Subversion Repositories ALCASAR

Rev

Rev 2814 | Rev 2924 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2814 Rev 2922
Line 1... Line 1...
1
#!/bin/sh
1
#!/bin/sh
2
# $Id: alcasar-CA.sh 2814 2020-04-27 22:02:20Z rexy $
2
# $Id: alcasar-CA.sh 2922 2021-02-22 22:48:39Z rexy $
3
 
3
 
4
# alcasar-CA.sh
4
# alcasar-CA.sh
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#
7
#
Line 17... Line 17...
17
SRVREQ=$DIR_CERT/alcasar.req
17
SRVREQ=$DIR_CERT/alcasar.req
18
SRVKEY=$DIR_CERT/private/alcasar.key
18
SRVKEY=$DIR_CERT/private/alcasar.key
19
SRVCERT=$DIR_CERT/certs/alcasar.crt
19
SRVCERT=$DIR_CERT/certs/alcasar.crt
20
SRVPEM=$DIR_CERT/private/alcasar.pem
20
SRVPEM=$DIR_CERT/private/alcasar.pem
21
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
21
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
-
 
22
CONF_FILE="/usr/local/ets/alcasar.conf"
-
 
23
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
-
 
24
DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
-
 
25
DOMAIN=${DOMAIN:=localdomain}
22
 
26
 
23
CACERT_LIFETIME="1460"
27
CACERT_LIFETIME="1460"
24
SRVCERT_LIFETIME="1460"
28
SRVCERT_LIFETIME="1460"
25
COUNTRY="FR"
29
COUNTRY="FR"
26
PROVINCE="none"
30
PROVINCE="none"
Line 35... Line 39...
35
#
39
#
36
[ ca ]
40
[ ca ]
37
default_ca = AlcasarCA
41
default_ca = AlcasarCA
38
 
42
 
39
[ AlcasarCA ]
43
[ AlcasarCA ]
40
dir		= $DIR_TMP		# Where everything is kept
44
dir = $DIR_TMP				# Where everything is kept
41
certs		= \$dir			# Where the issued certs are kept
45
certs = \$dir				# Where the issued certs are kept
42
crl_dir		= \$dir			# Where the issued crl are kept
46
crl_dir	= \$dir				# Where the issued crl are kept
43
database	= \$dir/index.txt	# database index file.
47
database = \$dir/index.txt	# database index file.
44
new_certs_dir	= \$dir			# default place for new certs.
48
new_certs_dir = \$dir		# default place for new certs.
45
 
-
 
46
certificate	= $CACERT	 	# The CA certificate
49
certificate = $CACERT	 	# The CA certificate
47
serial		= \$dir/serial 		# The current serial number
50
serial = \$dir/serial		# The current serial number
48
crl		= \$dir/crl.pem 	# The current CRL
51
crl = \$dir/crl.pem			# The current CRL
49
private_key	= $CAKEY		# The private key
52
private_key = $CAKEY		# The private key
50
 
-
 
51
x509_extensions	= usr_cert		# The extentions to add to the cert
53
x509_extensions = usr_cert	# The extentions to add to the cert
52
crl_extensions	= crl_ext
54
crl_extensions = crl_ext
53
 
-
 
54
default_days	= 365			# how long to certify for
55
default_days = 365			# how long to certify for
55
default_crl_days= 30			# how long before next CRL
56
default_crl_days = 30		# how long before next CRL
56
default_md	= sha256		# which message digest to use.
57
default_md = sha256			# which message digest to use.
57
preserve	= no			# keep passed DN ordering
58
preserve = no				# keep passed DN ordering
58
 
-
 
59
policy		= policy_anything
59
policy = policy_anything
60
 
60
 
61
[ policy_anything ]
61
[ policy_anything ]
62
countryName             = optional
62
countryName             = optional
63
stateOrProvinceName     = optional
63
stateOrProvinceName     = optional
64
localityName            = optional
64
localityName            = optional
Line 69... Line 69...
69
 
69
 
70
[ req ]
70
[ req ]
71
default_bits		= 2048
71
default_bits		= 2048
72
distinguished_name	= req_distinguished_name
72
distinguished_name	= req_distinguished_name
73
# attributes		= req_attributes
73
# attributes		= req_attributes
74
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
-
 
75
 
74
 
76
[ req_distinguished_name ]
75
[ req_distinguished_name ]
77
countryName			= Country Name (2 letter code)
76
countryName = Country Name (2 letter code)
78
countryName_default		= FR
77
countryName_default = FR
79
countryName_min			= 2
78
countryName_min = 2
80
countryName_max			= 2
79
countryName_max = 2
81
 
80
 
82
stateOrProvinceName		= State or Province Name (full name)
81
stateOrProvinceName = State or Province Name (full name)
83
stateOrProvinceName_default	= Some-State
82
stateOrProvinceName_default = Some-State
84
 
83
 
85
localityName			= Locality Name (eg, city)
84
localityName = Locality Name (eg, city)
86
localityName_default		= Lyon
85
localityName_default = Paris
87
 
86
 
88
0.organizationName		= Organization Name (eg, company)
87
0.organizationName = Organization Name (eg, company)
89
0.organizationName_default	= your organization name
88
0.organizationName_default = your organization name
90
 
89
 
91
# we can do this but it is not needed normally :-)
90
# we can do this but it is not needed normally :-)
92
#1.organizationName		= Second Organization Name (eg, company)
91
#1.organizationName = Second Organization Name (eg, company)
93
#1.organizationName_default	= World Wide Web Pty Ltd
92
#1.organizationName_default = World Wide Web Pty Ltd
94
 
-
 
95
organizationalUnitName		= Organizational Unit Name (eg, section)
-
 
96
#organizationalUnitName_default	=
-
 
97
 
93
 
98
commonName			= Common Name (eg, your name or your server\'s hostname)
94
organizationalUnitName = Organizational Unit Name (eg, section)
99
commonName_max			= 255
95
#organizationalUnitName_default =
100
 
96
 
-
 
97
commonName = Common Name (eg, your name or your server\'s hostname)
-
 
98
commonName_max = 255
101
emailAddress			= Email Address
99
emailAddress = Email Address
102
emailAddress_max		= 255
100
emailAddress_max = 255
103
 
-
 
104
# SET-ex3			= SET extension number 3
-
 
105
 
101
 
106
[ usr_cert ]
102
[ usr_cert ]
107
# These extensions are added when 'ca' signs a request.
103
# These extensions are added when 'ca' signs a request.
108
# This goes against PKIX guidelines but some CAs do it and some software
104
# This goes against PKIX guidelines but some CAs do it and some software
109
# requires this to avoid interpreting an end user certificate as a CA.
105
# requires this to avoid interpreting an end user certificate as a CA.
110
#basicConstraints=CA:FALSE
106
basicConstraints=CA:FALSE
111
 
-
 
112
# Here are some examples of the usage of nsCertType. If it is omitted
-
 
113
# the certificate can be used for anything *except* object signing.
-
 
114
 
-
 
115
# This is OK for an SSL server.
-
 
116
# nsCertType			= nsCertType
-
 
117
# For normal client use this is typical
-
 
118
# nsCertType = client, email
-
 
119
nsCertType			= server
107
nsCertType = server
120
 
-
 
121
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
108
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
122
 
-
 
123
# This will be displayed in Netscape's comment listbox.
-
 
124
nsComment			= "OpenSSL Generated Certificate"
-
 
125
 
-
 
126
# PKIX recommendations harmless if included in all certificates.
-
 
127
subjectKeyIdentifier=hash
109
subjectKeyIdentifier = hash
128
authorityKeyIdentifier=keyid,issuer:always
110
authorityKeyIdentifier = keyid,issuer
129
 
111
 
130
# This stuff is for subjectAltName and issuerAltname.
112
# This stuff is for subjectAltName and issuerAltname.
131
# Import the email address.
-
 
132
subjectAltName=email:copy
113
subjectAltName = @alt_names
133
 
-
 
134
# Copy subject details
114
# Copy subject details
135
issuerAltName=issuer:copy
115
issuerAltName = issuer:copy
136
 
116
 
137
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-
 
138
#nsBaseUrl
-
 
139
#nsRevocationUrl
-
 
140
#nsRenewalUrl
-
 
141
#nsCaPolicyUrl
-
 
142
#nsSslServerName
-
 
143
 
-
 
144
[ v3_ca ]
117
[alt_names]
145
# PKIX recommendation.
-
 
146
subjectKeyIdentifier=hash
-
 
147
authorityKeyIdentifier=keyid:always,issuer:always
-
 
148
 
-
 
149
# This is what PKIX recommends but some broken software chokes on critical
-
 
150
# extensions.
-
 
151
basicConstraints = critical,CA:true
-
 
152
# So we do this instead.
118
DNS.1 = $HOSTNAME.$DOMAIN
153
#basicConstraints = CA:true
-
 
154
 
-
 
155
# Key usage: this is typical for a CA certificate. However since it will
-
 
156
# prevent it being used as an test self-signed certificate it is best
-
 
157
# left out by default.
-
 
158
keyUsage = cRLSign, keyCertSign
-
 
159
nsCertType = sslCA
-
 
160
EOF
-
 
161
 
119
 
162
hostname=`hostname`
-
 
163
if [ -z "$hostname" ];
-
 
164
then
-
 
165
 echo "Impossible de déterminer le nom d'hôte !!!"
-
 
166
 exit 1
-
 
167
fi
120
EOF
168
 
121
 
169
# The value for organizationalUnitName must be 64 chars or less;
122
# The value for organizationalUnitName must be 64 chars or less;
170
#   thus, hostname must be 36 chars or less. If it's too big,
123
#   thus, hostname must be 36 chars or less. If it's too big,
171
#   try removing domain (merci REXY ;-) ).
124
#   try removing domain (merci REXY ;-) ).
172
hostname_len=`echo $hostname| wc -c`
125
hostname_len=`echo $HOSTNAME| wc -c`
173
if [ $hostname_len -gt 36 ];
126
if [ $hostname_len -gt 36 ];
174
then
127
then
175
	hostname=`echo $hostname | cut -d '.' -f 1`
128
	HOSTNAME=`echo $HOSTNAME | cut -d '.' -f 1`
176
fi
129
fi
177
 
130
 
178
CAMAIL=
131
CAMAIL=
179
SRVMAIL=
132
SRVMAIL=
180
 
133
 
Line 191... Line 144...
191
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
144
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
192
echo "$COUNTRY
145
echo "$COUNTRY
193
$PROVINCE
146
$PROVINCE
194
$LOCATION
147
$LOCATION
195
$ORGANIZATION
148
$ORGANIZATION
196
Certification Authority for $hostname
149
Certification Authority for $HOSTNAME.$DOMAIN
197
$hostname-local-CA
150
$HOSTNAME-local-CA
198
$CAMAIL" | 
151
$CAMAIL" | 
199
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
152
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
200
 
153
 
201
# Server key
154
# Server key
202
rm -f $SRVKEY	
155
rm -f $SRVKEY	
Line 207... Line 160...
207
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
160
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
208
echo "$COUNTRY
161
echo "$COUNTRY
209
$PROVINCE
162
$PROVINCE
210
$LOCATION
163
$LOCATION
211
$ORGANIZATION
164
$ORGANIZATION
212
Server certificate for $hostname
165
Server certificate for $HOSTNAME.$DOMAIN
213
$hostname
166
$HOSTNAME.$DOMAIN
214
$SRVMAIL" | 
167
$SRVMAIL" | 
215
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
168
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
216
 
169
 
217
# Sign the server certificate "request" to create server certificate
170
# Sign the server certificate "request" to create server certificate
218
rm -f $SRVCERT
171
rm -f $SRVCERT
219
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
172
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
220
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
173
openssl ca -config $DIR_TMP/ssl.conf -name $HOSTNAME-local-CA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
221
rm -f $SRVREQ
174
rm -f $SRVREQ
222
 
175
 
223
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
176
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
224
cp -f $CACERT $SRVCHAIN
177
cp -f $CACERT $SRVCHAIN
225
 
178