs.
49
certificate = $CACERT	 	# The CA certificate
59
certificate	= $CACERT	 	# The CA certificate
50
serial = \$dir/serial		# The current serial number
60
serial		= \$dir/serial 		# The current serial number
51
crl = \$dir/crl.pem			# The current CRL
61
crl		= \$dir/crl.pem 	# The current CRL
52
private_key = $CAKEY		# The private key
62
private_key	= $CAKEY		# The private key
53
x509_extensions = usr_cert	# The extentions to add to the cert
63
x509_extensions	= usr_cert		# The extentions to add to the cert
54
crl_extensions = crl_ext
64
crl_extensions	= crl_ext
55
default_days = 365			# how long to certify for
65
default_days	= 365			# how long to certify for
56
default_crl_days = 30		# how long before next CRL
66
default_crl_days= 30			# how long before next CRL
57
default_md = sha256			# which message digest to use.
67
default_md	= sha256		# which message digest to use.
58
preserve = no				# keep passed DN ordering
68
preserve	= no			# keep passed DN ordering
59
policy = policy_anything
69
policy		= policy_anything
60
 
70
 
61
[ policy_anything ]
71
[policy_anything]
62
countryName             = optional
72
countryName             = optional
63
stateOrProvinceName     = optional
73
stateOrProvinceName     = optional
64
localityName            = optional
74
localityName            = optional
65
organizationName        = optional
75
organizationName        = optional
66
organizationalUnitName  = optional
76
organizationalUnitName  = optional
67
commonName              = supplied
77
commonName              = supplied
68
emailAddress            = optional
78
emailAddress            = optional
69
 
79
 
70
[ req ]
80
[req]
71
default_bits		= 2048
81
default_bits		= 2048
72
distinguished_name	= req_distinguished_name
82
distinguished_name	= req_distinguished_name
73
# attributes		= req_attributes
83
# attributes		= req_attributes
-
 
84
x509_extensions		= v3_ca		# The extentions to add to the self signed cert
74
 
85
 
-
 
86
[ v3_ca ]
-
 
87
subjectKeyIdentifier	= hash
-
 
88
authorityKeyIdentifier	= keyid:always,issuer:always
-
 
89
basicConstraints	= critical,CA:true
-
 
90
keyUsage		= cRLSign, keyCertSign
-
 
91
nsCertType		= sslCA
-
 
92
 
75
[ req_distinguished_name ]
93
[req_distinguished_name]
76
countryName = Country Name (2 letter code)
94
countryName			= Country Name (2 letter code)
77
countryName_default = FR
95
countryName_default		= FR
78
countryName_min = 2
96
countryName_min			= 2
79
countryName_max = 2
97
countryName_max			= 2
80
 
-
 
81
stateOrProvinceName = State or Province Name (full name)
98
stateOrProvinceName		= State or Province Name (full name)
82
stateOrProvinceName_default = Some-State
99
stateOrProvinceName_default	= Some-State
83
 
-
 
84
localityName = Locality Name (eg, city)
100
localityName			= Locality Name (eg, city)
85
localityName_default = Paris
101
localityName_default		= Lyon
86
 
-
 
87
0.organizationName = Organization Name (eg, company)
102
0.organizationName		= Organization Name (eg, company)
88
0.organizationName_default = your organization name
103
0.organizationName_default	= your organization name
89
 
-
 
90
# we can do this but it is not needed normally :-)
-
 
91
#1.organizationName = Second Organization Name (eg, company)
-
 
92
#1.organizationName_default = World Wide Web Pty Ltd
-
 
93
 
-
 
94
organizationalUnitName = Organizational Unit Name (eg, section)
104
organizationalUnitName		= Organizational Unit Name (eg, section)
95
#organizationalUnitName_default =
-
 
96
 
-
 
97
commonName = Common Name (eg, your name or your server\'s hostname)
105
commonName			= Common Name (eg, your name or your server\'s hostname)
98
commonName_max = 255
106
commonName_max			= 255
99
emailAddress = Email Address
107
emailAddress			= Email Address
100
emailAddress_max = 255
108
emailAddress_max		= 255
101
 
109
 
102
[ usr_cert ]
110
[usr_cert]
103
# These extensions are added when 'ca' signs a request.
-
 
104
# This goes against PKIX guidelines but some CAs do it and some software
-
 
105
# requires this to avoid interpreting an end user certificate as a CA.
-
 
106
basicConstraints=CA:FALSE
-
 
107
nsCertType = server
111
nsCertType			= server
108
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
-
 
109
subjectKeyIdentifier = hash
112
subjectKeyIdentifier		= hash
110
authorityKeyIdentifier = keyid,issuer
113
authorityKeyIdentifier		= keyid,issuer
111
 
-
 
112
# This stuff is for subjectAltName and issuerAltname.
-
 
113
subjectAltName = @alt_names
114
basicConstraints		= CA:FALSE
114
# Copy subject details
115
keyUsage			= digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
115
issuerAltName = issuer:copy
116
issuerAltName			= issuer:copy
-
 
117
subjectAltName			= @alt_names
116
 
118
 
117
[alt_names]
119
[alt_names]
118
DNS.1 = $HOSTNAME.$DOMAIN
120
DNS.1				= $fqdn_hostname
119
 
-
 
-
 
121
IP.1				= $private_ip
120
EOF
122
EOF
121
 
123
 
122
# The value for organizationalUnitName must be 64 chars or less;
-
 
123
#   thus, hostname must be 36 chars or less. If it's too big,
-
 
124
#   try removing domain (merci REXY ;-) ).
-
 
125
hostname_len=`echo $HOSTNAME| wc -c`
-
 
126
if [ $hostname_len -gt 36 ];
-
 
127
then
-
 
128
	HOSTNAME=`echo $HOSTNAME | cut -d '.' -f 1`
-
 
129
fi
-
 
130
 
-
 
131
CAMAIL=
124
CAMAIL=
132
SRVMAIL=
125
SRVMAIL=
133
 
-
 
134
echo 01 > $DIR_TMP/serial
126
echo 01 > $DIR_TMP/serial
135
touch $DIR_TMP/index.txt
127
touch $DIR_TMP/index.txt
136
 
128
 
137
# CA key
129
# CA key
138
rm -f $CAKEY
130
rm -f $CAKEY
139
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
131
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
140
openssl genrsa -out $CAKEY  2048 2>> $DIR_TMP/openssl-log
132
openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log
141
 
133
 
142
# CA certificate
134
# CA certificate
143
rm -f $CACERT
135
rm -f $CACERT
-
 
136
echo >> $DIR_TMP/openssl-log
144
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
137
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
145
echo "$COUNTRY
138
echo "$COUNTRY
146
$PROVINCE
139
$PROVINCE
147
$LOCATION
140
$LOCATION
148
$ORGANIZATION
141
$ORGANIZATION
149
Certification Authority for $HOSTNAME.$DOMAIN
142
Certification Authority for $fqdn_hostname
150
$HOSTNAME-local-CA
143
$fqdn_hostname-local-CA
151
$CAMAIL" | 
144
$CAMAIL" | 
152
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
145
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
153
 
146
 
154
# Server key
147
# Server key
155
rm -f $SRVKEY	
148
rm -f $SRVKEY	
-
 
149
echo >> $DIR_TMP/openssl-log
156
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
150
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
157
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
151
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
158
 
152
 
159
# Server certificate "request"
153
# Server certificate "request"
-
 
154
echo >> $DIR_TMP/openssl-log
160
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
155
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
161
echo "$COUNTRY
156
echo "$COUNTRY
162
$PROVINCE
157
$PROVINCE
163
$LOCATION
158
$LOCATION
164
$ORGANIZATION
159
$ORGANIZATION
165
Server certificate for $HOSTNAME.$DOMAIN
160
Server certificate for $fqdn_hostname
166
$HOSTNAME.$DOMAIN
161
$fqdn_hostname
167
$SRVMAIL" | 
162
$SRVMAIL" | 
168
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
163
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
169
 
164
 
170
# Sign the server certificate "request" to create server certificate
165
# Sign the server certificate "request" to create server certificate
171
rm -f $SRVCERT
166
rm -f $SRVCERT
-
 
167
echo >> $DIR_TMP/openssl-log
172
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
168
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
173
openssl ca -config $DIR_TMP/ssl.conf -name $HOSTNAME-local-CA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
169
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
174
rm -f $SRVREQ
170
rm -f $SRVREQ
175
 
171
 
176
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
172
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
177
cp -f $CACERT $SRVCHAIN
173
cp -f $CACERT $SRVCHAIN
178
 
174