675 |
richard |
1 |
#!/bin/sh
|
64 |
franck |
2 |
# $Id: alcasar-CA.sh 2922 2021-02-22 22:48:39Z rexy $
|
|
|
3 |
|
1 |
root |
4 |
# alcasar-CA.sh
|
|
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
|
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
675 |
richard |
7 |
#
|
2454 |
tom.houday |
8 |
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
|
675 |
richard |
9 |
# and Michel Arboi <arboi@alussinan.org>
|
|
|
10 |
#
|
1 |
root |
11 |
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
|
|
|
12 |
DIR_PKI=/etc/pki
|
|
|
13 |
DIR_CERT=$DIR_PKI/tls
|
|
|
14 |
DIR_WEB=/var/www/html
|
|
|
15 |
CACERT=$DIR_PKI/CA/alcasar-ca.crt
|
|
|
16 |
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
|
675 |
richard |
17 |
SRVREQ=$DIR_CERT/alcasar.req
|
|
|
18 |
SRVKEY=$DIR_CERT/private/alcasar.key
|
1 |
root |
19 |
SRVCERT=$DIR_CERT/certs/alcasar.crt
|
2488 |
lucas.echa |
20 |
SRVPEM=$DIR_CERT/private/alcasar.pem
|
2813 |
rexy |
21 |
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
|
2922 |
rexy |
22 |
CONF_FILE="/usr/local/ets/alcasar.conf"
|
|
|
23 |
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
|
|
|
24 |
DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
|
|
|
25 |
DOMAIN=${DOMAIN:=localdomain}
|
1 |
root |
26 |
|
|
|
27 |
CACERT_LIFETIME="1460"
|
|
|
28 |
SRVCERT_LIFETIME="1460"
|
|
|
29 |
COUNTRY="FR"
|
|
|
30 |
PROVINCE="none"
|
|
|
31 |
LOCATION="Paris"
|
5 |
franck |
32 |
ORGANIZATION="ALCASAR-Team"
|
1 |
root |
33 |
|
|
|
34 |
mkdir $DIR_TMP || exit 1
|
2801 |
rexy |
35 |
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
|
1 |
root |
36 |
# dynamic conf file for openssl
|
|
|
37 |
cat <<EOF >$DIR_TMP/ssl.conf
|
|
|
38 |
RANDFILE = $HOME/.rnd
|
|
|
39 |
#
|
|
|
40 |
[ ca ]
|
|
|
41 |
default_ca = AlcasarCA
|
|
|
42 |
|
|
|
43 |
[ AlcasarCA ]
|
2922 |
rexy |
44 |
dir = $DIR_TMP # Where everything is kept
|
|
|
45 |
certs = \$dir # Where the issued certs are kept
|
|
|
46 |
crl_dir = \$dir # Where the issued crl are kept
|
|
|
47 |
database = \$dir/index.txt # database index file.
|
|
|
48 |
new_certs_dir = \$dir # default place for new certs.
|
|
|
49 |
certificate = $CACERT # The CA certificate
|
|
|
50 |
serial = \$dir/serial # The current serial number
|
|
|
51 |
crl = \$dir/crl.pem # The current CRL
|
|
|
52 |
private_key = $CAKEY # The private key
|
|
|
53 |
x509_extensions = usr_cert # The extentions to add to the cert
|
|
|
54 |
crl_extensions = crl_ext
|
|
|
55 |
default_days = 365 # how long to certify for
|
|
|
56 |
default_crl_days = 30 # how long before next CRL
|
|
|
57 |
default_md = sha256 # which message digest to use.
|
|
|
58 |
preserve = no # keep passed DN ordering
|
|
|
59 |
policy = policy_anything
|
1 |
root |
60 |
|
|
|
61 |
[ policy_anything ]
|
|
|
62 |
countryName = optional
|
|
|
63 |
stateOrProvinceName = optional
|
|
|
64 |
localityName = optional
|
|
|
65 |
organizationName = optional
|
|
|
66 |
organizationalUnitName = optional
|
|
|
67 |
commonName = supplied
|
|
|
68 |
emailAddress = optional
|
|
|
69 |
|
|
|
70 |
[ req ]
|
1702 |
richard |
71 |
default_bits = 2048
|
1 |
root |
72 |
distinguished_name = req_distinguished_name
|
|
|
73 |
# attributes = req_attributes
|
|
|
74 |
|
|
|
75 |
[ req_distinguished_name ]
|
2922 |
rexy |
76 |
countryName = Country Name (2 letter code)
|
|
|
77 |
countryName_default = FR
|
|
|
78 |
countryName_min = 2
|
|
|
79 |
countryName_max = 2
|
1 |
root |
80 |
|
2922 |
rexy |
81 |
stateOrProvinceName = State or Province Name (full name)
|
|
|
82 |
stateOrProvinceName_default = Some-State
|
1 |
root |
83 |
|
2922 |
rexy |
84 |
localityName = Locality Name (eg, city)
|
|
|
85 |
localityName_default = Paris
|
1 |
root |
86 |
|
2922 |
rexy |
87 |
0.organizationName = Organization Name (eg, company)
|
|
|
88 |
0.organizationName_default = your organization name
|
1 |
root |
89 |
|
|
|
90 |
# we can do this but it is not needed normally :-)
|
2922 |
rexy |
91 |
#1.organizationName = Second Organization Name (eg, company)
|
|
|
92 |
#1.organizationName_default = World Wide Web Pty Ltd
|
1 |
root |
93 |
|
2922 |
rexy |
94 |
organizationalUnitName = Organizational Unit Name (eg, section)
|
|
|
95 |
#organizationalUnitName_default =
|
1 |
root |
96 |
|
2922 |
rexy |
97 |
commonName = Common Name (eg, your name or your server\'s hostname)
|
|
|
98 |
commonName_max = 255
|
|
|
99 |
emailAddress = Email Address
|
|
|
100 |
emailAddress_max = 255
|
1 |
root |
101 |
|
|
|
102 |
[ usr_cert ]
|
|
|
103 |
# These extensions are added when 'ca' signs a request.
|
|
|
104 |
# This goes against PKIX guidelines but some CAs do it and some software
|
|
|
105 |
# requires this to avoid interpreting an end user certificate as a CA.
|
2922 |
rexy |
106 |
basicConstraints=CA:FALSE
|
|
|
107 |
nsCertType = server
|
|
|
108 |
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
|
|
|
109 |
subjectKeyIdentifier = hash
|
|
|
110 |
authorityKeyIdentifier = keyid,issuer
|
1 |
root |
111 |
|
|
|
112 |
# This stuff is for subjectAltName and issuerAltname.
|
2922 |
rexy |
113 |
subjectAltName = @alt_names
|
1 |
root |
114 |
# Copy subject details
|
2922 |
rexy |
115 |
issuerAltName = issuer:copy
|
1 |
root |
116 |
|
2922 |
rexy |
117 |
[alt_names]
|
|
|
118 |
DNS.1 = $HOSTNAME.$DOMAIN
|
1 |
root |
119 |
|
|
|
120 |
EOF
|
|
|
121 |
|
|
|
122 |
# The value for organizationalUnitName must be 64 chars or less;
|
|
|
123 |
# thus, hostname must be 36 chars or less. If it's too big,
|
|
|
124 |
# try removing domain (merci REXY ;-) ).
|
2922 |
rexy |
125 |
hostname_len=`echo $HOSTNAME| wc -c`
|
1 |
root |
126 |
if [ $hostname_len -gt 36 ];
|
|
|
127 |
then
|
2922 |
rexy |
128 |
HOSTNAME=`echo $HOSTNAME | cut -d '.' -f 1`
|
1 |
root |
129 |
fi
|
|
|
130 |
|
2814 |
rexy |
131 |
CAMAIL=
|
|
|
132 |
SRVMAIL=
|
1 |
root |
133 |
|
|
|
134 |
echo 01 > $DIR_TMP/serial
|
|
|
135 |
touch $DIR_TMP/index.txt
|
|
|
136 |
|
5 |
franck |
137 |
# CA key
|
|
|
138 |
rm -f $CAKEY
|
|
|
139 |
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
|
1705 |
richard |
140 |
openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log
|
5 |
franck |
141 |
|
|
|
142 |
# CA certificate
|
|
|
143 |
rm -f $CACERT
|
|
|
144 |
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
|
|
|
145 |
echo "$COUNTRY
|
1 |
root |
146 |
$PROVINCE
|
|
|
147 |
$LOCATION
|
|
|
148 |
$ORGANIZATION
|
2922 |
rexy |
149 |
Certification Authority for $HOSTNAME.$DOMAIN
|
|
|
150 |
$HOSTNAME-local-CA
|
1705 |
richard |
151 |
$CAMAIL" |
|
|
|
152 |
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
|
5 |
franck |
153 |
|
1 |
root |
154 |
# Server key
|
|
|
155 |
rm -f $SRVKEY
|
|
|
156 |
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
|
1705 |
richard |
157 |
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
|
1 |
root |
158 |
|
|
|
159 |
# Server certificate "request"
|
|
|
160 |
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
|
|
|
161 |
echo "$COUNTRY
|
|
|
162 |
$PROVINCE
|
|
|
163 |
$LOCATION
|
|
|
164 |
$ORGANIZATION
|
2922 |
rexy |
165 |
Server certificate for $HOSTNAME.$DOMAIN
|
|
|
166 |
$HOSTNAME.$DOMAIN
|
1 |
root |
167 |
$SRVMAIL" |
|
|
|
168 |
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
|
|
|
169 |
|
|
|
170 |
# Sign the server certificate "request" to create server certificate
|
|
|
171 |
rm -f $SRVCERT
|
|
|
172 |
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
|
2922 |
rexy |
173 |
openssl ca -config $DIR_TMP/ssl.conf -name $HOSTNAME-local-CA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
|
1 |
root |
174 |
rm -f $SRVREQ
|
2554 |
lucas.echa |
175 |
|
|
|
176 |
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
|
2703 |
tom.houday |
177 |
cp -f $CACERT $SRVCHAIN
|
2554 |
lucas.echa |
178 |
|
2775 |
rexy |
179 |
# Limit rights
|
|
|
180 |
chown -R root:root $SRVKEY $CAKEY
|
|
|
181 |
chmod -R 0600 $SRVKEY $CAKEY
|
1 |
root |
182 |
|
675 |
richard |
183 |
# Link certs in ALCASAR Control Center
|
1 |
root |
184 |
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
|
2293 |
tom.houday |
185 |
then
|
|
|
186 |
[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
|
|
|
187 |
rm -f $DIR_WEB/certs/*
|
|
|
188 |
ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
|
|
|
189 |
ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
|
|
|
190 |
rm -rf $DIR_TMP
|
|
|
191 |
exit 0
|
1 |
root |
192 |
else
|
2758 |
rexy |
193 |
echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"
|
2293 |
tom.houday |
194 |
exit 1
|
1 |
root |
195 |
fi
|