Subversion Repositories ALCASAR

Rev

Rev 5 | Go to most recent revision | Details | Last modification | View Log

Rev Author Line No. Line
1 root 1
#!/bin/sh
2
#
3
# alcasar-CA.sh
4
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
5
# This script is distributed under the Gnu General Public License (GPL)
6
#
7
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> 
8
# and Michel Arboi <arboi@alussinan.org>
9
#
10
 
11
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
12
DIR_PKI=/etc/pki
13
DIR_CERT=$DIR_PKI/tls
14
DIR_WEB=/var/www/html
15
CACERT=$DIR_PKI/CA/alcasar-ca.crt
16
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
17
SRVCERT=$DIR_CERT/certs/alcasar.crt
18
SRVKEY=$DIR_CERT/private/alcasar.key
19
SRVREQ=$DIR_CERT/alcasar.req
20
FIC_PARAM="/root/ALCASAR-parameters.txt"
21
 
22
CACERT_LIFETIME="1460"
23
SRVCERT_LIFETIME="1460"
24
COUNTRY="FR"
25
PROVINCE="none"
26
LOCATION="Paris"
27
ORGANIZATION="ALCASAR"
28
 
29
mkdir $DIR_TMP || exit 1
30
# dynamic conf file for openssl
31
cat <<EOF >$DIR_TMP/ssl.conf
32
RANDFILE		= $HOME/.rnd
33
#
34
[ ca ]
35
default_ca = AlcasarCA
36
 
37
[ AlcasarCA ]
38
dir		= $DIR_TMP		# Where everything is kept
39
certs		= \$dir			# Where the issued certs are kept
40
crl_dir		= \$dir			# Where the issued crl are kept
41
database	= \$dir/index.txt	# database index file.
42
new_certs_dir	= \$dir			# default place for new certs.
43
 
44
certificate	= $CACERT	 	# The CA certificate
45
serial		= \$dir/serial 		# The current serial number
46
crl		= \$dir/crl.pem 	# The current CRL
47
private_key	= $CAKEY		# The private key
48
 
49
x509_extensions	= usr_cert		# The extentions to add to the cert
50
crl_extensions	= crl_ext
51
 
52
default_days	= 365			# how long to certify for
53
default_crl_days= 30			# how long before next CRL
54
default_md	= md5			# which md to use.
55
preserve	= no			# keep passed DN ordering
56
 
57
policy		= policy_anything
58
 
59
[ policy_anything ]
60
countryName             = optional
61
stateOrProvinceName     = optional
62
localityName            = optional
63
organizationName        = optional
64
organizationalUnitName  = optional
65
commonName              = supplied
66
emailAddress            = optional
67
 
68
[ req ]
69
default_bits		= 1024
70
distinguished_name	= req_distinguished_name
71
# attributes		= req_attributes
72
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
73
 
74
[ req_distinguished_name ]
75
countryName			= Country Name (2 letter code)
76
countryName_default		= FR
77
countryName_min			= 2
78
countryName_max			= 2
79
 
80
stateOrProvinceName		= State or Province Name (full name)
81
stateOrProvinceName_default	= Some-State
82
 
83
localityName			= Locality Name (eg, city)
84
localityName_default		= Lyon
85
 
86
0.organizationName		= Organization Name (eg, company)
87
0.organizationName_default	= your organization name
88
 
89
# we can do this but it is not needed normally :-)
90
#1.organizationName		= Second Organization Name (eg, company)
91
#1.organizationName_default	= World Wide Web Pty Ltd
92
 
93
organizationalUnitName		= Organizational Unit Name (eg, section)
94
#organizationalUnitName_default	=
95
 
96
commonName			= Common Name (eg, your name or your server\'s hostname)
97
commonName_max			= 255
98
 
99
emailAddress			= Email Address
100
emailAddress_max		= 255
101
 
102
# SET-ex3			= SET extension number 3
103
 
104
[ usr_cert ]
105
# These extensions are added when 'ca' signs a request.
106
# This goes against PKIX guidelines but some CAs do it and some software
107
# requires this to avoid interpreting an end user certificate as a CA.
108
#basicConstraints=CA:FALSE
109
 
110
# Here are some examples of the usage of nsCertType. If it is omitted
111
# the certificate can be used for anything *except* object signing.
112
 
113
# This is OK for an SSL server.
114
# nsCertType			= nsCertType
115
# For normal client use this is typical
116
# nsCertType = client, email
117
nsCertType			= server
118
 
119
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
120
 
121
# This will be displayed in Netscape's comment listbox.
122
nsComment			= "OpenSSL Generated Certificate"
123
 
124
# PKIX recommendations harmless if included in all certificates.
125
subjectKeyIdentifier=hash
126
authorityKeyIdentifier=keyid,issuer:always
127
 
128
# This stuff is for subjectAltName and issuerAltname.
129
# Import the email address.
130
subjectAltName=email:copy
131
 
132
# Copy subject details
133
issuerAltName=issuer:copy
134
 
135
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
136
#nsBaseUrl
137
#nsRevocationUrl
138
#nsRenewalUrl
139
#nsCaPolicyUrl
140
#nsSslServerName
141
 
142
[ v3_ca ]
143
# PKIX recommendation.
144
subjectKeyIdentifier=hash
145
authorityKeyIdentifier=keyid:always,issuer:always
146
 
147
# This is what PKIX recommends but some broken software chokes on critical
148
# extensions.
149
basicConstraints = critical,CA:true
150
# So we do this instead.
151
#basicConstraints = CA:true
152
 
153
# Key usage: this is typical for a CA certificate. However since it will
154
# prevent it being used as an test self-signed certificate it is best
155
# left out by default.
156
keyUsage = cRLSign, keyCertSign
157
nsCertType = sslCA
158
EOF
159
 
160
hostname=`hostname`
161
if [ -z "$hostname" ];
162
then
163
 echo "Impossible de déterminer le nom d'hôte !!!"
164
 exit 1
165
fi
166
 
167
# The value for organizationalUnitName must be 64 chars or less;
168
#   thus, hostname must be 36 chars or less. If it's too big,
169
#   try removing domain (merci REXY ;-) ).
170
hostname_len=`echo $hostname| wc -c`
171
 
172
if [ $hostname_len -gt 36 ];
173
then
174
  hostname=`echo $hostname | cut -d '.' -f 1`
175
fi
176
 
177
if [ ! -f /etc/sysconfig/network-scripts/ifcfg-eth1 ]
178
then
179
  echo "Impossible de déterminer l'@-IP"
180
  exit 1
181
fi
182
IPADDR=`cat /etc/sysconfig/network-scripts/ifcfg-eth1 |grep IPADDR|cut -d"=" -f2`
183
CAMAIL=ca@$hostname
184
SRVMAIL=apache@$hostname
185
 
186
echo 01 > $DIR_TMP/serial
187
touch $DIR_TMP/index.txt
188
# Don't create CA when update
189
if [ "$1" != "update" ]
190
then
191
	# CA key
192
	rm -f $CAKEY
193
	echo "*********CAKEY*********" > $DIR_TMP/openssl-log
194
	openssl genrsa -out $CAKEY  1024 2>> $DIR_TMP/openssl-log
195
 
196
	# CA certificate
197
	rm -f $CACERT
198
	echo "*********CACERT*********" >> $DIR_TMP/openssl-log
199
	echo "$COUNTRY
200
$PROVINCE
201
$LOCATION
202
$ORGANIZATION
203
Certification Authority for $hostname
204
$hostname
205
$CAMAIL" |
206
	openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
207
fi
208
# Server key
209
rm -f $SRVKEY	
210
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
211
openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log
212
 
213
# Server certificate "request"
214
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
215
echo "$COUNTRY
216
$PROVINCE
217
$LOCATION
218
$ORGANIZATION
219
Server certificate for $hostname
220
$IPADDR
221
$SRVMAIL" | 
222
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
223
 
224
# Sign the server certificate "request" to create server certificate
225
rm -f $SRVCERT
226
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
227
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
228
rm -f $SRVREQ
229
chmod a+r $CACERT $SRVCERT 
230
 
231
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
232
 then
233
 echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM
234
 echo "   Certificat = $CACERT" >> $FIC_PARAM
235
 echo "   Clée privée = $CAKEY" >> $FIC_PARAM
236
 echo "- Certificat du serveur : " >> $FIC_PARAM
237
 echo "    Certificat = $SRVCERT" >> $FIC_PARAM
238
 echo "    Clée privée = $SRVKEY" >> $FIC_PARAM
239
 [ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
240
 rm -f $DIR_WEB/certs/*
241
 ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.pem
242
 ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.pem
243
 rm -rf $DIR_TMP
244
 exit 0
245
else
246
 echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
247
 exit 1
248
fi