WebSVN – ALCASAR – Diff – /scripts/alcasar-CA.sh


#!/bin/sh
# $Id: alcasar-CA.sh 632 2011-06-12 17:48:40Z richard $
 
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> 
# and Michel Arboi <arboi@alussinan.org>
#
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
DIR_WEB=/var/www/html
CACERT=$DIR_PKI/CA/alcasar-ca.crt
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVKEY=$DIR_CERT/private/alcasar.key
SRVREQ=$DIR_CERT/alcasar.req
 
 
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
COUNTRY="FR"
PROVINCE="none"
LOCATION="Paris"
ORGANIZATION="ALCASAR-Team"
 
mkdir $DIR_TMP || exit 1
# dynamic conf file for openssl
cat <<EOF >$DIR_TMP/ssl.conf
RANDFILE		= $HOME/.rnd
#
[ ca ]
default_ca = AlcasarCA
 
[ AlcasarCA ]
dir		= $DIR_TMP		# Where everything is kept
certs		= \$dir			# Where the issued certs are kept
crl_dir		= \$dir			# Where the issued crl are kept
database	= \$dir/index.txt	# database index file.
new_certs_dir	= \$dir			# default place for new certs.
 
certificate	= $CACERT	 	# The CA certificate
serial		= \$dir/serial 		# The current serial number
crl		= \$dir/crl.pem 	# The current CRL
private_key	= $CAKEY		# The private key
 
x509_extensions	= usr_cert		# The extentions to add to the cert
crl_extensions	= crl_ext
 
default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= md5			# which md to use.
preserve	= no			# keep passed DN ordering
 
policy		= policy_anything
 
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ req ]
default_bits		= 1024
distinguished_name	= req_distinguished_name
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= FR
countryName_min			= 2
countryName_max			= 2
 
stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State
 
localityName			= Locality Name (eg, city)
localityName_default		= Lyon
 
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= your organization name
 
# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd
 
organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
 
commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 255
 
emailAddress			= Email Address
emailAddress_max		= 255
 
# SET-ex3			= SET extension number 3
 
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType			= nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType			= server
 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
 
# Copy subject details
issuerAltName=issuer:copy
 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF
 
hostname=`hostname`
if [ -z "$hostname" ];
then
 echo "Impossible de déterminer le nom d'hôte !!!"
 exit 1
fi
 
# The value for organizationalUnitName must be 64 chars or less;
#   thus, hostname must be 36 chars or less. If it's too big,
#   try removing domain (merci REXY ;-) ).
hostname_len=`echo $hostname| wc -c`
if [ $hostname_len -gt 36 ];
then
  hostname=`echo $hostname | cut -d '.' -f 1`
fi
 
CAMAIL=ca@$hostname
SRVMAIL=apache@$hostname
 
echo 01 > $DIR_TMP/serial
touch $DIR_TMP/index.txt
 
# CA key
rm -f $CAKEY
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
openssl genrsa -out $CAKEY  1024 2>> $DIR_TMP/openssl-log
 
# CA certificate
rm -f $CACERT
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Certification Authority for $hostname
ALCASAR-local-CA
$CAMAIL" |
	openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
 
# Server key
rm -f $SRVKEY	
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log
 
# Server certificate "request"
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Server certificate for $hostname
$hostname
$SRVMAIL" | 
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
 
# Sign the server certificate "request" to create server certificate
rm -f $SRVCERT
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
rm -f $SRVREQ
chmod a+r $CACERT $SRVCERT 
 
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
 then
 
 
 
 
 
 
 [ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
 rm -f $DIR_WEB/certs/*
 ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
 ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
 rm -rf $DIR_TMP
 exit 0
else
 echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
 exit 1
fi
 

Rev 519	Rev 632
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: alcasar-CA.sh 519 2011-03-25 16:30:32Z stephane $`	2	`# $Id: alcasar-CA.sh 632 2011-06-12 17:48:40Z richard $`
3		3
4	`# alcasar-CA.sh`	4	`# alcasar-CA.sh`
5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`	5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`#`	7	`#`
8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`	8	`# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>`
9	`# and Michel Arboi <arboi@alussinan.org>`	9	`# and Michel Arboi <arboi@alussinan.org>`
10	`#`	10	`#`
11	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`	11	`DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$`
12	`DIR_PKI=/etc/pki`	12	`DIR_PKI=/etc/pki`
13	`DIR_CERT=$DIR_PKI/tls`	13	`DIR_CERT=$DIR_PKI/tls`
14	`DIR_WEB=/var/www/html`	14	`DIR_WEB=/var/www/html`
15	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`	15	`CACERT=$DIR_PKI/CA/alcasar-ca.crt`
16	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`	16	`CAKEY=$DIR_PKI/CA/private/alcasar-ca.key`
17	`SRVCERT=$DIR_CERT/certs/alcasar.crt`	17	`SRVCERT=$DIR_CERT/certs/alcasar.crt`
18	`SRVKEY=$DIR_CERT/private/alcasar.key`	18	`SRVKEY=$DIR_CERT/private/alcasar.key`
19	`SRVREQ=$DIR_CERT/alcasar.req`	19	`SRVREQ=$DIR_CERT/alcasar.req`
20	`FIC_PARAM="/root/ALCASAR-parameters.txt"`	-
21		20
22	`CACERT_LIFETIME="1460"`	21	`CACERT_LIFETIME="1460"`
23	`SRVCERT_LIFETIME="1460"`	22	`SRVCERT_LIFETIME="1460"`
24	`COUNTRY="FR"`	23	`COUNTRY="FR"`
25	`PROVINCE="none"`	24	`PROVINCE="none"`
26	`LOCATION="Paris"`	25	`LOCATION="Paris"`
27	`ORGANIZATION="ALCASAR-Team"`	26	`ORGANIZATION="ALCASAR-Team"`
28		27
29	`mkdir $DIR_TMP \|\| exit 1`	28	`mkdir $DIR_TMP \|\| exit 1`
30	`# dynamic conf file for openssl`	29	`# dynamic conf file for openssl`
31	`cat <<EOF >$DIR_TMP/ssl.conf`	30	`cat <<EOF >$DIR_TMP/ssl.conf`
32	`RANDFILE = $HOME/.rnd`	31	`RANDFILE = $HOME/.rnd`
33	`#`	32	`#`
34	`[ ca ]`	33	`[ ca ]`
35	`default_ca = AlcasarCA`	34	`default_ca = AlcasarCA`
36		35
37	`[ AlcasarCA ]`	36	`[ AlcasarCA ]`
38	`dir = $DIR_TMP # Where everything is kept`	37	`dir = $DIR_TMP # Where everything is kept`
39	`certs = \$dir # Where the issued certs are kept`	38	`certs = \$dir # Where the issued certs are kept`
40	`crl_dir = \$dir # Where the issued crl are kept`	39	`crl_dir = \$dir # Where the issued crl are kept`
41	`database = \$dir/index.txt # database index file.`	40	`database = \$dir/index.txt # database index file.`
42	`new_certs_dir = \$dir # default place for new certs.`	41	`new_certs_dir = \$dir # default place for new certs.`
43		42
44	`certificate = $CACERT # The CA certificate`	43	`certificate = $CACERT # The CA certificate`
45	`serial = \$dir/serial # The current serial number`	44	`serial = \$dir/serial # The current serial number`
46	`crl = \$dir/crl.pem # The current CRL`	45	`crl = \$dir/crl.pem # The current CRL`
47	`private_key = $CAKEY # The private key`	46	`private_key = $CAKEY # The private key`
48		47
49	`x509_extensions = usr_cert # The extentions to add to the cert`	48	`x509_extensions = usr_cert # The extentions to add to the cert`
50	`crl_extensions = crl_ext`	49	`crl_extensions = crl_ext`
51		50
52	`default_days = 365 # how long to certify for`	51	`default_days = 365 # how long to certify for`
53	`default_crl_days= 30 # how long before next CRL`	52	`default_crl_days= 30 # how long before next CRL`
54	`default_md = md5 # which md to use.`	53	`default_md = md5 # which md to use.`
55	`preserve = no # keep passed DN ordering`	54	`preserve = no # keep passed DN ordering`
56		55
57	`policy = policy_anything`	56	`policy = policy_anything`
58		57
59	`[ policy_anything ]`	58	`[ policy_anything ]`
60	`countryName = optional`	59	`countryName = optional`
61	`stateOrProvinceName = optional`	60	`stateOrProvinceName = optional`
62	`localityName = optional`	61	`localityName = optional`
63	`organizationName = optional`	62	`organizationName = optional`
64	`organizationalUnitName = optional`	63	`organizationalUnitName = optional`
65	`commonName = supplied`	64	`commonName = supplied`
66	`emailAddress = optional`	65	`emailAddress = optional`
67		66
68	`[ req ]`	67	`[ req ]`
69	`default_bits = 1024`	68	`default_bits = 1024`
70	`distinguished_name = req_distinguished_name`	69	`distinguished_name = req_distinguished_name`
71	`# attributes = req_attributes`	70	`# attributes = req_attributes`
72	`x509_extensions = v3_ca # The extentions to add to the self signed cert`	71	`x509_extensions = v3_ca # The extentions to add to the self signed cert`
73		72
74	`[ req_distinguished_name ]`	73	`[ req_distinguished_name ]`
75	`countryName = Country Name (2 letter code)`	74	`countryName = Country Name (2 letter code)`
76	`countryName_default = FR`	75	`countryName_default = FR`
77	`countryName_min = 2`	76	`countryName_min = 2`
78	`countryName_max = 2`	77	`countryName_max = 2`
79		78
80	`stateOrProvinceName = State or Province Name (full name)`	79	`stateOrProvinceName = State or Province Name (full name)`
81	`stateOrProvinceName_default = Some-State`	80	`stateOrProvinceName_default = Some-State`
82		81
83	`localityName = Locality Name (eg, city)`	82	`localityName = Locality Name (eg, city)`
84	`localityName_default = Lyon`	83	`localityName_default = Lyon`
85		84
86	`0.organizationName = Organization Name (eg, company)`	85	`0.organizationName = Organization Name (eg, company)`
87	`0.organizationName_default = your organization name`	86	`0.organizationName_default = your organization name`
88		87
89	`# we can do this but it is not needed normally :-)`	88	`# we can do this but it is not needed normally :-)`
90	`#1.organizationName = Second Organization Name (eg, company)`	89	`#1.organizationName = Second Organization Name (eg, company)`
91	`#1.organizationName_default = World Wide Web Pty Ltd`	90	`#1.organizationName_default = World Wide Web Pty Ltd`
92		91
93	`organizationalUnitName = Organizational Unit Name (eg, section)`	92	`organizationalUnitName = Organizational Unit Name (eg, section)`
94	`#organizationalUnitName_default =`	93	`#organizationalUnitName_default =`
95		94
96	`commonName = Common Name (eg, your name or your server\'s hostname)`	95	`commonName = Common Name (eg, your name or your server\'s hostname)`
97	`commonName_max = 255`	96	`commonName_max = 255`
98		97
99	`emailAddress = Email Address`	98	`emailAddress = Email Address`
100	`emailAddress_max = 255`	99	`emailAddress_max = 255`
101		100
102	`# SET-ex3 = SET extension number 3`	101	`# SET-ex3 = SET extension number 3`
103		102
104	`[ usr_cert ]`	103	`[ usr_cert ]`
105	`# These extensions are added when 'ca' signs a request.`	104	`# These extensions are added when 'ca' signs a request.`
106	`# This goes against PKIX guidelines but some CAs do it and some software`	105	`# This goes against PKIX guidelines but some CAs do it and some software`
107	`# requires this to avoid interpreting an end user certificate as a CA.`	106	`# requires this to avoid interpreting an end user certificate as a CA.`
108	`#basicConstraints=CA:FALSE`	107	`#basicConstraints=CA:FALSE`
109		108
110	`# Here are some examples of the usage of nsCertType. If it is omitted`	109	`# Here are some examples of the usage of nsCertType. If it is omitted`
111	`# the certificate can be used for anything except object signing.`	110	`# the certificate can be used for anything except object signing.`
112		111
113	`# This is OK for an SSL server.`	112	`# This is OK for an SSL server.`
114	`# nsCertType = nsCertType`	113	`# nsCertType = nsCertType`
115	`# For normal client use this is typical`	114	`# For normal client use this is typical`
116	`# nsCertType = client, email`	115	`# nsCertType = client, email`
117	`nsCertType = server`	116	`nsCertType = server`
118		117
119	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`	118	`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
120		119
121	`# This will be displayed in Netscape's comment listbox.`	120	`# This will be displayed in Netscape's comment listbox.`
122	`nsComment = "OpenSSL Generated Certificate"`	121	`nsComment = "OpenSSL Generated Certificate"`
123		122
124	`# PKIX recommendations harmless if included in all certificates.`	123	`# PKIX recommendations harmless if included in all certificates.`
125	`subjectKeyIdentifier=hash`	124	`subjectKeyIdentifier=hash`
126	`authorityKeyIdentifier=keyid,issuer:always`	125	`authorityKeyIdentifier=keyid,issuer:always`
127		126
128	`# This stuff is for subjectAltName and issuerAltname.`	127	`# This stuff is for subjectAltName and issuerAltname.`
129	`# Import the email address.`	128	`# Import the email address.`
130	`subjectAltName=email:copy`	129	`subjectAltName=email:copy`
131		130
132	`# Copy subject details`	131	`# Copy subject details`
133	`issuerAltName=issuer:copy`	132	`issuerAltName=issuer:copy`
134		133
135	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`	134	`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`
136	`#nsBaseUrl`	135	`#nsBaseUrl`
137	`#nsRevocationUrl`	136	`#nsRevocationUrl`
138	`#nsRenewalUrl`	137	`#nsRenewalUrl`
139	`#nsCaPolicyUrl`	138	`#nsCaPolicyUrl`
140	`#nsSslServerName`	139	`#nsSslServerName`
141		140
142	`[ v3_ca ]`	141	`[ v3_ca ]`
143	`# PKIX recommendation.`	142	`# PKIX recommendation.`
144	`subjectKeyIdentifier=hash`	143	`subjectKeyIdentifier=hash`
145	`authorityKeyIdentifier=keyid:always,issuer:always`	144	`authorityKeyIdentifier=keyid:always,issuer:always`
146		145
147	`# This is what PKIX recommends but some broken software chokes on critical`	146	`# This is what PKIX recommends but some broken software chokes on critical`
148	`# extensions.`	147	`# extensions.`
149	`basicConstraints = critical,CA:true`	148	`basicConstraints = critical,CA:true`
150	`# So we do this instead.`	149	`# So we do this instead.`
151	`#basicConstraints = CA:true`	150	`#basicConstraints = CA:true`
152		151
153	`# Key usage: this is typical for a CA certificate. However since it will`	152	`# Key usage: this is typical for a CA certificate. However since it will`
154	`# prevent it being used as an test self-signed certificate it is best`	153	`# prevent it being used as an test self-signed certificate it is best`
155	`# left out by default.`	154	`# left out by default.`
156	`keyUsage = cRLSign, keyCertSign`	155	`keyUsage = cRLSign, keyCertSign`
157	`nsCertType = sslCA`	156	`nsCertType = sslCA`
158	`EOF`	157	`EOF`
159		158
160	hostname=`hostname`	159	hostname=`hostname`
161	`if [ -z "$hostname" ];`	160	`if [ -z "$hostname" ];`
162	`then`	161	`then`
163	`echo "Impossible de déterminer le nom d'hôte !!!"`	162	`echo "Impossible de déterminer le nom d'hôte !!!"`
164	`exit 1`	163	`exit 1`
165	`fi`	164	`fi`
166		165
167	`# The value for organizationalUnitName must be 64 chars or less;`	166	`# The value for organizationalUnitName must be 64 chars or less;`
168	`# thus, hostname must be 36 chars or less. If it's too big,`	167	`# thus, hostname must be 36 chars or less. If it's too big,`
169	`# try removing domain (merci REXY ;-) ).`	168	`# try removing domain (merci REXY ;-) ).`
170	hostname_len=`echo $hostname\| wc -c`	169	hostname_len=`echo $hostname\| wc -c`
171	`if [ $hostname_len -gt 36 ];`	170	`if [ $hostname_len -gt 36 ];`
172	`then`	171	`then`
173	hostname=`echo $hostname \| cut -d '.' -f 1`	172	hostname=`echo $hostname \| cut -d '.' -f 1`
174	`fi`	173	`fi`
175		174
176	`CAMAIL=ca@$hostname`	175	`CAMAIL=ca@$hostname`
177	`SRVMAIL=apache@$hostname`	176	`SRVMAIL=apache@$hostname`
178		177
179	`echo 01 > $DIR_TMP/serial`	178	`echo 01 > $DIR_TMP/serial`
180	`touch $DIR_TMP/index.txt`	179	`touch $DIR_TMP/index.txt`
181		180
182	`# CA key`	181	`# CA key`
183	`rm -f $CAKEY`	182	`rm -f $CAKEY`
184	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`	183	`echo "*******CAKEY*******" > $DIR_TMP/openssl-log`
185	`openssl genrsa -out $CAKEY 1024 2>> $DIR_TMP/openssl-log`	184	`openssl genrsa -out $CAKEY 1024 2>> $DIR_TMP/openssl-log`
186		185
187	`# CA certificate`	186	`# CA certificate`
188	`rm -f $CACERT`	187	`rm -f $CACERT`
189	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`	188	`echo "*******CACERT*******" >> $DIR_TMP/openssl-log`
190	`echo "$COUNTRY`	189	`echo "$COUNTRY`
191	`$PROVINCE`	190	`$PROVINCE`
192	`$LOCATION`	191	`$LOCATION`
193	`$ORGANIZATION`	192	`$ORGANIZATION`
194	`Certification Authority for $hostname`	193	`Certification Authority for $hostname`
195	`ALCASAR-local-CA`	194	`ALCASAR-local-CA`
196	`$CAMAIL" \|`	195	`$CAMAIL" \|`
197	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`	196	`openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log`
198		197
199	`# Server key`	198	`# Server key`
200	`rm -f $SRVKEY`	199	`rm -f $SRVKEY`
201	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`	200	`echo "*******SRVKEY*******" >> $DIR_TMP/openssl-log`
202	`openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log`	201	`openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log`
203		202
204	`# Server certificate "request"`	203	`# Server certificate "request"`
205	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`	204	`echo "*******SRVRQST*******" >> $DIR_TMP/openssl-log`
206	`echo "$COUNTRY`	205	`echo "$COUNTRY`
207	`$PROVINCE`	206	`$PROVINCE`
208	`$LOCATION`	207	`$LOCATION`
209	`$ORGANIZATION`	208	`$ORGANIZATION`
210	`Server certificate for $hostname`	209	`Server certificate for $hostname`
211	`$hostname`	210	`$hostname`
212	`$SRVMAIL" \|`	211	`$SRVMAIL" \|`
213	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`	212	`openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log`
214		213
215	`# Sign the server certificate "request" to create server certificate`	214	`# Sign the server certificate "request" to create server certificate`
216	`rm -f $SRVCERT`	215	`rm -f $SRVCERT`
217	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`	216	`echo "*******SRVCERT*******" >> $DIR_TMP/openssl-log`
218	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`	217	`openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log`
219	`rm -f $SRVREQ`	218	`rm -f $SRVREQ`
220	`chmod a+r $CACERT $SRVCERT`	219	`chmod a+r $CACERT $SRVCERT`
221		220
222	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`	221	`if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];`
223	`then`	222	`then`
224	`echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM`	-
225	`echo " Certificat = $CACERT" >> $FIC_PARAM`	-
226	`echo " Clée privée = $CAKEY" >> $FIC_PARAM`	-
227	`echo "- Certificat du serveur : " >> $FIC_PARAM`	-
228	`echo " Certificat = $SRVCERT" >> $FIC_PARAM`	-
229	`echo " Clée privée = $SRVKEY" >> $FIC_PARAM`	-
230	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`	223	`[ -d $DIR_WEB/certs ] \|\| mkdir -p $DIR_WEB/certs`
231	`rm -f $DIR_WEB/certs/*`	224	`rm -f $DIR_WEB/certs/*`
232	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`	225	`ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt`
233	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`	226	`ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt`
234	`rm -rf $DIR_TMP`	227	`rm -rf $DIR_TMP`
235	`exit 0`	228	`exit 0`
236	`else`	229	`else`
237	`echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM`	230	`echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM`
238	`exit 1`	231	`exit 1`
239	`fi`	232	`fi`
240		233

Subversion Repositories ALCASAR

(root)/scripts/alcasar-CA.sh – Rev 519 → 632