WebSVN – ALCASAR – Diff – /scripts/alcasar-CA.sh


#!/bin/sh
# $Id: alcasar-CA.sh 2488 2018-02-25 14:53:54Z lucas.echard $
 
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
# and Michel Arboi <arboi@alussinan.org>
#
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
DIR_WEB=/var/www/html
CACERT=$DIR_PKI/CA/alcasar-ca.crt
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
SRVREQ=$DIR_CERT/alcasar.req
SRVKEY=$DIR_CERT/private/alcasar.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVPEM=$DIR_CERT/private/alcasar.pem
SRVCHAIN=$DIR_CERT/certs/server-chain.crt
 
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
COUNTRY="FR"
PROVINCE="none"
LOCATION="Paris"
ORGANIZATION="ALCASAR-Team"
 
mkdir $DIR_TMP || exit 1
# dynamic conf file for openssl
cat <<EOF >$DIR_TMP/ssl.conf
RANDFILE		= $HOME/.rnd
#
[ ca ]
default_ca = AlcasarCA
 
[ AlcasarCA ]
dir		= $DIR_TMP		# Where everything is kept
certs		= \$dir			# Where the issued certs are kept
crl_dir		= \$dir			# Where the issued crl are kept
database	= \$dir/index.txt	# database index file.
new_certs_dir	= \$dir			# default place for new certs.
 
certificate	= $CACERT	 	# The CA certificate
serial		= \$dir/serial 		# The current serial number
crl		= \$dir/crl.pem 	# The current CRL
private_key	= $CAKEY		# The private key
 
x509_extensions	= usr_cert		# The extentions to add to the cert
crl_extensions	= crl_ext
 
default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# which message digest to use.
preserve	= no			# keep passed DN ordering
 
policy		= policy_anything
 
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ req ]
default_bits		= 2048
distinguished_name	= req_distinguished_name
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= FR
countryName_min			= 2
countryName_max			= 2
 
stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State
 
localityName			= Locality Name (eg, city)
localityName_default		= Lyon
 
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= your organization name
 
# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd
 
organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
 
commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 255
 
emailAddress			= Email Address
emailAddress_max		= 255
 
# SET-ex3			= SET extension number 3
 
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType			= nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType			= server
 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
 
# Copy subject details
issuerAltName=issuer:copy
 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF
 
hostname=`hostname`
if [ -z "$hostname" ];
then
 echo "Impossible de déterminer le nom d'hôte !!!"
 exit 1
fi
 
# The value for organizationalUnitName must be 64 chars or less;
#   thus, hostname must be 36 chars or less. If it's too big,
#   try removing domain (merci REXY ;-) ).
hostname_len=`echo $hostname| wc -c`
if [ $hostname_len -gt 36 ];
then
	hostname=`echo $hostname | cut -d '.' -f 1`
fi
 
CAMAIL=ca@$hostname
SRVMAIL=apache@$hostname
 
echo 01 > $DIR_TMP/serial
touch $DIR_TMP/index.txt
 
# CA key
rm -f $CAKEY
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
openssl genrsa -out $CAKEY  2048 2>> $DIR_TMP/openssl-log
 
# CA certificate
rm -f $CACERT
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Certification Authority for $hostname
ALCASAR-local-CA
$CAMAIL" | 
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
 
# Server key
rm -f $SRVKEY	
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
 
# Server certificate "request"
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Server certificate for $hostname
$hostname
$SRVMAIL" | 
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
 
# Sign the server certificate "request" to create server certificate
rm -f $SRVCERT
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
rm -f $SRVREQ
cp -f $SRVCERT $SRVCHAIN  # in order to simplify the official intranet certificate import process
cat $SRVKEY $SRVCERT > $SRVPEM
chmod a+r $CACERT $SRVCERT $SRVCHAIN
 
# Link certs in ALCASAR Control Center
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
	then
	[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
	rm -f $DIR_WEB/certs/*
	ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
	ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
	rm -rf $DIR_TMP
	exit 0
else
	echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
	exit 1
fi
 

Rev 2454	Rev 2488
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: alcasar-CA.sh 2454 2017-12-09 18:59:31Z tom.houdayer $`	2	`# $Id: alcasar-CA.sh 2488 2018-02-25 14:53:54Z lucas.echard $`
3		3
4	`# alcasar-CA.sh`	4	`# alcasar-CA.sh`
5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`	5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`#`	7	`#`
8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`	8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`
9	`# and Michel Arboi <arboi@alussinan.org>`	9	`# and Michel Arboi <arboi@alussinan.org>`
10	`#`	10	`#`
11	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`	11	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`
12	`DIR_PKI=/etc/pki`	12	`DIR_PKI=/etc/pki`
13	`DIR_CERT=$DIR_PKI/tls`	13	`DIR_CERT=$DIR_PKI/tls`
14	`DIR_WEB=/var/www/html`	14	`DIR_WEB=/var/www/html`
15	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`	15	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`
16	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`	16	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`
17	`SRVREQ=$DIR_CERT/alcasar.req`	17	`SRVREQ=$DIR_CERT/alcasar.req`
18	`SRVKEY=$DIR_CERT/private/alcasar.key`	18	`SRVKEY=$DIR_CERT/private/alcasar.key`
19	`SRVCERT=$DIR_CERT/certs/alcasar.crt`	19	`SRVCERT=$DIR_CERT/certs/alcasar.crt`
-		20	`SRVPEM=$DIR_CERT/private/alcasar.pem`
20	`SRVCHAIN=$DIR_CERT/certs/server-chain.crt`	21	`SRVCHAIN=$DIR_CERT/certs/server-chain.crt`
21		22
22	`CACERT_LIFETIME="1460"`	23	`CACERT_LIFETIME="1460"`
23	`SRVCERT_LIFETIME="1460"`	24	`SRVCERT_LIFETIME="1460"`
24	`COUNTRY="FR"`	25	`COUNTRY="FR"`
25	`PROVINCE="none"`	26	`PROVINCE="none"`
26	`LOCATION="Paris"`	27	`LOCATION="Paris"`
27	`ORGANIZATION="ALCASAR-Team"`	28	`ORGANIZATION="ALCASAR-Team"`
28		29
29	`mkdir $DIR_TMP \|\| exit 1`	30	`mkdir $DIR_TMP \|\| exit 1`
30	`# dynamic conf file for openssl`	31	`# dynamic conf file for openssl`
31	`cat <<EOF >$DIR_TMP/ssl.conf`	32	`cat <<EOF >$DIR_TMP/ssl.conf`
32	`RANDFILE = $HOME/.rnd`	33	`RANDFILE = $HOME/.rnd`
33	`#`	34	`#`
34	`[ ca ]`	35	`[ ca ]`
35	`default_ca = AlcasarCA`	36	`default_ca = AlcasarCA`
36		37
37	`[ AlcasarCA ]`	38	`[ AlcasarCA ]`
38	`dir = $DIR_TMP # Where everything is kept`	39	`dir = $DIR_TMP # Where everything is kept`
39	`certs = \$dir # Where the issued certs are kept`	40	`certs = \$dir # Where the issued certs are kept`
40	`crl_dir = \$dir # Where the issued crl are kept`	41	`crl_dir = \$dir # Where the issued crl are kept`
41	`database = \$dir/index.txt # database index file.`	42	`database = \$dir/index.txt # database index file.`
42	`new_certs_dir = \$dir # default place for new certs.`	43	`new_certs_dir = \$dir # default place for new certs.`
43		44
44	`certificate = $CACERT # The CA certificate`	45	`certificate = $CACERT # The CA certificate`
45	`serial = \$dir/serial # The current serial number`	46	`serial = \$dir/serial # The current serial number`
46	`crl = \$dir/crl.pem # The current CRL`	47	`crl = \$dir/crl.pem # The current CRL`
47	`private_key = $CAKEY # The private key`	48	`private_key = $CAKEY # The private key`
48		49
49	`x509_extensions = usr_cert # The extentions to add to the cert`	50	`x509_extensions = usr_cert # The extentions to add to the cert`
50	`crl_extensions = crl_ext`	51	`crl_extensions = crl_ext`
51		52
52	`default_days = 365 # how long to certify for`	53	`default_days = 365 # how long to certify for`
53	`default_crl_days= 30 # how long before next CRL`	54	`default_crl_days= 30 # how long before next CRL`
54	`default_md = sha256 # which message digest to use.`	55	`default_md = sha256 # which message digest to use.`
55	`preserve = no # keep passed DN ordering`	56	`preserve = no # keep passed DN ordering`
56		57
57	`policy = policy_anything`	58	`policy = policy_anything`
58		59
59	`[ policy_anything ]`	60	`[ policy_anything ]`
60	`countryName = optional`	61	`countryName = optional`
61	`stateOrProvinceName = optional`	62	`stateOrProvinceName = optional`
62	`localityName = optional`	63	`localityName = optional`
63	`organizationName = optional`	64	`organizationName = optional`
64	`organizationalUnitName = optional`	65	`organizationalUnitName = optional`
65	`commonName = supplied`	66	`commonName = supplied`
66	`emailAddress = optional`	67	`emailAddress = optional`
67		68
68	`[ req ]`	69	`[ req ]`
69	`default_bits = 2048`	70	`default_bits = 2048`
70	`distinguished_name = req_distinguished_name`	71	`distinguished_name = req_distinguished_name`
71	`# attributes = req_attributes`	72	`# attributes = req_attributes`
72	`x509_extensions = v3_ca # The extentions to add to the self signed cert`	73	`x509_extensions = v3_ca # The extentions to add to the self signed cert`
73		74
74	`[ req_distinguished_name ]`	75	`[ req_distinguished_name ]`
75	`countryName = Country Name (2 letter code)`	76	`countryName = Country Name (2 letter code)`
76	`countryName_default = FR`	77	`countryName_default = FR`
77	`countryName_min = 2`	78	`countryName_min = 2`
78	`countryName_max = 2`	79	`countryName_max = 2`
79		80
80	`stateOrProvinceName = State or Province Name (full name)`	81	`stateOrProvinceName = State or Province Name (full name)`
81	`stateOrProvinceName_default = Some-State`	82	`stateOrProvinceName_default = Some-State`
82		83
83	`localityName = Locality Name (eg, city)`	84	`localityName = Locality Name (eg, city)`
84	`localityName_default = Lyon`	85	`localityName_default = Lyon`
85		86
86	`0.organizationName = Organization Name (eg, company)`	87	`0.organizationName = Organization Name (eg, company)`
87	`0.organizationName_default = your organization name`	88	`0.organizationName_default = your organization name`
88		89
89	`# we can do this but it is not needed normally :-)`	90	`# we can do this but it is not needed normally :-)`
90	`#1.organizationName = Second Organization Name (eg, company)`	91	`#1.organizationName = Second Organization Name (eg, company)`
91	`#1.organizationName_default = World Wide Web Pty Ltd`	92	`#1.organizationName_default = World Wide Web Pty Ltd`
92		93
93	`organizationalUnitName = Organizational Unit Name (eg, section)`	94	`organizationalUnitName = Organizational Unit Name (eg, section)`
94	`#organizationalUnitName_default =`	95	`#organizationalUnitName_default =`
95		96
96	`commonName = Common Name (eg, your name or your server\'s hostname)`	97	`commonName = Common Name (eg, your name or your server\'s hostname)`
97	`commonName_max = 255`	98	`commonName_max = 255`
98		99
99	`emailAddress = Email Address`	100	`emailAddress = Email Address`
100	`emailAddress_max = 255`	101	`emailAddress_max = 255`
101		102
102	`# SET-ex3 = SET extension number 3`	103	`# SET-ex3 = SET extension number 3`
103		104
104	`[ usr_cert ]`	105	`[ usr_cert ]`
105	`# These extensions are added when 'ca' signs a request.`	106	`# These extensions are added when 'ca' signs a request.`
106	`# This goes against PKIX guidelines but some CAs do it and some software`	107	`# This goes against PKIX guidelines but some CAs do it and some software`
107	`# requires this to avoid interpreting an end user certificate as a CA.`	108	`# requires this to avoid interpreting an end user certificate as a CA.`
108	`#basicConstraints=CA:FALSE`	109	`#basicConstraints=CA:FALSE`
109		110
110	`# Here are some examples of the usage of nsCertType. If it is omitted`	111	`# Here are some examples of the usage of nsCertType. If it is omitted`
111	`# the certificate can be used for anything except object signing.`	112	`# the certificate can be used for anything except object signing.`
112		113
113	`# This is OK for an SSL server.`	114	`# This is OK for an SSL server.`
114	`# nsCertType = nsCertType`	115	`# nsCertType = nsCertType`
115	`# For normal client use this is typical`	116	`# For normal client use this is typical`
116	`# nsCertType = client, email`	117	`# nsCertType = client, email`
117	`nsCertType = server`	118	`nsCertType = server`
118		119
119	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`	120	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
120		121
121	`# This will be displayed in Netscape's comment listbox.`	122	`# This will be displayed in Netscape's comment listbox.`
122	`nsComment = "OpenSSL Generated Certificate"`	123	`nsComment = "OpenSSL Generated Certificate"`
123		124
124	`# PKIX recommendations harmless if included in all certificates.`	125	`# PKIX recommendations harmless if included in all certificates.`
125	`subjectKeyIdentifier=hash`	126	`subjectKeyIdentifier=hash`
126	`authorityKeyIdentifier=keyid,issuer:always`	127	`authorityKeyIdentifier=keyid,issuer:always`
127		128
128	`# This stuff is for subjectAltName and issuerAltname.`	129	`# This stuff is for subjectAltName and issuerAltname.`
129	`# Import the email address.`	130	`# Import the email address.`
130	`subjectAltName=email:copy`	131	`subjectAltName=email:copy`
131		132
132	`# Copy subject details`	133	`# Copy subject details`
133	`issuerAltName=issuer:copy`	134	`issuerAltName=issuer:copy`
134		135
135	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`	136	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`
136	`#nsBaseUrl`	137	`#nsBaseUrl`
137	`#nsRevocationUrl`	138	`#nsRevocationUrl`
138	`#nsRenewalUrl`	139	`#nsRenewalUrl`
139	`#nsCaPolicyUrl`	140	`#nsCaPolicyUrl`
140	`#nsSslServerName`	141	`#nsSslServerName`
141		142
142	`[ v3_ca ]`	143	`[ v3_ca ]`
143	`# PKIX recommendation.`	144	`# PKIX recommendation.`
144	`subjectKeyIdentifier=hash`	145	`subjectKeyIdentifier=hash`
145	`authorityKeyIdentifier=keyid:always,issuer:always`	146	`authorityKeyIdentifier=keyid:always,issuer:always`
146		147
147	`# This is what PKIX recommends but some broken software chokes on critical`	148	`# This is what PKIX recommends but some broken software chokes on critical`
148	`# extensions.`	149	`# extensions.`
149	`basicConstraints = critical,CA:true`	150	`basicConstraints = critical,CA:true`
150	`# So we do this instead.`	151	`# So we do this instead.`
151	`#basicConstraints = CA:true`	152	`#basicConstraints = CA:true`
152		153
153	`# Key usage: this is typical for a CA certificate. However since it will`	154	`# Key usage: this is typical for a CA certificate. However since it will`
154	`# prevent it being used as an test self-signed certificate it is best`	155	`# prevent it being used as an test self-signed certificate it is best`
155	`# left out by default.`	156	`# left out by default.`
156	`keyUsage = cRLSign, keyCertSign`	157	`keyUsage = cRLSign, keyCertSign`
157	`nsCertType = sslCA`	158	`nsCertType = sslCA`
158	`EOF`	159	`EOF`
159		160
160	hostname=`hostname`	161	hostname=`hostname`
161	`if [ -z "$hostname" ];`	162	`if [ -z "$hostname" ];`
162	`then`	163	`then`
163	`echo "Impossible de déterminer le nom d'hôte !!!"`	164	`echo "Impossible de déterminer le nom d'hôte !!!"`
164	`exit 1`	165	`exit 1`
165	`fi`	166	`fi`
166		167
167	`# The value for organizationalUnitName must be 64 chars or less;`	168	`# The value for organizationalUnitName must be 64 chars or less;`
168	`# thus, hostname must be 36 chars or less. If it's too big,`	169	`# thus, hostname must be 36 chars or less. If it's too big,`
169	`# try removing domain (merci REXY ;-) ).`	170	`# try removing domain (merci REXY ;-) ).`
170	hostname_len=`echo $hostname\| wc -c`	171	hostname_len=`echo $hostname\| wc -c`
171	`if [ $hostname_len -gt 36 ];`	172	`if [ $hostname_len -gt 36 ];`
172	`then`	173	`then`
173	hostname=`echo $hostname \| cut -d '.' -f 1`	174	hostname=`echo $hostname \| cut -d '.' -f 1`
174	`fi`	175	`fi`
175		176
176	`CAMAIL=ca@$hostname`	177	`CAMAIL=ca@$hostname`
177	`SRVMAIL=apache@$hostname`	178	`SRVMAIL=apache@$hostname`
178		179
179	`echo 01 > $DIR_TMP/serial`	180	`echo 01 > $DIR_TMP/serial`
180	`touch $DIR_TMP/index.txt`	181	`touch $DIR_TMP/index.txt`
181		182
182	`# CA key`	183	`# CA key`
183	`rm -f $CAKEY`	184	`rm -f $CAKEY`
184	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`	185	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`
185	`openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log`	186	`openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log`
186		187
187	`# CA certificate`	188	`# CA certificate`
188	`rm -f $CACERT`	189	`rm -f $CACERT`
189	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`	190	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`
190	`echo "$COUNTRY`	191	`echo "$COUNTRY`
191	`$PROVINCE`	192	`$PROVINCE`
192	`$LOCATION`	193	`$LOCATION`
193	`$ORGANIZATION`	194	`$ORGANIZATION`
194	`Certification Authority for $hostname`	195	`Certification Authority for $hostname`
195	`ALCASAR-local-CA`	196	`ALCASAR-local-CA`
196	`$CAMAIL" \|`	197	`$CAMAIL" \|`
197	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`	198	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`
198		199
199	`# Server key`	200	`# Server key`
200	`rm -f $SRVKEY`	201	`rm -f $SRVKEY`
201	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`	202	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`
202	`openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log`	203	`openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log`
203		204
204	`# Server certificate "request"`	205	`# Server certificate "request"`
205	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`	206	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`
206	`echo "$COUNTRY`	207	`echo "$COUNTRY`
207	`$PROVINCE`	208	`$PROVINCE`
208	`$LOCATION`	209	`$LOCATION`
209	`$ORGANIZATION`	210	`$ORGANIZATION`
210	`Server certificate for $hostname`	211	`Server certificate for $hostname`
211	`$hostname`	212	`$hostname`
212	`$SRVMAIL" \|`	213	`$SRVMAIL" \|`
213	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`	214	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`
214		215
215	`# Sign the server certificate "request" to create server certificate`	216	`# Sign the server certificate "request" to create server certificate`
216	`rm -f $SRVCERT`	217	`rm -f $SRVCERT`
217	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`	218	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`
218	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`	219	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`
219	`rm -f $SRVREQ`	220	`rm -f $SRVREQ`
220	`cp -f $SRVCERT $SRVCHAIN # in order to simplify the official intranet certificate import process`	221	`cp -f $SRVCERT $SRVCHAIN # in order to simplify the official intranet certificate import process`
-		222	`cat $SRVKEY $SRVCERT > $SRVPEM`
221	`chmod a+r $CACERT $SRVCERT $SRVCHAIN`	223	`chmod a+r $CACERT $SRVCERT $SRVCHAIN`
222		224
223	`# Link certs in ALCASAR Control Center`	225	`# Link certs in ALCASAR Control Center`
224	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`	226	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`
225	`then`	227	`then`
226	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`	228	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`
227	`rm -f $DIR_WEB/certs/*`	229	`rm -f $DIR_WEB/certs/*`
228	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`	230	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`
229	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`	231	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`
230	`rm -rf $DIR_TMP`	232	`rm -rf $DIR_TMP`
231	`exit 0`	233	`exit 0`
232	`else`	234	`else`
233	`echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM`	235	`echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM`
234	`exit 1`	236	`exit 1`
235	`fi`	237	`fi`
236		238

Subversion Repositories ALCASAR

(root)/scripts/alcasar-CA.sh – Rev 2454 → 2488