WebSVN – ALCASAR – Blame – /scripts/alcasar-CA.sh

Rev	Author	Line No.	Line
675	richard	1	`#!/bin/sh`
64	franck	2	`# $Id: alcasar-CA.sh 3201 2024-05-28 17:21:34Z rexy $`
		3
1	root	4	`# alcasar-CA.sh`
2924	rexy	5	`# by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)`
1	root	6	`# This script is distributed under the Gnu General Public License (GPL)`
675	richard	7	`#`
2454	tom.houday	8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`
675	richard	9	`# and Michel Arboi <arboi@alussinan.org>`
		10	`#`
1	root	11	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`
		12	`DIR_PKI=/etc/pki`
		13	`DIR_CERT=$DIR_PKI/tls`
		14	`DIR_WEB=/var/www/html`
		15	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`
		16	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`
675	richard	17	`SRVREQ=$DIR_CERT/alcasar.req`
		18	`SRVKEY=$DIR_CERT/private/alcasar.key`
1	root	19	`SRVCERT=$DIR_CERT/certs/alcasar.crt`
2488	lucas.echa	20	`SRVPEM=$DIR_CERT/private/alcasar.pem`
2813	rexy	21	`SRVCHAIN=$DIR_CERT/certs/server-chain.pem`
2924	rexy	22	`CONF_FILE="/usr/local/etc/alcasar.conf"`
		23	hostname=`grep ^HOSTNAME= $CONF_FILE\|cut -d"=" -f2`
		24	domain=`grep ^DOMAIN= $CONF_FILE\|cut -d"=" -f2`
		25	`domain=${domain:=localdomain}`
		26	`fqdn_hostname="$hostname.$domain"`
		27	`# The value for organizationalUnitName must be 64 chars or less;`
		28	`# thus, hostname must be 36 chars or less. If it's too big,`
		29	`# try removing domain (merci REXY ;-) ).`
		30	hostname_len=`echo $fqdn_hostname\| wc -c`
		31	`if [ $hostname_len -gt 36 ];`
		32	`then`
		33	`fqdn_hostname=$hostname`
		34	`fi`
		35	private_ip=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2\|cut -d"/" -f1`
1	root	36
		37	`CACERT_LIFETIME="1460"`
		38	`SRVCERT_LIFETIME="1460"`
		39	`COUNTRY="FR"`
		40	`PROVINCE="none"`
		41	`LOCATION="Paris"`
5	franck	42	`ORGANIZATION="ALCASAR-Team"`
1	root	43
		44	`mkdir $DIR_TMP \|\| exit 1`
2801	rexy	45	`[ -d $DIR_PKI/CA/private ] \|\| mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA`
1	root	46	`# dynamic conf file for openssl`
		47	`cat <<EOF >$DIR_TMP/ssl.conf`
		48	`RANDFILE = $HOME/.rnd`
		49	`#`
2924	rexy	50	`[ca]`
1	root	51	`default_ca = AlcasarCA`
		52
2924	rexy	53	`[AlcasarCA]`
		54	`dir = $DIR_TMP # Where everything is kept`
		55	`certs = \$dir # Where the issued certs are kept`
		56	`crl_dir = \$dir # Where the issued crl are kept`
		57	`database = \$dir/index.txt # database index file.`
		58	`new_certs_dir = \$dir # default place for new certs.`
		59	`certificate = $CACERT # The CA certificate`
		60	`serial = \$dir/serial # The current serial number`
		61	`crl = \$dir/crl.pem # The current CRL`
		62	`private_key = $CAKEY # The private key`
		63	`x509_extensions = usr_cert # The extentions to add to the cert`
		64	`crl_extensions = crl_ext`
		65	`default_days = 365 # how long to certify for`
		66	`default_crl_days= 30 # how long before next CRL`
		67	`default_md = sha256 # which message digest to use.`
		68	`preserve = no # keep passed DN ordering`
		69	`policy = policy_anything`
1	root	70
2924	rexy	71	`[policy_anything]`
1	root	72	`countryName = optional`
		73	`stateOrProvinceName = optional`
		74	`localityName = optional`
		75	`organizationName = optional`
		76	`organizationalUnitName = optional`
		77	`commonName = supplied`
		78	`emailAddress = optional`
		79
2924	rexy	80	`[req]`
1702	richard	81	`default_bits = 2048`
1	root	82	`distinguished_name = req_distinguished_name`
		83	`# attributes = req_attributes`
2924	rexy	84	`x509_extensions = v3_ca # The extentions to add to the self signed cert`
1	root	85
2924	rexy	86	`[ v3_ca ]`
		87	`subjectKeyIdentifier = hash`
		88	`authorityKeyIdentifier = keyid:always,issuer:always`
		89	`basicConstraints = critical,CA:true`
		90	`keyUsage = cRLSign, keyCertSign`
		91	`nsCertType = sslCA`
1	root	92
2924	rexy	93	`[req_distinguished_name]`
		94	`countryName = Country Name (2 letter code)`
		95	`countryName_default = FR`
		96	`countryName_min = 2`
		97	`countryName_max = 2`
		98	`stateOrProvinceName = State or Province Name (full name)`
		99	`stateOrProvinceName_default = Some-State`
		100	`localityName = Locality Name (eg, city)`
		101	`localityName_default = Lyon`
		102	`0.organizationName = Organization Name (eg, company)`
		103	`0.organizationName_default = your organization name`
		104	`organizationalUnitName = Organizational Unit Name (eg, section)`
		105	`commonName = Common Name (eg, your name or your server\'s hostname)`
		106	`commonName_max = 255`
		107	`emailAddress = Email Address`
		108	`emailAddress_max = 255`
1	root	109
2924	rexy	110	`[usr_cert]`
		111	`nsCertType = server`
		112	`subjectKeyIdentifier = hash`
		113	`authorityKeyIdentifier = keyid,issuer`
		114	`basicConstraints = CA:FALSE`
		115	`keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment`
		116	`issuerAltName = issuer:copy`
		117	`subjectAltName = @alt_names`
1	root	118
2922	rexy	119	`[alt_names]`
2924	rexy	120	`DNS.1 = $fqdn_hostname`
		121	`IP.1 = $private_ip`
1	root	122	`EOF`
		123
2814	rexy	124	`CAMAIL=`
		125	`SRVMAIL=`
3201	rexy	126	echo `date +%s` > $DIR_TMP/serial
1	root	127	`touch $DIR_TMP/index.txt`
		128
5	franck	129	`# CA key`
		130	`rm -f $CAKEY`
		131	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`
2924	rexy	132	`openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log`
5	franck	133
		134	`# CA certificate`
		135	`rm -f $CACERT`
2924	rexy	136	`echo >> $DIR_TMP/openssl-log`
5	franck	137	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`
		138	`echo "$COUNTRY`
1	root	139	`$PROVINCE`
		140	`$LOCATION`
		141	`$ORGANIZATION`
2924	rexy	142	`Certification Authority for $fqdn_hostname`
		143	`$fqdn_hostname-local-CA`
1705	richard	144	`$CAMAIL" \|`
		145	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`
5	franck	146
1	root	147	`# Server key`
		148	`rm -f $SRVKEY`
2924	rexy	149	`echo >> $DIR_TMP/openssl-log`
1	root	150	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`
1705	richard	151	`openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log`
1	root	152
		153	`# Server certificate "request"`
2924	rexy	154	`echo >> $DIR_TMP/openssl-log`
1	root	155	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`
		156	`echo "$COUNTRY`
		157	`$PROVINCE`
		158	`$LOCATION`
		159	`$ORGANIZATION`
2924	rexy	160	`Server certificate for $fqdn_hostname`
		161	`$fqdn_hostname`
1	root	162	`$SRVMAIL" \|`
		163	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`
		164
		165	`# Sign the server certificate "request" to create server certificate`
		166	`rm -f $SRVCERT`
2924	rexy	167	`echo >> $DIR_TMP/openssl-log`
1	root	168	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`
2924	rexy	169	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`
1	root	170	`rm -f $SRVREQ`
2554	lucas.echa	171
		172	`(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM`
2703	tom.houday	173	`cp -f $CACERT $SRVCHAIN`
2554	lucas.echa	174
2775	rexy	175	`# Limit rights`
		176	`chown -R root:root $SRVKEY $CAKEY`
		177	`chmod -R 0600 $SRVKEY $CAKEY`
1	root	178
675	richard	179	`# Link certs in ALCASAR Control Center`
1	root	180	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`
2293	tom.houday	181	`then`
		182	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`
		183	`rm -f $DIR_WEB/certs/*`
		184	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`
		185	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`
		186	`rm -rf $DIR_TMP`
		187	`exit 0`
1	root	188	`else`
2758	rexy	189	`echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"`
2293	tom.houday	190	`exit 1`
1	root	191	`fi`

Subversion Repositories ALCASAR

(root)/scripts/alcasar-CA.sh @ 2724 – Rev 3201