WebSVN – ALCASAR – Diff – /scripts/alcasar-CA.sh


#!/bin/sh
# $Id: alcasar-CA.sh 2814 2020-04-27 22:02:20Z rexy $
 
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
# and Michel Arboi <arboi@alussinan.org>
#
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
DIR_WEB=/var/www/html
CACERT=$DIR_PKI/CA/alcasar-ca.crt
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
SRVREQ=$DIR_CERT/alcasar.req
SRVKEY=$DIR_CERT/private/alcasar.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVPEM=$DIR_CERT/private/alcasar.pem
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
 
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
COUNTRY="FR"
PROVINCE="none"
LOCATION="Paris"
ORGANIZATION="ALCASAR-Team"
 
mkdir $DIR_TMP || exit 1
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
# dynamic conf file for openssl
cat <<EOF >$DIR_TMP/ssl.conf
RANDFILE		= $HOME/.rnd
#
[ ca ]
default_ca = AlcasarCA
 
[ AlcasarCA ]
dir		= $DIR_TMP		# Where everything is kept
certs		= \$dir			# Where the issued certs are kept
crl_dir		= \$dir			# Where the issued crl are kept
database	= \$dir/index.txt	# database index file.
new_certs_dir	= \$dir			# default place for new certs.
 
certificate	= $CACERT	 	# The CA certificate
serial		= \$dir/serial 		# The current serial number
crl		= \$dir/crl.pem 	# The current CRL
private_key	= $CAKEY		# The private key
 
x509_extensions	= usr_cert		# The extentions to add to the cert
crl_extensions	= crl_ext
 
default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# which message digest to use.
preserve	= no			# keep passed DN ordering
 
policy		= policy_anything
 
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ req ]
default_bits		= 2048
distinguished_name	= req_distinguished_name
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= FR
countryName_min			= 2
countryName_max			= 2
 
stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State
 
localityName			= Locality Name (eg, city)
localityName_default		= Lyon
 
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= your organization name
 
# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd
 
organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
 
commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 255
 
emailAddress			= Email Address
emailAddress_max		= 255
 
# SET-ex3			= SET extension number 3
 
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType			= nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType			= server
 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
 
# Copy subject details
issuerAltName=issuer:copy
 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF
 
hostname=`hostname`
if [ -z "$hostname" ];
then
 echo "Impossible de déterminer le nom d'hôte !!!"
 exit 1
fi
 
# The value for organizationalUnitName must be 64 chars or less;
#   thus, hostname must be 36 chars or less. If it's too big,
#   try removing domain (merci REXY ;-) ).
hostname_len=`echo $hostname| wc -c`
if [ $hostname_len -gt 36 ];
then
	hostname=`echo $hostname | cut -d '.' -f 1`
fi
 
CAMAIL=
SRVMAIL=
 
echo 01 > $DIR_TMP/serial
touch $DIR_TMP/index.txt
 
# CA key
rm -f $CAKEY
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
openssl genrsa -out $CAKEY  2048 2>> $DIR_TMP/openssl-log
 
# CA certificate
rm -f $CACERT
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Certification Authority for $hostname
$hostname-local-CA
$CAMAIL" | 
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
 
# Server key
rm -f $SRVKEY	
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
 
# Server certificate "request"
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Server certificate for $hostname
$hostname
$SRVMAIL" | 
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
 
# Sign the server certificate "request" to create server certificate
rm -f $SRVCERT
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
rm -f $SRVREQ
 
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
cp -f $CACERT $SRVCHAIN
 
# Limit rights
chown -R root:root $SRVKEY $CAKEY
chmod -R 0600 $SRVKEY $CAKEY
 
# Link certs in ALCASAR Control Center
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
	then
	[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
	rm -f $DIR_WEB/certs/*
	ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
	ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
	rm -rf $DIR_TMP
	exit 0
else
	echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)" 
	exit 1
fi
 

Rev 2813	Rev 2814
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: alcasar-CA.sh 2813 2020-04-26 21:26:32Z rexy $`	2	`# $Id: alcasar-CA.sh 2814 2020-04-27 22:02:20Z rexy $`
3		3
4	`# alcasar-CA.sh`	4	`# alcasar-CA.sh`
5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`	5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`#`	7	`#`
8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`	8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`
9	`# and Michel Arboi <arboi@alussinan.org>`	9	`# and Michel Arboi <arboi@alussinan.org>`
10	`#`	10	`#`
11	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`	11	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`
12	`DIR_PKI=/etc/pki`	12	`DIR_PKI=/etc/pki`
13	`DIR_CERT=$DIR_PKI/tls`	13	`DIR_CERT=$DIR_PKI/tls`
14	`DIR_WEB=/var/www/html`	14	`DIR_WEB=/var/www/html`
15	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`	15	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`
16	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`	16	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`
17	`SRVREQ=$DIR_CERT/alcasar.req`	17	`SRVREQ=$DIR_CERT/alcasar.req`
18	`SRVKEY=$DIR_CERT/private/alcasar.key`	18	`SRVKEY=$DIR_CERT/private/alcasar.key`
19	`SRVCERT=$DIR_CERT/certs/alcasar.crt`	19	`SRVCERT=$DIR_CERT/certs/alcasar.crt`
20	`SRVPEM=$DIR_CERT/private/alcasar.pem`	20	`SRVPEM=$DIR_CERT/private/alcasar.pem`
21	`SRVCHAIN=$DIR_CERT/certs/server-chain.pem`	21	`SRVCHAIN=$DIR_CERT/certs/server-chain.pem`
22		22
23	`CACERT_LIFETIME="1460"`	23	`CACERT_LIFETIME="1460"`
24	`SRVCERT_LIFETIME="1460"`	24	`SRVCERT_LIFETIME="1460"`
25	`COUNTRY="FR"`	25	`COUNTRY="FR"`
26	`PROVINCE="none"`	26	`PROVINCE="none"`
27	`LOCATION="Paris"`	27	`LOCATION="Paris"`
28	`ORGANIZATION="ALCASAR-Team"`	28	`ORGANIZATION="ALCASAR-Team"`
29		29
30	`mkdir $DIR_TMP \|\| exit 1`	30	`mkdir $DIR_TMP \|\| exit 1`
31	`[ -d $DIR_PKI/CA/private ] \|\| mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA`	31	`[ -d $DIR_PKI/CA/private ] \|\| mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA`
32	`# dynamic conf file for openssl`	32	`# dynamic conf file for openssl`
33	`cat <<EOF >$DIR_TMP/ssl.conf`	33	`cat <<EOF >$DIR_TMP/ssl.conf`
34	`RANDFILE = $HOME/.rnd`	34	`RANDFILE = $HOME/.rnd`
35	`#`	35	`#`
36	`[ ca ]`	36	`[ ca ]`
37	`default_ca = AlcasarCA`	37	`default_ca = AlcasarCA`
38		38
39	`[ AlcasarCA ]`	39	`[ AlcasarCA ]`
40	`dir = $DIR_TMP # Where everything is kept`	40	`dir = $DIR_TMP # Where everything is kept`
41	`certs = \$dir # Where the issued certs are kept`	41	`certs = \$dir # Where the issued certs are kept`
42	`crl_dir = \$dir # Where the issued crl are kept`	42	`crl_dir = \$dir # Where the issued crl are kept`
43	`database = \$dir/index.txt # database index file.`	43	`database = \$dir/index.txt # database index file.`
44	`new_certs_dir = \$dir # default place for new certs.`	44	`new_certs_dir = \$dir # default place for new certs.`
45		45
46	`certificate = $CACERT # The CA certificate`	46	`certificate = $CACERT # The CA certificate`
47	`serial = \$dir/serial # The current serial number`	47	`serial = \$dir/serial # The current serial number`
48	`crl = \$dir/crl.pem # The current CRL`	48	`crl = \$dir/crl.pem # The current CRL`
49	`private_key = $CAKEY # The private key`	49	`private_key = $CAKEY # The private key`
50		50
51	`x509_extensions = usr_cert # The extentions to add to the cert`	51	`x509_extensions = usr_cert # The extentions to add to the cert`
52	`crl_extensions = crl_ext`	52	`crl_extensions = crl_ext`
53		53
54	`default_days = 365 # how long to certify for`	54	`default_days = 365 # how long to certify for`
55	`default_crl_days= 30 # how long before next CRL`	55	`default_crl_days= 30 # how long before next CRL`
56	`default_md = sha256 # which message digest to use.`	56	`default_md = sha256 # which message digest to use.`
57	`preserve = no # keep passed DN ordering`	57	`preserve = no # keep passed DN ordering`
58		58
59	`policy = policy_anything`	59	`policy = policy_anything`
60		60
61	`[ policy_anything ]`	61	`[ policy_anything ]`
62	`countryName = optional`	62	`countryName = optional`
63	`stateOrProvinceName = optional`	63	`stateOrProvinceName = optional`
64	`localityName = optional`	64	`localityName = optional`
65	`organizationName = optional`	65	`organizationName = optional`
66	`organizationalUnitName = optional`	66	`organizationalUnitName = optional`
67	`commonName = supplied`	67	`commonName = supplied`
68	`emailAddress = optional`	68	`emailAddress = optional`
69		69
70	`[ req ]`	70	`[ req ]`
71	`default_bits = 2048`	71	`default_bits = 2048`
72	`distinguished_name = req_distinguished_name`	72	`distinguished_name = req_distinguished_name`
73	`# attributes = req_attributes`	73	`# attributes = req_attributes`
74	`x509_extensions = v3_ca # The extentions to add to the self signed cert`	74	`x509_extensions = v3_ca # The extentions to add to the self signed cert`
75		75
76	`[ req_distinguished_name ]`	76	`[ req_distinguished_name ]`
77	`countryName = Country Name (2 letter code)`	77	`countryName = Country Name (2 letter code)`
78	`countryName_default = FR`	78	`countryName_default = FR`
79	`countryName_min = 2`	79	`countryName_min = 2`
80	`countryName_max = 2`	80	`countryName_max = 2`
81		81
82	`stateOrProvinceName = State or Province Name (full name)`	82	`stateOrProvinceName = State or Province Name (full name)`
83	`stateOrProvinceName_default = Some-State`	83	`stateOrProvinceName_default = Some-State`
84		84
85	`localityName = Locality Name (eg, city)`	85	`localityName = Locality Name (eg, city)`
86	`localityName_default = Lyon`	86	`localityName_default = Lyon`
87		87
88	`0.organizationName = Organization Name (eg, company)`	88	`0.organizationName = Organization Name (eg, company)`
89	`0.organizationName_default = your organization name`	89	`0.organizationName_default = your organization name`
90		90
91	`# we can do this but it is not needed normally :-)`	91	`# we can do this but it is not needed normally :-)`
92	`#1.organizationName = Second Organization Name (eg, company)`	92	`#1.organizationName = Second Organization Name (eg, company)`
93	`#1.organizationName_default = World Wide Web Pty Ltd`	93	`#1.organizationName_default = World Wide Web Pty Ltd`
94		94
95	`organizationalUnitName = Organizational Unit Name (eg, section)`	95	`organizationalUnitName = Organizational Unit Name (eg, section)`
96	`#organizationalUnitName_default =`	96	`#organizationalUnitName_default =`
97		97
98	`commonName = Common Name (eg, your name or your server\'s hostname)`	98	`commonName = Common Name (eg, your name or your server\'s hostname)`
99	`commonName_max = 255`	99	`commonName_max = 255`
100		100
101	`emailAddress = Email Address`	101	`emailAddress = Email Address`
102	`emailAddress_max = 255`	102	`emailAddress_max = 255`
103		103
104	`# SET-ex3 = SET extension number 3`	104	`# SET-ex3 = SET extension number 3`
105		105
106	`[ usr_cert ]`	106	`[ usr_cert ]`
107	`# These extensions are added when 'ca' signs a request.`	107	`# These extensions are added when 'ca' signs a request.`
108	`# This goes against PKIX guidelines but some CAs do it and some software`	108	`# This goes against PKIX guidelines but some CAs do it and some software`
109	`# requires this to avoid interpreting an end user certificate as a CA.`	109	`# requires this to avoid interpreting an end user certificate as a CA.`
110	`#basicConstraints=CA:FALSE`	110	`#basicConstraints=CA:FALSE`
111		111
112	`# Here are some examples of the usage of nsCertType. If it is omitted`	112	`# Here are some examples of the usage of nsCertType. If it is omitted`
113	`# the certificate can be used for anything except object signing.`	113	`# the certificate can be used for anything except object signing.`
114		114
115	`# This is OK for an SSL server.`	115	`# This is OK for an SSL server.`
116	`# nsCertType = nsCertType`	116	`# nsCertType = nsCertType`
117	`# For normal client use this is typical`	117	`# For normal client use this is typical`
118	`# nsCertType = client, email`	118	`# nsCertType = client, email`
119	`nsCertType = server`	119	`nsCertType = server`
120		120
121	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`	121	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
122		122
123	`# This will be displayed in Netscape's comment listbox.`	123	`# This will be displayed in Netscape's comment listbox.`
124	`nsComment = "OpenSSL Generated Certificate"`	124	`nsComment = "OpenSSL Generated Certificate"`
125		125
126	`# PKIX recommendations harmless if included in all certificates.`	126	`# PKIX recommendations harmless if included in all certificates.`
127	`subjectKeyIdentifier=hash`	127	`subjectKeyIdentifier=hash`
128	`authorityKeyIdentifier=keyid,issuer:always`	128	`authorityKeyIdentifier=keyid,issuer:always`
129		129
130	`# This stuff is for subjectAltName and issuerAltname.`	130	`# This stuff is for subjectAltName and issuerAltname.`
131	`# Import the email address.`	131	`# Import the email address.`
132	`subjectAltName=email:copy`	132	`subjectAltName=email:copy`
133		133
134	`# Copy subject details`	134	`# Copy subject details`
135	`issuerAltName=issuer:copy`	135	`issuerAltName=issuer:copy`
136		136
137	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`	137	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`
138	`#nsBaseUrl`	138	`#nsBaseUrl`
139	`#nsRevocationUrl`	139	`#nsRevocationUrl`
140	`#nsRenewalUrl`	140	`#nsRenewalUrl`
141	`#nsCaPolicyUrl`	141	`#nsCaPolicyUrl`
142	`#nsSslServerName`	142	`#nsSslServerName`
143		143
144	`[ v3_ca ]`	144	`[ v3_ca ]`
145	`# PKIX recommendation.`	145	`# PKIX recommendation.`
146	`subjectKeyIdentifier=hash`	146	`subjectKeyIdentifier=hash`
147	`authorityKeyIdentifier=keyid:always,issuer:always`	147	`authorityKeyIdentifier=keyid:always,issuer:always`
148		148
149	`# This is what PKIX recommends but some broken software chokes on critical`	149	`# This is what PKIX recommends but some broken software chokes on critical`
150	`# extensions.`	150	`# extensions.`
151	`basicConstraints = critical,CA:true`	151	`basicConstraints = critical,CA:true`
152	`# So we do this instead.`	152	`# So we do this instead.`
153	`#basicConstraints = CA:true`	153	`#basicConstraints = CA:true`
154		154
155	`# Key usage: this is typical for a CA certificate. However since it will`	155	`# Key usage: this is typical for a CA certificate. However since it will`
156	`# prevent it being used as an test self-signed certificate it is best`	156	`# prevent it being used as an test self-signed certificate it is best`
157	`# left out by default.`	157	`# left out by default.`
158	`keyUsage = cRLSign, keyCertSign`	158	`keyUsage = cRLSign, keyCertSign`
159	`nsCertType = sslCA`	159	`nsCertType = sslCA`
160	`EOF`	160	`EOF`
161		161
162	hostname=`hostname`	162	hostname=`hostname`
163	`if [ -z "$hostname" ];`	163	`if [ -z "$hostname" ];`
164	`then`	164	`then`
165	`echo "Impossible de déterminer le nom d'hôte !!!"`	165	`echo "Impossible de déterminer le nom d'hôte !!!"`
166	`exit 1`	166	`exit 1`
167	`fi`	167	`fi`
168		168
169	`# The value for organizationalUnitName must be 64 chars or less;`	169	`# The value for organizationalUnitName must be 64 chars or less;`
170	`# thus, hostname must be 36 chars or less. If it's too big,`	170	`# thus, hostname must be 36 chars or less. If it's too big,`
171	`# try removing domain (merci REXY ;-) ).`	171	`# try removing domain (merci REXY ;-) ).`
172	hostname_len=`echo $hostname\| wc -c`	172	hostname_len=`echo $hostname\| wc -c`
173	`if [ $hostname_len -gt 36 ];`	173	`if [ $hostname_len -gt 36 ];`
174	`then`	174	`then`
175	hostname=`echo $hostname \| cut -d '.' -f 1`	175	hostname=`echo $hostname \| cut -d '.' -f 1`
176	`fi`	176	`fi`
177		177
178	`CAMAIL=ca@$hostname`	178	`CAMAIL=`
179	`SRVMAIL=apache@$hostname`	179	`SRVMAIL=`
180		180
181	`echo 01 > $DIR_TMP/serial`	181	`echo 01 > $DIR_TMP/serial`
182	`touch $DIR_TMP/index.txt`	182	`touch $DIR_TMP/index.txt`
183		183
184	`# CA key`	184	`# CA key`
185	`rm -f $CAKEY`	185	`rm -f $CAKEY`
186	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`	186	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`
187	`openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log`	187	`openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log`
188		188
189	`# CA certificate`	189	`# CA certificate`
190	`rm -f $CACERT`	190	`rm -f $CACERT`
191	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`	191	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`
192	`echo "$COUNTRY`	192	`echo "$COUNTRY`
193	`$PROVINCE`	193	`$PROVINCE`
194	`$LOCATION`	194	`$LOCATION`
195	`$ORGANIZATION`	195	`$ORGANIZATION`
196	`Certification Authority for $hostname`	196	`Certification Authority for $hostname`
197	`$hostname-local-CA`	197	`$hostname-local-CA`
198	`$CAMAIL" \|`	198	`$CAMAIL" \|`
199	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`	199	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`
200		200
201	`# Server key`	201	`# Server key`
202	`rm -f $SRVKEY`	202	`rm -f $SRVKEY`
203	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`	203	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`
204	`openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log`	204	`openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log`
205		205
206	`# Server certificate "request"`	206	`# Server certificate "request"`
207	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`	207	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`
208	`echo "$COUNTRY`	208	`echo "$COUNTRY`
209	`$PROVINCE`	209	`$PROVINCE`
210	`$LOCATION`	210	`$LOCATION`
211	`$ORGANIZATION`	211	`$ORGANIZATION`
212	`Server certificate for $hostname`	212	`Server certificate for $hostname`
213	`$hostname`	213	`$hostname`
214	`$SRVMAIL" \|`	214	`$SRVMAIL" \|`
215	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`	215	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`
216		216
217	`# Sign the server certificate "request" to create server certificate`	217	`# Sign the server certificate "request" to create server certificate`
218	`rm -f $SRVCERT`	218	`rm -f $SRVCERT`
219	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`	219	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`
220	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`	220	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`
221	`rm -f $SRVREQ`	221	`rm -f $SRVREQ`
222		222
223	`(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM`	223	`(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM`
224	`cp -f $CACERT $SRVCHAIN`	224	`cp -f $CACERT $SRVCHAIN`
225		225
226	`# Limit rights`	226	`# Limit rights`
227	`chown -R root:root $SRVKEY $CAKEY`	227	`chown -R root:root $SRVKEY $CAKEY`
228	`chmod -R 0600 $SRVKEY $CAKEY`	228	`chmod -R 0600 $SRVKEY $CAKEY`
229		229
230	`# Link certs in ALCASAR Control Center`	230	`# Link certs in ALCASAR Control Center`
231	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`	231	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`
232	`then`	232	`then`
233	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`	233	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`
234	`rm -f $DIR_WEB/certs/*`	234	`rm -f $DIR_WEB/certs/*`
235	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`	235	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`
236	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`	236	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`
237	`rm -rf $DIR_TMP`	237	`rm -rf $DIR_TMP`
238	`exit 0`	238	`exit 0`
239	`else`	239	`else`
240	`echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"`	240	`echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"`
241	`exit 1`	241	`exit 1`
242	`fi`	242	`fi`
243		243

Subversion Repositories ALCASAR

(root)/scripts/alcasar-CA.sh – Rev 2813 → 2814