Subversion Repositories ALCASAR

Rev

Rev 2737 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
675 richard 1
#!/bin/sh
64 franck 2
# $Id: alcasar-CA.sh 2758 2019-11-03 23:17:20Z rexy $
3
 
1 root 4
# alcasar-CA.sh
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
6
# This script is distributed under the Gnu General Public License (GPL)
675 richard 7
#
2454 tom.houday 8
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
675 richard 9
# and Michel Arboi <arboi@alussinan.org>
10
#
1 root 11
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
12
DIR_PKI=/etc/pki
13
DIR_CERT=$DIR_PKI/tls
14
DIR_WEB=/var/www/html
15
CACERT=$DIR_PKI/CA/alcasar-ca.crt
16
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
675 richard 17
SRVREQ=$DIR_CERT/alcasar.req
18
SRVKEY=$DIR_CERT/private/alcasar.key
1 root 19
SRVCERT=$DIR_CERT/certs/alcasar.crt
2488 lucas.echa 20
SRVPEM=$DIR_CERT/private/alcasar.pem
675 richard 21
SRVCHAIN=$DIR_CERT/certs/server-chain.crt
1 root 22
 
23
CACERT_LIFETIME="1460"
24
SRVCERT_LIFETIME="1460"
25
COUNTRY="FR"
26
PROVINCE="none"
27
LOCATION="Paris"
5 franck 28
ORGANIZATION="ALCASAR-Team"
1 root 29
 
30
mkdir $DIR_TMP || exit 1
2758 rexy 31
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:apache $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
1 root 32
# dynamic conf file for openssl
33
cat <<EOF >$DIR_TMP/ssl.conf
34
RANDFILE                = $HOME/.rnd
35
#
36
[ ca ]
37
default_ca = AlcasarCA
38
 
39
[ AlcasarCA ]
40
dir             = $DIR_TMP              # Where everything is kept
41
certs           = \$dir                 # Where the issued certs are kept
42
crl_dir         = \$dir                 # Where the issued crl are kept
43
database        = \$dir/index.txt       # database index file.
44
new_certs_dir   = \$dir                 # default place for new certs.
45
 
46
certificate     = $CACERT               # The CA certificate
47
serial          = \$dir/serial          # The current serial number
48
crl             = \$dir/crl.pem         # The current CRL
49
private_key     = $CAKEY                # The private key
50
 
51
x509_extensions = usr_cert              # The extentions to add to the cert
52
crl_extensions  = crl_ext
53
 
54
default_days    = 365                   # how long to certify for
55
default_crl_days= 30                    # how long before next CRL
1702 richard 56
default_md      = sha256                # which message digest to use.
1 root 57
preserve        = no                    # keep passed DN ordering
58
 
59
policy          = policy_anything
60
 
61
[ policy_anything ]
62
countryName             = optional
63
stateOrProvinceName     = optional
64
localityName            = optional
65
organizationName        = optional
66
organizationalUnitName  = optional
67
commonName              = supplied
68
emailAddress            = optional
69
 
70
[ req ]
1702 richard 71
default_bits            = 2048
1 root 72
distinguished_name      = req_distinguished_name
73
# attributes            = req_attributes
74
x509_extensions = v3_ca # The extentions to add to the self signed cert
75
 
76
[ req_distinguished_name ]
77
countryName                     = Country Name (2 letter code)
78
countryName_default             = FR
79
countryName_min                 = 2
80
countryName_max                 = 2
81
 
82
stateOrProvinceName             = State or Province Name (full name)
83
stateOrProvinceName_default     = Some-State
84
 
85
localityName                    = Locality Name (eg, city)
86
localityName_default            = Lyon
87
 
88
0.organizationName              = Organization Name (eg, company)
89
0.organizationName_default      = your organization name
90
 
91
# we can do this but it is not needed normally :-)
92
#1.organizationName             = Second Organization Name (eg, company)
93
#1.organizationName_default     = World Wide Web Pty Ltd
94
 
95
organizationalUnitName          = Organizational Unit Name (eg, section)
96
#organizationalUnitName_default =
97
 
98
commonName                      = Common Name (eg, your name or your server\'s hostname)
99
commonName_max                  = 255
100
 
101
emailAddress                    = Email Address
102
emailAddress_max                = 255
103
 
104
# SET-ex3                       = SET extension number 3
105
 
106
[ usr_cert ]
107
# These extensions are added when 'ca' signs a request.
108
# This goes against PKIX guidelines but some CAs do it and some software
109
# requires this to avoid interpreting an end user certificate as a CA.
110
#basicConstraints=CA:FALSE
111
 
112
# Here are some examples of the usage of nsCertType. If it is omitted
113
# the certificate can be used for anything *except* object signing.
114
 
115
# This is OK for an SSL server.
116
# nsCertType                    = nsCertType
117
# For normal client use this is typical
118
# nsCertType = client, email
119
nsCertType                      = server
120
 
121
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
122
 
123
# This will be displayed in Netscape's comment listbox.
124
nsComment                       = "OpenSSL Generated Certificate"
125
 
126
# PKIX recommendations harmless if included in all certificates.
127
subjectKeyIdentifier=hash
128
authorityKeyIdentifier=keyid,issuer:always
129
 
130
# This stuff is for subjectAltName and issuerAltname.
131
# Import the email address.
132
subjectAltName=email:copy
133
 
134
# Copy subject details
135
issuerAltName=issuer:copy
136
 
137
#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
138
#nsBaseUrl
139
#nsRevocationUrl
140
#nsRenewalUrl
141
#nsCaPolicyUrl
142
#nsSslServerName
143
 
144
[ v3_ca ]
145
# PKIX recommendation.
146
subjectKeyIdentifier=hash
147
authorityKeyIdentifier=keyid:always,issuer:always
148
 
149
# This is what PKIX recommends but some broken software chokes on critical
150
# extensions.
151
basicConstraints = critical,CA:true
152
# So we do this instead.
153
#basicConstraints = CA:true
154
 
155
# Key usage: this is typical for a CA certificate. However since it will
156
# prevent it being used as an test self-signed certificate it is best
157
# left out by default.
158
keyUsage = cRLSign, keyCertSign
159
nsCertType = sslCA
160
EOF
161
 
162
hostname=`hostname`
163
if [ -z "$hostname" ];
164
then
165
 echo "Impossible de déterminer le nom d'hôte !!!"
166
 exit 1
167
fi
168
 
169
# The value for organizationalUnitName must be 64 chars or less;
170
#   thus, hostname must be 36 chars or less. If it's too big,
171
#   try removing domain (merci REXY ;-) ).
172
hostname_len=`echo $hostname| wc -c`
173
if [ $hostname_len -gt 36 ];
174
then
2454 tom.houday 175
        hostname=`echo $hostname | cut -d '.' -f 1`
1 root 176
fi
177
 
178
CAMAIL=ca@$hostname
179
SRVMAIL=apache@$hostname
180
 
181
echo 01 > $DIR_TMP/serial
182
touch $DIR_TMP/index.txt
183
 
5 franck 184
# CA key
185
rm -f $CAKEY
186
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
1705 richard 187
openssl genrsa -out $CAKEY  2048 2>> $DIR_TMP/openssl-log
5 franck 188
 
189
# CA certificate
190
rm -f $CACERT
191
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
192
echo "$COUNTRY
1 root 193
$PROVINCE
194
$LOCATION
195
$ORGANIZATION
196
Certification Authority for $hostname
2737 rexy 197
$hostname-local-CA
1705 richard 198
$CAMAIL" |
199
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
5 franck 200
 
1 root 201
# Server key
202
rm -f $SRVKEY  
203
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
1705 richard 204
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
1 root 205
 
206
# Server certificate "request"
207
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
208
echo "$COUNTRY
209
$PROVINCE
210
$LOCATION
211
$ORGANIZATION
212
Server certificate for $hostname
503 richard 213
$hostname
1 root 214
$SRVMAIL" |
215
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
216
 
217
# Sign the server certificate "request" to create server certificate
218
rm -f $SRVCERT
219
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
220
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
221
rm -f $SRVREQ
2554 lucas.echa 222
 
223
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
2703 tom.houday 224
cp -f $CACERT $SRVCHAIN
2554 lucas.echa 225
 
675 richard 226
chmod a+r $CACERT $SRVCERT $SRVCHAIN
1 root 227
 
675 richard 228
# Link certs in ALCASAR Control Center
1 root 229
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
2293 tom.houday 230
        then
231
        [ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
232
        rm -f $DIR_WEB/certs/*
233
        ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
234
        ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
235
        rm -rf $DIR_TMP
236
        exit 0
1 root 237
else
2758 rexy 238
        echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"
2293 tom.houday 239
        exit 1
1 root 240
fi