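--- a/alcasar-CA.sh
+++ b/alcasar-CA.sh
@@ -0,0 +1,246 @@
+#!/bin/sh
+#
+# alcasar-CA.sh
+# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
+# This script is distributed under the Gnu General Public License (GPL)
+#
+# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
+# and Michel Arboi <arboi@alussinan.org>
+#
+
+DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
+DIR_PKI=/etc/pki
+DIR_CERT=$DIR_PKI/tls
+DIR_WEB=/var/www/html
+CACERT=$DIR_PKI/CA/alcasar-ca.crt
+CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
+SRVCERT=$DIR_CERT/certs/alcasar.crt
+SRVKEY=$DIR_CERT/private/alcasar.key
+SRVREQ=$DIR_CERT/alcasar.req
+FIC_PARAM="/root/ALCASAR-parameters.txt"
+
+CACERT_LIFETIME="1460"
+SRVCERT_LIFETIME="1460"
+COUNTRY="FR"
+PROVINCE="none"
+LOCATION="Paris"
+ORGANIZATION="ALCASAR-Team"
+
+mkdir $DIR_TMP || exit 1
+# dynamic conf file for openssl
+cat <<EOF >$DIR_TMP/ssl.conf
+RANDFILE = $HOME/.rnd
+#
+[ ca ]
+default_ca = AlcasarCA
+
+[ AlcasarCA ]
+dir = $DIR_TMP # Where everything is kept
+certs = \$dir # Where the issued certs are kept
+crl_dir = \$dir # Where the issued crl are kept
+database = \$dir/index.txt # database index file.
+new_certs_dir = \$dir # default place for new certs.
+
+certificate = $CACERT # The CA certificate
+serial = \$dir/serial # The current serial number
+crl = \$dir/crl.pem # The current CRL
+private_key = $CAKEY # The private key
+
+x509_extensions = usr_cert # The extentions to add to the cert
+crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+# attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = FR
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+localityName_default = Lyon
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = your organization name
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 255
+
+emailAddress = Email Address
+emailAddress_max = 255
+
+# SET-ex3 = SET extension number 3
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+#basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = nsCertType
+# For normal client use this is typical
+# nsCertType = client, email
+nsCertType = server
+
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+subjectAltName=email:copy
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_ca ]
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+basicConstraints = critical,CA:true
+# So we do this instead.
+#basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+keyUsage = cRLSign, keyCertSign
+nsCertType = sslCA
+EOF
+
+hostname=`hostname`
+if [ -z "$hostname" ];
+then
+echo "Impossible de déterminer le nom d'hôte !!!"
+exit 1
+fi
+
+# The value for organizationalUnitName must be 64 chars or less;
+# thus, hostname must be 36 chars or less. If it's too big,
+# try removing domain (merci REXY ;-) ).
+hostname_len=`echo $hostname| wc -c`
+
+if [ $hostname_len -gt 36 ];
+then
+hostname=`echo $hostname | cut -d '.' -f 1`
+fi
+
+if [ ! -f /etc/sysconfig/network-scripts/ifcfg-eth1 ]
+then
+echo "Impossible de déterminer l'@-IP"
+exit 1
+fi
+IPADDR=`cat /etc/sysconfig/network-scripts/ifcfg-eth1 |grep IPADDR|cut -d"=" -f2`
+CAMAIL=ca@$hostname
+SRVMAIL=apache@$hostname
+
+echo 01 > $DIR_TMP/serial
+touch $DIR_TMP/index.txt
+
+# CA key
+rm -f $CAKEY
+echo "*********CAKEY*********" > $DIR_TMP/openssl-log
+openssl genrsa -out $CAKEY 1024 2>> $DIR_TMP/openssl-log
+
+# CA certificate
+rm -f $CACERT
+echo "*********CACERT*********" >> $DIR_TMP/openssl-log
+echo "$COUNTRY
+$PROVINCE
+$LOCATION
+$ORGANIZATION
+Certification Authority for $hostname
+ALCASAR-local-CA
+$CAMAIL" |
+openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
+
+# Server key
+rm -f $SRVKEY
+echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
+openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log
+
+# Server certificate "request"
+echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
+echo "$COUNTRY
+$PROVINCE
+$LOCATION
+$ORGANIZATION
+Server certificate for $hostname
+$IPADDR
+$SRVMAIL" |
+openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
+
+# Sign the server certificate "request" to create server certificate
+rm -f $SRVCERT
+echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
+openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
+rm -f $SRVREQ
+chmod a+r $CACERT $SRVCERT
+
+if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
+then
+echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM
+echo " Certificat = $CACERT" >> $FIC_PARAM
+echo " Clée privée = $CAKEY" >> $FIC_PARAM
+echo "- Certificat du serveur : " >> $FIC_PARAM
+echo " Certificat = $SRVCERT" >> $FIC_PARAM
+echo " Clée privée = $SRVKEY" >> $FIC_PARAM
+[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
+rm -f $DIR_WEB/certs/*
+ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.pem
+ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.pem
+rm -rf $DIR_TMP
+exit 0
+else
+echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
+exit 1
+fi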
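Review bot: The `[ AlcasarCA ]` section sets `default_md = md5`, and the `openssl ca` call that signs the server request passes no `-md`, so the issued server certificate is signed with MD5, a digest with known collision attacks that modern TLS clients reject; the same line should become `default_md = sha256`, and since the `[ req ]` section sets no digest the self-signed CA step should likewise be pinned with an explicit `-sha256` on the `openssl req -x509` line. Both `openssl genrsa` calls and `default_bits` generate 1024-bit RSA keys, which is below the commonly accepted 2048-bit minimum for a CA and server key with a four-year lifetime (`openssl genrsa -out $CAKEY 2048 ...`, `openssl genrsa -out $SRVKEY 2048 ...`). `DIR_TMP` is derived from `$$`, which a local user can predict; `mkdir` failing on a pre-created directory only turns this into an unexplained `exit 1`, whereas `DIR_TMP=$(mktemp -d "${TMPDIR-/tmp}/alcasar-mkcert.XXXXXX") || exit 1` avoids both the predictability and the silent failure. The `openssl` invocations are not checked for success, so a failed key or signing step is only noticed by the final `-s` test and a stale `$SRVKEY` could be paired with a freshly generated certificate; adding `|| exit 1` after each `openssl` line would make the failure explicit. Finally, `hostname_len` is computed with `wc -c`, which counts the trailing newline, so the 36-character limit is effectively off by one.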
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |