Subversion Repositories ALCASAR

Rev

Rev 2813 | Rev 2922 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
675 richard 1
#!/bin/sh
64 franck 2
# $Id: alcasar-CA.sh 2814 2020-04-27 22:02:20Z rexy $
3
 
1 root 4
# alcasar-CA.sh
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
6
# This script is distributed under the Gnu General Public License (GPL)
675 richard 7
#
2454 tom.houday 8
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
675 richard 9
# and Michel Arboi <arboi@alussinan.org>
10
#
1 root 11
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
12
DIR_PKI=/etc/pki
13
DIR_CERT=$DIR_PKI/tls
14
DIR_WEB=/var/www/html
15
CACERT=$DIR_PKI/CA/alcasar-ca.crt
16
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
675 richard 17
SRVREQ=$DIR_CERT/alcasar.req
18
SRVKEY=$DIR_CERT/private/alcasar.key
1 root 19
SRVCERT=$DIR_CERT/certs/alcasar.crt
2488 lucas.echa 20
SRVPEM=$DIR_CERT/private/alcasar.pem
2813 rexy 21
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
1 root 22
 
23
CACERT_LIFETIME="1460"
24
SRVCERT_LIFETIME="1460"
25
COUNTRY="FR"
26
PROVINCE="none"
27
LOCATION="Paris"
5 franck 28
ORGANIZATION="ALCASAR-Team"
1 root 29
 
30
mkdir $DIR_TMP || exit 1
2801 rexy 31
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
1 root 32
# dynamic conf file for openssl
33
cat <<EOF >$DIR_TMP/ssl.conf
34
RANDFILE		= $HOME/.rnd
35
#
36
[ ca ]
37
default_ca = AlcasarCA
38
 
39
[ AlcasarCA ]
40
dir		= $DIR_TMP		# Where everything is kept
41
certs		= \$dir			# Where the issued certs are kept
42
crl_dir		= \$dir			# Where the issued crl are kept
43
database	= \$dir/index.txt	# database index file.
44
new_certs_dir	= \$dir			# default place for new certs.
45
 
46
certificate	= $CACERT	 	# The CA certificate
47
serial		= \$dir/serial 		# The current serial number
48
crl		= \$dir/crl.pem 	# The current CRL
49
private_key	= $CAKEY		# The private key
50
 
51
x509_extensions	= usr_cert		# The extentions to add to the cert
52
crl_extensions	= crl_ext
53
 
54
default_days	= 365			# how long to certify for
55
default_crl_days= 30			# how long before next CRL
1702 richard 56
default_md	= sha256		# which message digest to use.
1 root 57
preserve	= no			# keep passed DN ordering
58
 
59
policy		= policy_anything
60
 
61
[ policy_anything ]
62
countryName             = optional
63
stateOrProvinceName     = optional
64
localityName            = optional
65
organizationName        = optional
66
organizationalUnitName  = optional
67
commonName              = supplied
68
emailAddress            = optional
69
 
70
[ req ]
1702 richard 71
default_bits		= 2048
1 root 72
distinguished_name	= req_distinguished_name
73
# attributes		= req_attributes
74
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
75
 
76
[ req_distinguished_name ]
77
countryName			= Country Name (2 letter code)
78
countryName_default		= FR
79
countryName_min			= 2
80
countryName_max			= 2
81
 
82
stateOrProvinceName		= State or Province Name (full name)
83
stateOrProvinceName_default	= Some-State
84
 
85
localityName			= Locality Name (eg, city)
86
localityName_default		= Lyon
87
 
88
0.organizationName		= Organization Name (eg, company)
89
0.organizationName_default	= your organization name
90
 
91
# we can do this but it is not needed normally :-)
92
#1.organizationName		= Second Organization Name (eg, company)
93
#1.organizationName_default	= World Wide Web Pty Ltd
94
 
95
organizationalUnitName		= Organizational Unit Name (eg, section)
96
#organizationalUnitName_default	=
97
 
98
commonName			= Common Name (eg, your name or your server\'s hostname)
99
commonName_max			= 255
100
 
101
emailAddress			= Email Address
102
emailAddress_max		= 255
103
 
104
# SET-ex3			= SET extension number 3
105
 
106
[ usr_cert ]
107
# These extensions are added when 'ca' signs a request.
108
# This goes against PKIX guidelines but some CAs do it and some software
109
# requires this to avoid interpreting an end user certificate as a CA.
110
#basicConstraints=CA:FALSE
111
 
112
# Here are some examples of the usage of nsCertType. If it is omitted
113
# the certificate can be used for anything *except* object signing.
114
 
115
# This is OK for an SSL server.
116
# nsCertType			= nsCertType
117
# For normal client use this is typical
118
# nsCertType = client, email
119
nsCertType			= server
120
 
121
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
122
 
123
# This will be displayed in Netscape's comment listbox.
124
nsComment			= "OpenSSL Generated Certificate"
125
 
126
# PKIX recommendations harmless if included in all certificates.
127
subjectKeyIdentifier=hash
128
authorityKeyIdentifier=keyid,issuer:always
129
 
130
# This stuff is for subjectAltName and issuerAltname.
131
# Import the email address.
132
subjectAltName=email:copy
133
 
134
# Copy subject details
135
issuerAltName=issuer:copy
136
 
137
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
138
#nsBaseUrl
139
#nsRevocationUrl
140
#nsRenewalUrl
141
#nsCaPolicyUrl
142
#nsSslServerName
143
 
144
[ v3_ca ]
145
# PKIX recommendation.
146
subjectKeyIdentifier=hash
147
authorityKeyIdentifier=keyid:always,issuer:always
148
 
149
# This is what PKIX recommends but some broken software chokes on critical
150
# extensions.
151
basicConstraints = critical,CA:true
152
# So we do this instead.
153
#basicConstraints = CA:true
154
 
155
# Key usage: this is typical for a CA certificate. However since it will
156
# prevent it being used as an test self-signed certificate it is best
157
# left out by default.
158
keyUsage = cRLSign, keyCertSign
159
nsCertType = sslCA
160
EOF
161
 
162
hostname=`hostname`
163
if [ -z "$hostname" ];
164
then
165
 echo "Impossible de déterminer le nom d'hôte !!!"
166
 exit 1
167
fi
168
 
169
# The value for organizationalUnitName must be 64 chars or less;
170
#   thus, hostname must be 36 chars or less. If it's too big,
171
#   try removing domain (merci REXY ;-) ).
172
hostname_len=`echo $hostname| wc -c`
173
if [ $hostname_len -gt 36 ];
174
then
2454 tom.houday 175
	hostname=`echo $hostname | cut -d '.' -f 1`
1 root 176
fi
177
 
2814 rexy 178
CAMAIL=
179
SRVMAIL=
1 root 180
 
181
echo 01 > $DIR_TMP/serial
182
touch $DIR_TMP/index.txt
183
 
5 franck 184
# CA key
185
rm -f $CAKEY
186
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
1705 richard 187
openssl genrsa -out $CAKEY  2048 2>> $DIR_TMP/openssl-log
5 franck 188
 
189
# CA certificate
190
rm -f $CACERT
191
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
192
echo "$COUNTRY
1 root 193
$PROVINCE
194
$LOCATION
195
$ORGANIZATION
196
Certification Authority for $hostname
2737 rexy 197
$hostname-local-CA
1705 richard 198
$CAMAIL" | 
199
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
5 franck 200
 
1 root 201
# Server key
202
rm -f $SRVKEY	
203
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
1705 richard 204
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
1 root 205
 
206
# Server certificate "request"
207
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
208
echo "$COUNTRY
209
$PROVINCE
210
$LOCATION
211
$ORGANIZATION
212
Server certificate for $hostname
503 richard 213
$hostname
1 root 214
$SRVMAIL" | 
215
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
216
 
217
# Sign the server certificate "request" to create server certificate
218
rm -f $SRVCERT
219
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
220
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
221
rm -f $SRVREQ
2554 lucas.echa 222
 
223
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
2703 tom.houday 224
cp -f $CACERT $SRVCHAIN
2554 lucas.echa 225
 
2775 rexy 226
# Limit rights
227
chown -R root:root $SRVKEY $CAKEY
228
chmod -R 0600 $SRVKEY $CAKEY
1 root 229
 
675 richard 230
# Link certs in ALCASAR Control Center
1 root 231
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
2293 tom.houday 232
	then
233
	[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
234
	rm -f $DIR_WEB/certs/*
235
	ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
236
	ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
237
	rm -rf $DIR_TMP
238
	exit 0
1 root 239
else
2758 rexy 240
	echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)" 
2293 tom.houday 241
	exit 1
1 root 242
fi