Subversion Repositories ALCASAR

Rev

Rev 1830 | Rev 2454 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
675 richard 1
#!/bin/sh
64 franck 2
# $Id: alcasar-CA.sh 2293 2017-06-20 15:31:12Z tom.houdayer $
3
 
1 root 4
# alcasar-CA.sh
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
6
# This script is distributed under the Gnu General Public License (GPL)
675 richard 7
#
8
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> 
9
# and Michel Arboi <arboi@alussinan.org>
10
#
1 root 11
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
12
DIR_PKI=/etc/pki
13
DIR_CERT=$DIR_PKI/tls
14
DIR_WEB=/var/www/html
15
CACERT=$DIR_PKI/CA/alcasar-ca.crt
16
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
675 richard 17
SRVREQ=$DIR_CERT/alcasar.req
18
SRVKEY=$DIR_CERT/private/alcasar.key
1 root 19
SRVCERT=$DIR_CERT/certs/alcasar.crt
675 richard 20
SRVCHAIN=$DIR_CERT/certs/server-chain.crt
1 root 21
 
22
CACERT_LIFETIME="1460"
23
SRVCERT_LIFETIME="1460"
24
COUNTRY="FR"
25
PROVINCE="none"
26
LOCATION="Paris"
5 franck 27
ORGANIZATION="ALCASAR-Team"
1 root 28
 
29
mkdir $DIR_TMP || exit 1
30
# dynamic conf file for openssl
31
cat <<EOF >$DIR_TMP/ssl.conf
32
RANDFILE		= $HOME/.rnd
33
#
34
[ ca ]
35
default_ca = AlcasarCA
36
 
37
[ AlcasarCA ]
38
dir		= $DIR_TMP		# Where everything is kept
39
certs		= \$dir			# Where the issued certs are kept
40
crl_dir		= \$dir			# Where the issued crl are kept
41
database	= \$dir/index.txt	# database index file.
42
new_certs_dir	= \$dir			# default place for new certs.
43
 
44
certificate	= $CACERT	 	# The CA certificate
45
serial		= \$dir/serial 		# The current serial number
46
crl		= \$dir/crl.pem 	# The current CRL
47
private_key	= $CAKEY		# The private key
48
 
49
x509_extensions	= usr_cert		# The extentions to add to the cert
50
crl_extensions	= crl_ext
51
 
52
default_days	= 365			# how long to certify for
53
default_crl_days= 30			# how long before next CRL
1702 richard 54
default_md	= sha256		# which message digest to use.
1 root 55
preserve	= no			# keep passed DN ordering
56
 
57
policy		= policy_anything
58
 
59
[ policy_anything ]
60
countryName             = optional
61
stateOrProvinceName     = optional
62
localityName            = optional
63
organizationName        = optional
64
organizationalUnitName  = optional
65
commonName              = supplied
66
emailAddress            = optional
67
 
68
[ req ]
1702 richard 69
default_bits		= 2048
1 root 70
distinguished_name	= req_distinguished_name
71
# attributes		= req_attributes
72
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
73
 
74
[ req_distinguished_name ]
75
countryName			= Country Name (2 letter code)
76
countryName_default		= FR
77
countryName_min			= 2
78
countryName_max			= 2
79
 
80
stateOrProvinceName		= State or Province Name (full name)
81
stateOrProvinceName_default	= Some-State
82
 
83
localityName			= Locality Name (eg, city)
84
localityName_default		= Lyon
85
 
86
0.organizationName		= Organization Name (eg, company)
87
0.organizationName_default	= your organization name
88
 
89
# we can do this but it is not needed normally :-)
90
#1.organizationName		= Second Organization Name (eg, company)
91
#1.organizationName_default	= World Wide Web Pty Ltd
92
 
93
organizationalUnitName		= Organizational Unit Name (eg, section)
94
#organizationalUnitName_default	=
95
 
96
commonName			= Common Name (eg, your name or your server\'s hostname)
97
commonName_max			= 255
98
 
99
emailAddress			= Email Address
100
emailAddress_max		= 255
101
 
102
# SET-ex3			= SET extension number 3
103
 
104
[ usr_cert ]
105
# These extensions are added when 'ca' signs a request.
106
# This goes against PKIX guidelines but some CAs do it and some software
107
# requires this to avoid interpreting an end user certificate as a CA.
108
#basicConstraints=CA:FALSE
109
 
110
# Here are some examples of the usage of nsCertType. If it is omitted
111
# the certificate can be used for anything *except* object signing.
112
 
113
# This is OK for an SSL server.
114
# nsCertType			= nsCertType
115
# For normal client use this is typical
116
# nsCertType = client, email
117
nsCertType			= server
118
 
119
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
120
 
121
# This will be displayed in Netscape's comment listbox.
122
nsComment			= "OpenSSL Generated Certificate"
123
 
124
# PKIX recommendations harmless if included in all certificates.
125
subjectKeyIdentifier=hash
126
authorityKeyIdentifier=keyid,issuer:always
127
 
128
# This stuff is for subjectAltName and issuerAltname.
129
# Import the email address.
130
subjectAltName=email:copy
131
 
132
# Copy subject details
133
issuerAltName=issuer:copy
134
 
135
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
136
#nsBaseUrl
137
#nsRevocationUrl
138
#nsRenewalUrl
139
#nsCaPolicyUrl
140
#nsSslServerName
141
 
142
[ v3_ca ]
143
# PKIX recommendation.
144
subjectKeyIdentifier=hash
145
authorityKeyIdentifier=keyid:always,issuer:always
146
 
147
# This is what PKIX recommends but some broken software chokes on critical
148
# extensions.
149
basicConstraints = critical,CA:true
150
# So we do this instead.
151
#basicConstraints = CA:true
152
 
153
# Key usage: this is typical for a CA certificate. However since it will
154
# prevent it being used as an test self-signed certificate it is best
155
# left out by default.
156
keyUsage = cRLSign, keyCertSign
157
nsCertType = sslCA
158
EOF
159
 
160
hostname=`hostname`
161
if [ -z "$hostname" ];
162
then
163
 echo "Impossible de déterminer le nom d'hôte !!!"
164
 exit 1
165
fi
166
 
167
# The value for organizationalUnitName must be 64 chars or less;
168
#   thus, hostname must be 36 chars or less. If it's too big,
169
#   try removing domain (merci REXY ;-) ).
170
hostname_len=`echo $hostname| wc -c`
171
if [ $hostname_len -gt 36 ];
172
then
173
  hostname=`echo $hostname | cut -d '.' -f 1`
174
fi
175
 
176
CAMAIL=ca@$hostname
177
SRVMAIL=apache@$hostname
178
 
179
echo 01 > $DIR_TMP/serial
180
touch $DIR_TMP/index.txt
181
 
5 franck 182
# CA key
183
rm -f $CAKEY
184
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
1705 richard 185
openssl genrsa -out $CAKEY  2048 2>> $DIR_TMP/openssl-log
5 franck 186
 
187
# CA certificate
188
rm -f $CACERT
189
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
190
echo "$COUNTRY
1 root 191
$PROVINCE
192
$LOCATION
193
$ORGANIZATION
194
Certification Authority for $hostname
5 franck 195
ALCASAR-local-CA
1705 richard 196
$CAMAIL" | 
197
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
5 franck 198
 
1 root 199
# Server key
200
rm -f $SRVKEY	
201
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
1705 richard 202
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
1 root 203
 
204
# Server certificate "request"
205
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
206
echo "$COUNTRY
207
$PROVINCE
208
$LOCATION
209
$ORGANIZATION
210
Server certificate for $hostname
503 richard 211
$hostname
1 root 212
$SRVMAIL" | 
213
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
214
 
215
# Sign the server certificate "request" to create server certificate
216
rm -f $SRVCERT
217
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
218
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
219
rm -f $SRVREQ
675 richard 220
cp -f $SRVCERT $SRVCHAIN  # in order to simplify the official intranet certificate import process
221
chmod a+r $CACERT $SRVCERT $SRVCHAIN
1 root 222
 
675 richard 223
# Link certs in ALCASAR Control Center
1 root 224
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
2293 tom.houday 225
	then
226
	[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
227
	rm -f $DIR_WEB/certs/*
228
	ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
229
	ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
230
	rm -rf $DIR_TMP
231
	exit 0
1 root 232
else
2293 tom.houday 233
	echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
234
	exit 1
1 root 235
fi