Subversion Repositories ALCASAR

Rev

Rev 2814 | Rev 2924 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
675 richard 1
#!/bin/sh
64 franck 2
# $Id: alcasar-CA.sh 2922 2021-02-22 22:48:39Z rexy $
3
 
1 root 4
# alcasar-CA.sh
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
6
# This script is distributed under the Gnu General Public License (GPL)
675 richard 7
#
2454 tom.houday 8
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
675 richard 9
# and Michel Arboi <arboi@alussinan.org>
10
#
1 root 11
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
12
DIR_PKI=/etc/pki
13
DIR_CERT=$DIR_PKI/tls
14
DIR_WEB=/var/www/html
15
CACERT=$DIR_PKI/CA/alcasar-ca.crt
16
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
675 richard 17
SRVREQ=$DIR_CERT/alcasar.req
18
SRVKEY=$DIR_CERT/private/alcasar.key
1 root 19
SRVCERT=$DIR_CERT/certs/alcasar.crt
2488 lucas.echa 20
SRVPEM=$DIR_CERT/private/alcasar.pem
2813 rexy 21
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
2922 rexy 22
CONF_FILE="/usr/local/ets/alcasar.conf"
23
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
24
DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
25
DOMAIN=${DOMAIN:=localdomain}
1 root 26
 
27
CACERT_LIFETIME="1460"
28
SRVCERT_LIFETIME="1460"
29
COUNTRY="FR"
30
PROVINCE="none"
31
LOCATION="Paris"
5 franck 32
ORGANIZATION="ALCASAR-Team"
1 root 33
 
34
mkdir $DIR_TMP || exit 1
2801 rexy 35
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
1 root 36
# dynamic conf file for openssl
37
cat <<EOF >$DIR_TMP/ssl.conf
38
RANDFILE		= $HOME/.rnd
39
#
40
[ ca ]
41
default_ca = AlcasarCA
42
 
43
[ AlcasarCA ]
2922 rexy 44
dir = $DIR_TMP				# Where everything is kept
45
certs = \$dir				# Where the issued certs are kept
46
crl_dir	= \$dir				# Where the issued crl are kept
47
database = \$dir/index.txt	# database index file.
48
new_certs_dir = \$dir		# default place for new certs.
49
certificate = $CACERT	 	# The CA certificate
50
serial = \$dir/serial		# The current serial number
51
crl = \$dir/crl.pem			# The current CRL
52
private_key = $CAKEY		# The private key
53
x509_extensions = usr_cert	# The extentions to add to the cert
54
crl_extensions = crl_ext
55
default_days = 365			# how long to certify for
56
default_crl_days = 30		# how long before next CRL
57
default_md = sha256			# which message digest to use.
58
preserve = no				# keep passed DN ordering
59
policy = policy_anything
1 root 60
 
61
[ policy_anything ]
62
countryName             = optional
63
stateOrProvinceName     = optional
64
localityName            = optional
65
organizationName        = optional
66
organizationalUnitName  = optional
67
commonName              = supplied
68
emailAddress            = optional
69
 
70
[ req ]
1702 richard 71
default_bits		= 2048
1 root 72
distinguished_name	= req_distinguished_name
73
# attributes		= req_attributes
74
 
75
[ req_distinguished_name ]
2922 rexy 76
countryName = Country Name (2 letter code)
77
countryName_default = FR
78
countryName_min = 2
79
countryName_max = 2
1 root 80
 
2922 rexy 81
stateOrProvinceName = State or Province Name (full name)
82
stateOrProvinceName_default = Some-State
1 root 83
 
2922 rexy 84
localityName = Locality Name (eg, city)
85
localityName_default = Paris
1 root 86
 
2922 rexy 87
0.organizationName = Organization Name (eg, company)
88
0.organizationName_default = your organization name
1 root 89
 
90
# we can do this but it is not needed normally :-)
2922 rexy 91
#1.organizationName = Second Organization Name (eg, company)
92
#1.organizationName_default = World Wide Web Pty Ltd
1 root 93
 
2922 rexy 94
organizationalUnitName = Organizational Unit Name (eg, section)
95
#organizationalUnitName_default =
1 root 96
 
2922 rexy 97
commonName = Common Name (eg, your name or your server\'s hostname)
98
commonName_max = 255
99
emailAddress = Email Address
100
emailAddress_max = 255
1 root 101
 
102
[ usr_cert ]
103
# These extensions are added when 'ca' signs a request.
104
# This goes against PKIX guidelines but some CAs do it and some software
105
# requires this to avoid interpreting an end user certificate as a CA.
2922 rexy 106
basicConstraints=CA:FALSE
107
nsCertType = server
108
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
109
subjectKeyIdentifier = hash
110
authorityKeyIdentifier = keyid,issuer
1 root 111
 
112
# This stuff is for subjectAltName and issuerAltname.
2922 rexy 113
subjectAltName = @alt_names
1 root 114
# Copy subject details
2922 rexy 115
issuerAltName = issuer:copy
1 root 116
 
2922 rexy 117
[alt_names]
118
DNS.1 = $HOSTNAME.$DOMAIN
1 root 119
 
120
EOF
121
 
122
# The value for organizationalUnitName must be 64 chars or less;
123
#   thus, hostname must be 36 chars or less. If it's too big,
124
#   try removing domain (merci REXY ;-) ).
2922 rexy 125
hostname_len=`echo $HOSTNAME| wc -c`
1 root 126
if [ $hostname_len -gt 36 ];
127
then
2922 rexy 128
	HOSTNAME=`echo $HOSTNAME | cut -d '.' -f 1`
1 root 129
fi
130
 
2814 rexy 131
CAMAIL=
132
SRVMAIL=
1 root 133
 
134
echo 01 > $DIR_TMP/serial
135
touch $DIR_TMP/index.txt
136
 
5 franck 137
# CA key
138
rm -f $CAKEY
139
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
1705 richard 140
openssl genrsa -out $CAKEY  2048 2>> $DIR_TMP/openssl-log
5 franck 141
 
142
# CA certificate
143
rm -f $CACERT
144
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
145
echo "$COUNTRY
1 root 146
$PROVINCE
147
$LOCATION
148
$ORGANIZATION
2922 rexy 149
Certification Authority for $HOSTNAME.$DOMAIN
150
$HOSTNAME-local-CA
1705 richard 151
$CAMAIL" | 
152
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
5 franck 153
 
1 root 154
# Server key
155
rm -f $SRVKEY	
156
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
1705 richard 157
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
1 root 158
 
159
# Server certificate "request"
160
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
161
echo "$COUNTRY
162
$PROVINCE
163
$LOCATION
164
$ORGANIZATION
2922 rexy 165
Server certificate for $HOSTNAME.$DOMAIN
166
$HOSTNAME.$DOMAIN
1 root 167
$SRVMAIL" | 
168
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
169
 
170
# Sign the server certificate "request" to create server certificate
171
rm -f $SRVCERT
172
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
2922 rexy 173
openssl ca -config $DIR_TMP/ssl.conf -name $HOSTNAME-local-CA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
1 root 174
rm -f $SRVREQ
2554 lucas.echa 175
 
176
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
2703 tom.houday 177
cp -f $CACERT $SRVCHAIN
2554 lucas.echa 178
 
2775 rexy 179
# Limit rights
180
chown -R root:root $SRVKEY $CAKEY
181
chmod -R 0600 $SRVKEY $CAKEY
1 root 182
 
675 richard 183
# Link certs in ALCASAR Control Center
1 root 184
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
2293 tom.houday 185
	then
186
	[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
187
	rm -f $DIR_WEB/certs/*
188
	ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
189
	ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
190
	rm -rf $DIR_TMP
191
	exit 0
1 root 192
else
2758 rexy 193
	echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)" 
2293 tom.houday 194
	exit 1
1 root 195
fi