WebSVN – ALCASAR – Diff – /scripts/alcasar-CA.sh


#!/bin/sh
# $Id: alcasar-CA.sh 247 2010-09-13 16:54:46Z franck $
 
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> 
# and Michel Arboi <arboi@alussinan.org>
#
 
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
DIR_WEB=/var/www/html
CACERT=$DIR_PKI/CA/alcasar-ca.crt
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVKEY=$DIR_CERT/private/alcasar.key
SRVREQ=$DIR_CERT/alcasar.req
FIC_PARAM="/root/ALCASAR-parameters.txt"
 
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
COUNTRY="FR"
PROVINCE="none"
LOCATION="Paris"
ORGANIZATION="ALCASAR-Team"
 
mkdir $DIR_TMP || exit 1
# dynamic conf file for openssl
cat <<EOF >$DIR_TMP/ssl.conf
RANDFILE		= $HOME/.rnd
#
[ ca ]
default_ca = AlcasarCA
 
[ AlcasarCA ]
dir		= $DIR_TMP		# Where everything is kept
certs		= \$dir			# Where the issued certs are kept
crl_dir		= \$dir			# Where the issued crl are kept
database	= \$dir/index.txt	# database index file.
new_certs_dir	= \$dir			# default place for new certs.
 
certificate	= $CACERT	 	# The CA certificate
serial		= \$dir/serial 		# The current serial number
crl		= \$dir/crl.pem 	# The current CRL
private_key	= $CAKEY		# The private key
 
x509_extensions	= usr_cert		# The extentions to add to the cert
crl_extensions	= crl_ext
 
default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= md5			# which md to use.
preserve	= no			# keep passed DN ordering
 
policy		= policy_anything
 
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ req ]
default_bits		= 1024
distinguished_name	= req_distinguished_name
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= FR
countryName_min			= 2
countryName_max			= 2
 
stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State
 
localityName			= Locality Name (eg, city)
localityName_default		= Lyon
 
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= your organization name
 
# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd
 
organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
 
commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 255
 
emailAddress			= Email Address
emailAddress_max		= 255
 
# SET-ex3			= SET extension number 3
 
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType			= nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType			= server
 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
 
# Copy subject details
issuerAltName=issuer:copy
 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF
 
hostname=`hostname`
if [ -z "$hostname" ];
then
 echo "Impossible de déterminer le nom d'hôte !!!"
 exit 1
fi
 
# The value for organizationalUnitName must be 64 chars or less;
#   thus, hostname must be 36 chars or less. If it's too big,
#   try removing domain (merci REXY ;-) ).
hostname_len=`echo $hostname| wc -c`
 
if [ $hostname_len -gt 36 ];
then
  hostname=`echo $hostname | cut -d '.' -f 1`
fi
 
if [ ! -f /etc/sysconfig/network-scripts/ifcfg-eth1 ]
then
  echo "Impossible de déterminer l'@-IP"
  exit 1
fi
IPADDR=`cat /etc/sysconfig/network-scripts/ifcfg-eth1 |grep IPADDR|cut -d"=" -f2`
CAMAIL=ca@$hostname
SRVMAIL=apache@$hostname
 
echo 01 > $DIR_TMP/serial
touch $DIR_TMP/index.txt
 
# CA key
rm -f $CAKEY
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
openssl genrsa -out $CAKEY  1024 2>> $DIR_TMP/openssl-log
 
# CA certificate
rm -f $CACERT
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Certification Authority for $hostname
ALCASAR-local-CA
$CAMAIL" |
	openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
 
# Server key
rm -f $SRVKEY	
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log
 
# Server certificate "request"
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Server certificate for $hostname
$IPADDR
$SRVMAIL" | 
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
 
# Sign the server certificate "request" to create server certificate
rm -f $SRVCERT
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
rm -f $SRVREQ
chmod a+r $CACERT $SRVCERT 
 
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
 then
 echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM
 echo "   Certificat = $CACERT" >> $FIC_PARAM
 echo "   Clée privée = $CAKEY" >> $FIC_PARAM
 echo "- Certificat du serveur : " >> $FIC_PARAM
 echo "    Certificat = $SRVCERT" >> $FIC_PARAM
 echo "    Clée privée = $SRVKEY" >> $FIC_PARAM
 [ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
 rm -f $DIR_WEB/certs/*
 ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
 ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
 rm -rf $DIR_TMP
 exit 0
else
 echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
 exit 1
fi
 

Rev 139	Rev 247
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: alcasar-CA.sh 139 2010-05-26 21:37:30Z richard $`	2	`# $Id: alcasar-CA.sh 247 2010-09-13 16:54:46Z franck $`
3		3
4	`# alcasar-CA.sh`	4	`# alcasar-CA.sh`
5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`	5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`#`	7	`#`
8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`	8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`
9	`# and Michel Arboi <arboi@alussinan.org>`	9	`# and Michel Arboi <arboi@alussinan.org>`
10	`#`	10	`#`
11		11
12	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`	12	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`
13	`DIR_PKI=/etc/pki`	13	`DIR_PKI=/etc/pki`
14	`DIR_CERT=$DIR_PKI/tls`	14	`DIR_CERT=$DIR_PKI/tls`
15	`DIR_WEB=/var/www/html`	15	`DIR_WEB=/var/www/html`
16	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`	16	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`
17	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`	17	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`
18	`SRVCERT=$DIR_CERT/certs/alcasar.crt`	18	`SRVCERT=$DIR_CERT/certs/alcasar.crt`
19	`SRVKEY=$DIR_CERT/private/alcasar.key`	19	`SRVKEY=$DIR_CERT/private/alcasar.key`
20	`SRVREQ=$DIR_CERT/alcasar.req`	20	`SRVREQ=$DIR_CERT/alcasar.req`
21	`FIC_PARAM="/root/ALCASAR-parameters.txt"`	21	`FIC_PARAM="/root/ALCASAR-parameters.txt"`
22		22
23	`CACERT_LIFETIME="1460"`	23	`CACERT_LIFETIME="1460"`
24	`SRVCERT_LIFETIME="1460"`	24	`SRVCERT_LIFETIME="1460"`
25	`COUNTRY="FR"`	25	`COUNTRY="FR"`
26	`PROVINCE="none"`	26	`PROVINCE="none"`
27	`LOCATION="Paris"`	27	`LOCATION="Paris"`
28	`ORGANIZATION="ALCASAR-Team"`	28	`ORGANIZATION="ALCASAR-Team"`
29		29
30	`mkdir $DIR_TMP \|\| exit 1`	30	`mkdir $DIR_TMP \|\| exit 1`
31	`# dynamic conf file for openssl`	31	`# dynamic conf file for openssl`
32	`cat <<EOF >$DIR_TMP/ssl.conf`	32	`cat <<EOF >$DIR_TMP/ssl.conf`
33	`RANDFILE = $HOME/.rnd`	33	`RANDFILE = $HOME/.rnd`
34	`#`	34	`#`
35	`[ ca ]`	35	`[ ca ]`
36	`default_ca = AlcasarCA`	36	`default_ca = AlcasarCA`
37		37
38	`[ AlcasarCA ]`	38	`[ AlcasarCA ]`
39	`dir = $DIR_TMP # Where everything is kept`	39	`dir = $DIR_TMP # Where everything is kept`
40	`certs = \$dir # Where the issued certs are kept`	40	`certs = \$dir # Where the issued certs are kept`
41	`crl_dir = \$dir # Where the issued crl are kept`	41	`crl_dir = \$dir # Where the issued crl are kept`
42	`database = \$dir/index.txt # database index file.`	42	`database = \$dir/index.txt # database index file.`
43	`new_certs_dir = \$dir # default place for new certs.`	43	`new_certs_dir = \$dir # default place for new certs.`
44		44
45	`certificate = $CACERT # The CA certificate`	45	`certificate = $CACERT # The CA certificate`
46	`serial = \$dir/serial # The current serial number`	46	`serial = \$dir/serial # The current serial number`
47	`crl = \$dir/crl.pem # The current CRL`	47	`crl = \$dir/crl.pem # The current CRL`
48	`private_key = $CAKEY # The private key`	48	`private_key = $CAKEY # The private key`
49		49
50	`x509_extensions = usr_cert # The extentions to add to the cert`	50	`x509_extensions = usr_cert # The extentions to add to the cert`
51	`crl_extensions = crl_ext`	51	`crl_extensions = crl_ext`
52		52
53	`default_days = 365 # how long to certify for`	53	`default_days = 365 # how long to certify for`
54	`default_crl_days= 30 # how long before next CRL`	54	`default_crl_days= 30 # how long before next CRL`
55	`default_md = md5 # which md to use.`	55	`default_md = md5 # which md to use.`
56	`preserve = no # keep passed DN ordering`	56	`preserve = no # keep passed DN ordering`
57		57
58	`policy = policy_anything`	58	`policy = policy_anything`
59		59
60	`[ policy_anything ]`	60	`[ policy_anything ]`
61	`countryName = optional`	61	`countryName = optional`
62	`stateOrProvinceName = optional`	62	`stateOrProvinceName = optional`
63	`localityName = optional`	63	`localityName = optional`
64	`organizationName = optional`	64	`organizationName = optional`
65	`organizationalUnitName = optional`	65	`organizationalUnitName = optional`
66	`commonName = supplied`	66	`commonName = supplied`
67	`emailAddress = optional`	67	`emailAddress = optional`
68		68
69	`[ req ]`	69	`[ req ]`
70	`default_bits = 1024`	70	`default_bits = 1024`
71	`distinguished_name = req_distinguished_name`	71	`distinguished_name = req_distinguished_name`
72	`# attributes = req_attributes`	72	`# attributes = req_attributes`
73	`x509_extensions = v3_ca # The extentions to add to the self signed cert`	73	`x509_extensions = v3_ca # The extentions to add to the self signed cert`
74		74
75	`[ req_distinguished_name ]`	75	`[ req_distinguished_name ]`
76	`countryName = Country Name (2 letter code)`	76	`countryName = Country Name (2 letter code)`
77	`countryName_default = FR`	77	`countryName_default = FR`
78	`countryName_min = 2`	78	`countryName_min = 2`
79	`countryName_max = 2`	79	`countryName_max = 2`
80		80
81	`stateOrProvinceName = State or Province Name (full name)`	81	`stateOrProvinceName = State or Province Name (full name)`
82	`stateOrProvinceName_default = Some-State`	82	`stateOrProvinceName_default = Some-State`
83		83
84	`localityName = Locality Name (eg, city)`	84	`localityName = Locality Name (eg, city)`
85	`localityName_default = Lyon`	85	`localityName_default = Lyon`
86		86
87	`0.organizationName = Organization Name (eg, company)`	87	`0.organizationName = Organization Name (eg, company)`
88	`0.organizationName_default = your organization name`	88	`0.organizationName_default = your organization name`
89		89
90	`# we can do this but it is not needed normally :-)`	90	`# we can do this but it is not needed normally :-)`
91	`#1.organizationName = Second Organization Name (eg, company)`	91	`#1.organizationName = Second Organization Name (eg, company)`
92	`#1.organizationName_default = World Wide Web Pty Ltd`	92	`#1.organizationName_default = World Wide Web Pty Ltd`
93		93
94	`organizationalUnitName = Organizational Unit Name (eg, section)`	94	`organizationalUnitName = Organizational Unit Name (eg, section)`
95	`#organizationalUnitName_default =`	95	`#organizationalUnitName_default =`
96		96
97	`commonName = Common Name (eg, your name or your server\'s hostname)`	97	`commonName = Common Name (eg, your name or your server\'s hostname)`
98	`commonName_max = 255`	98	`commonName_max = 255`
99		99
100	`emailAddress = Email Address`	100	`emailAddress = Email Address`
101	`emailAddress_max = 255`	101	`emailAddress_max = 255`
102		102
103	`# SET-ex3 = SET extension number 3`	103	`# SET-ex3 = SET extension number 3`
104		104
105	`[ usr_cert ]`	105	`[ usr_cert ]`
106	`# These extensions are added when 'ca' signs a request.`	106	`# These extensions are added when 'ca' signs a request.`
107	`# This goes against PKIX guidelines but some CAs do it and some software`	107	`# This goes against PKIX guidelines but some CAs do it and some software`
108	`# requires this to avoid interpreting an end user certificate as a CA.`	108	`# requires this to avoid interpreting an end user certificate as a CA.`
109	`#basicConstraints=CA:FALSE`	109	`#basicConstraints=CA:FALSE`
110		110
111	`# Here are some examples of the usage of nsCertType. If it is omitted`	111	`# Here are some examples of the usage of nsCertType. If it is omitted`
112	`# the certificate can be used for anything except object signing.`	112	`# the certificate can be used for anything except object signing.`
113		113
114	`# This is OK for an SSL server.`	114	`# This is OK for an SSL server.`
115	`# nsCertType = nsCertType`	115	`# nsCertType = nsCertType`
116	`# For normal client use this is typical`	116	`# For normal client use this is typical`
117	`# nsCertType = client, email`	117	`# nsCertType = client, email`
118	`nsCertType = server`	118	`nsCertType = server`
119		119
120	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`	120	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
121		121
122	`# This will be displayed in Netscape's comment listbox.`	122	`# This will be displayed in Netscape's comment listbox.`
123	`nsComment = "OpenSSL Generated Certificate"`	123	`nsComment = "OpenSSL Generated Certificate"`
124		124
125	`# PKIX recommendations harmless if included in all certificates.`	125	`# PKIX recommendations harmless if included in all certificates.`
126	`subjectKeyIdentifier=hash`	126	`subjectKeyIdentifier=hash`
127	`authorityKeyIdentifier=keyid,issuer:always`	127	`authorityKeyIdentifier=keyid,issuer:always`
128		128
129	`# This stuff is for subjectAltName and issuerAltname.`	129	`# This stuff is for subjectAltName and issuerAltname.`
130	`# Import the email address.`	130	`# Import the email address.`
131	`subjectAltName=email:copy`	131	`subjectAltName=email:copy`
132		132
133	`# Copy subject details`	133	`# Copy subject details`
134	`issuerAltName=issuer:copy`	134	`issuerAltName=issuer:copy`
135		135
136	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`	136	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`
137	`#nsBaseUrl`	137	`#nsBaseUrl`
138	`#nsRevocationUrl`	138	`#nsRevocationUrl`
139	`#nsRenewalUrl`	139	`#nsRenewalUrl`
140	`#nsCaPolicyUrl`	140	`#nsCaPolicyUrl`
141	`#nsSslServerName`	141	`#nsSslServerName`
142		142
143	`[ v3_ca ]`	143	`[ v3_ca ]`
144	`# PKIX recommendation.`	144	`# PKIX recommendation.`
145	`subjectKeyIdentifier=hash`	145	`subjectKeyIdentifier=hash`
146	`authorityKeyIdentifier=keyid:always,issuer:always`	146	`authorityKeyIdentifier=keyid:always,issuer:always`
147		147
148	`# This is what PKIX recommends but some broken software chokes on critical`	148	`# This is what PKIX recommends but some broken software chokes on critical`
149	`# extensions.`	149	`# extensions.`
150	`basicConstraints = critical,CA:true`	150	`basicConstraints = critical,CA:true`
151	`# So we do this instead.`	151	`# So we do this instead.`
152	`#basicConstraints = CA:true`	152	`#basicConstraints = CA:true`
153		153
154	`# Key usage: this is typical for a CA certificate. However since it will`	154	`# Key usage: this is typical for a CA certificate. However since it will`
155	`# prevent it being used as an test self-signed certificate it is best`	155	`# prevent it being used as an test self-signed certificate it is best`
156	`# left out by default.`	156	`# left out by default.`
157	`keyUsage = cRLSign, keyCertSign`	157	`keyUsage = cRLSign, keyCertSign`
158	`nsCertType = sslCA`	158	`nsCertType = sslCA`
159	`EOF`	159	`EOF`
160		160
161	hostname=`hostname`	161	hostname=`hostname`
162	`if [ -z "$hostname" ];`	162	`if [ -z "$hostname" ];`
163	`then`	163	`then`
164	`echo "Impossible de déterminer le nom d'hôte !!!"`	164	`echo "Impossible de déterminer le nom d'hôte !!!"`
165	`exit 1`	165	`exit 1`
166	`fi`	166	`fi`
167		167
168	`# The value for organizationalUnitName must be 64 chars or less;`	168	`# The value for organizationalUnitName must be 64 chars or less;`
169	`# thus, hostname must be 36 chars or less. If it's too big,`	169	`# thus, hostname must be 36 chars or less. If it's too big,`
170	`# try removing domain (merci REXY ;-) ).`	170	`# try removing domain (merci REXY ;-) ).`
171	hostname_len=`echo $hostname\| wc -c`	171	hostname_len=`echo $hostname\| wc -c`
172		172
173	`if [ $hostname_len -gt 36 ];`	173	`if [ $hostname_len -gt 36 ];`
174	`then`	174	`then`
175	hostname=`echo $hostname \| cut -d '.' -f 1`	175	hostname=`echo $hostname \| cut -d '.' -f 1`
176	`fi`	176	`fi`
177		177
178	`if [ ! -f /etc/sysconfig/network-scripts/ifcfg-eth1 ]`	178	`if [ ! -f /etc/sysconfig/network-scripts/ifcfg-eth1 ]`
179	`then`	179	`then`
180	`echo "Impossible de déterminer l'@-IP"`	180	`echo "Impossible de déterminer l'@-IP"`
181	`exit 1`	181	`exit 1`
182	`fi`	182	`fi`
183	IPADDR=`cat /etc/sysconfig/network-scripts/ifcfg-eth1 \|grep IPADDR\|cut -d"=" -f2`	183	IPADDR=`cat /etc/sysconfig/network-scripts/ifcfg-eth1 \|grep IPADDR\|cut -d"=" -f2`
184	`CAMAIL=ca@$hostname`	184	`CAMAIL=ca@$hostname`
185	`SRVMAIL=apache@$hostname`	185	`SRVMAIL=apache@$hostname`
186		186
187	`echo 01 > $DIR_TMP/serial`	187	`echo 01 > $DIR_TMP/serial`
188	`touch $DIR_TMP/index.txt`	188	`touch $DIR_TMP/index.txt`
189		189
190	`# CA key`	190	`# CA key`
191	`rm -f $CAKEY`	191	`rm -f $CAKEY`
192	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`	192	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`
193	`openssl genrsa -out $CAKEY 1024 2>> $DIR_TMP/openssl-log`	193	`openssl genrsa -out $CAKEY 1024 2>> $DIR_TMP/openssl-log`
194		194
195	`# CA certificate`	195	`# CA certificate`
196	`rm -f $CACERT`	196	`rm -f $CACERT`
197	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`	197	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`
198	`echo "$COUNTRY`	198	`echo "$COUNTRY`
199	`$PROVINCE`	199	`$PROVINCE`
200	`$LOCATION`	200	`$LOCATION`
201	`$ORGANIZATION`	201	`$ORGANIZATION`
202	`Certification Authority for $hostname`	202	`Certification Authority for $hostname`
203	`ALCASAR-local-CA`	203	`ALCASAR-local-CA`
204	`$CAMAIL" \|`	204	`$CAMAIL" \|`
205	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`	205	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`
206		206
207	`# Server key`	207	`# Server key`
208	`rm -f $SRVKEY`	208	`rm -f $SRVKEY`
209	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`	209	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`
210	`openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log`	210	`openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log`
211		211
212	`# Server certificate "request"`	212	`# Server certificate "request"`
213	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`	213	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`
214	`echo "$COUNTRY`	214	`echo "$COUNTRY`
215	`$PROVINCE`	215	`$PROVINCE`
216	`$LOCATION`	216	`$LOCATION`
217	`$ORGANIZATION`	217	`$ORGANIZATION`
218	`Server certificate for $hostname`	218	`Server certificate for $hostname`
219	`$IPADDR`	219	`$IPADDR`
220	`$SRVMAIL" \|`	220	`$SRVMAIL" \|`
221	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`	221	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`
222		222
223	`# Sign the server certificate "request" to create server certificate`	223	`# Sign the server certificate "request" to create server certificate`
224	`rm -f $SRVCERT`	224	`rm -f $SRVCERT`
225	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`	225	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`
226	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`	226	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`
227	`rm -f $SRVREQ`	227	`rm -f $SRVREQ`
228	`chmod a+r $CACERT $SRVCERT`	228	`chmod a+r $CACERT $SRVCERT`
229		229
230	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`	230	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`
231	`then`	231	`then`
232	`echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM`	232	`echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM`
233	`echo " Certificat = $CACERT" >> $FIC_PARAM`	233	`echo " Certificat = $CACERT" >> $FIC_PARAM`
234	`echo " Clée privée = $CAKEY" >> $FIC_PARAM`	234	`echo " Clée privée = $CAKEY" >> $FIC_PARAM`
235	`echo "- Certificat du serveur : " >> $FIC_PARAM`	235	`echo "- Certificat du serveur : " >> $FIC_PARAM`
236	`echo " Certificat = $SRVCERT" >> $FIC_PARAM`	236	`echo " Certificat = $SRVCERT" >> $FIC_PARAM`
237	`echo " Clée privée = $SRVKEY" >> $FIC_PARAM`	237	`echo " Clée privée = $SRVKEY" >> $FIC_PARAM`
238	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`	238	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`
239	`rm -f $DIR_WEB/certs/*`	239	`rm -f $DIR_WEB/certs/*`
240	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`	240	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`
241	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`	241	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`
242	`rm -rf $DIR_TMP`	242	`rm -rf $DIR_TMP`
243	`exit 0`	243	`exit 0`
244	`else`	244	`else`
245	`echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM`	245	`echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM`
246	`exit 1`	246	`exit 1`
247	`fi`	247	`fi`
248		248

Subversion Repositories ALCASAR

(root)/scripts/alcasar-CA.sh – Rev 139 → 247