675 |
richard |
1 |
#!/bin/sh
|
64 |
franck |
2 |
# $Id: alcasar-CA.sh 2924 2021-02-23 21:42:48Z rexy $
|
|
|
3 |
|
1 |
root |
4 |
# alcasar-CA.sh
|
2924 |
rexy |
5 |
# by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
1 |
root |
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
675 |
richard |
7 |
#
|
2454 |
tom.houday |
8 |
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
|
675 |
richard |
9 |
# and Michel Arboi <arboi@alussinan.org>
|
|
|
10 |
#
|
1 |
root |
11 |
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
|
|
|
12 |
DIR_PKI=/etc/pki
|
|
|
13 |
DIR_CERT=$DIR_PKI/tls
|
|
|
14 |
DIR_WEB=/var/www/html
|
|
|
15 |
CACERT=$DIR_PKI/CA/alcasar-ca.crt
|
|
|
16 |
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
|
675 |
richard |
17 |
SRVREQ=$DIR_CERT/alcasar.req
|
|
|
18 |
SRVKEY=$DIR_CERT/private/alcasar.key
|
1 |
root |
19 |
SRVCERT=$DIR_CERT/certs/alcasar.crt
|
2488 |
lucas.echa |
20 |
SRVPEM=$DIR_CERT/private/alcasar.pem
|
2813 |
rexy |
21 |
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
|
2924 |
rexy |
22 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
|
|
23 |
hostname=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
|
|
|
24 |
domain=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
|
|
|
25 |
domain=${domain:=localdomain}
|
|
|
26 |
fqdn_hostname="$hostname.$domain"
|
|
|
27 |
# The value for organizationalUnitName must be 64 chars or less;
|
|
|
28 |
# thus, hostname must be 36 chars or less. If it's too big,
|
|
|
29 |
# try removing domain (merci REXY ;-) ).
|
|
|
30 |
hostname_len=`echo $fqdn_hostname| wc -c`
|
|
|
31 |
if [ $hostname_len -gt 36 ];
|
|
|
32 |
then
|
|
|
33 |
fqdn_hostname=$hostname
|
|
|
34 |
fi
|
|
|
35 |
private_ip=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
|
1 |
root |
36 |
|
|
|
37 |
CACERT_LIFETIME="1460"
|
|
|
38 |
SRVCERT_LIFETIME="1460"
|
|
|
39 |
COUNTRY="FR"
|
|
|
40 |
PROVINCE="none"
|
|
|
41 |
LOCATION="Paris"
|
5 |
franck |
42 |
ORGANIZATION="ALCASAR-Team"
|
1 |
root |
43 |
|
|
|
44 |
mkdir $DIR_TMP || exit 1
|
2801 |
rexy |
45 |
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
|
1 |
root |
46 |
# dynamic conf file for openssl
|
|
|
47 |
cat <<EOF >$DIR_TMP/ssl.conf
|
|
|
48 |
RANDFILE = $HOME/.rnd
|
|
|
49 |
#
|
2924 |
rexy |
50 |
[ca]
|
1 |
root |
51 |
default_ca = AlcasarCA
|
|
|
52 |
|
2924 |
rexy |
53 |
[AlcasarCA]
|
|
|
54 |
dir = $DIR_TMP # Where everything is kept
|
|
|
55 |
certs = \$dir # Where the issued certs are kept
|
|
|
56 |
crl_dir = \$dir # Where the issued crl are kept
|
|
|
57 |
database = \$dir/index.txt # database index file.
|
|
|
58 |
new_certs_dir = \$dir # default place for new certs.
|
|
|
59 |
certificate = $CACERT # The CA certificate
|
|
|
60 |
serial = \$dir/serial # The current serial number
|
|
|
61 |
crl = \$dir/crl.pem # The current CRL
|
|
|
62 |
private_key = $CAKEY # The private key
|
|
|
63 |
x509_extensions = usr_cert # The extentions to add to the cert
|
|
|
64 |
crl_extensions = crl_ext
|
|
|
65 |
default_days = 365 # how long to certify for
|
|
|
66 |
default_crl_days= 30 # how long before next CRL
|
|
|
67 |
default_md = sha256 # which message digest to use.
|
|
|
68 |
preserve = no # keep passed DN ordering
|
|
|
69 |
policy = policy_anything
|
1 |
root |
70 |
|
2924 |
rexy |
71 |
[policy_anything]
|
1 |
root |
72 |
countryName = optional
|
|
|
73 |
stateOrProvinceName = optional
|
|
|
74 |
localityName = optional
|
|
|
75 |
organizationName = optional
|
|
|
76 |
organizationalUnitName = optional
|
|
|
77 |
commonName = supplied
|
|
|
78 |
emailAddress = optional
|
|
|
79 |
|
2924 |
rexy |
80 |
[req]
|
1702 |
richard |
81 |
default_bits = 2048
|
1 |
root |
82 |
distinguished_name = req_distinguished_name
|
|
|
83 |
# attributes = req_attributes
|
2924 |
rexy |
84 |
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
1 |
root |
85 |
|
2924 |
rexy |
86 |
[ v3_ca ]
|
|
|
87 |
subjectKeyIdentifier = hash
|
|
|
88 |
authorityKeyIdentifier = keyid:always,issuer:always
|
|
|
89 |
basicConstraints = critical,CA:true
|
|
|
90 |
keyUsage = cRLSign, keyCertSign
|
|
|
91 |
nsCertType = sslCA
|
1 |
root |
92 |
|
2924 |
rexy |
93 |
[req_distinguished_name]
|
|
|
94 |
countryName = Country Name (2 letter code)
|
|
|
95 |
countryName_default = FR
|
|
|
96 |
countryName_min = 2
|
|
|
97 |
countryName_max = 2
|
|
|
98 |
stateOrProvinceName = State or Province Name (full name)
|
|
|
99 |
stateOrProvinceName_default = Some-State
|
|
|
100 |
localityName = Locality Name (eg, city)
|
|
|
101 |
localityName_default = Lyon
|
|
|
102 |
0.organizationName = Organization Name (eg, company)
|
|
|
103 |
0.organizationName_default = your organization name
|
|
|
104 |
organizationalUnitName = Organizational Unit Name (eg, section)
|
|
|
105 |
commonName = Common Name (eg, your name or your server\'s hostname)
|
|
|
106 |
commonName_max = 255
|
|
|
107 |
emailAddress = Email Address
|
|
|
108 |
emailAddress_max = 255
|
1 |
root |
109 |
|
2924 |
rexy |
110 |
[usr_cert]
|
|
|
111 |
nsCertType = server
|
|
|
112 |
subjectKeyIdentifier = hash
|
|
|
113 |
authorityKeyIdentifier = keyid,issuer
|
|
|
114 |
basicConstraints = CA:FALSE
|
|
|
115 |
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
|
|
|
116 |
issuerAltName = issuer:copy
|
|
|
117 |
subjectAltName = @alt_names
|
1 |
root |
118 |
|
2922 |
rexy |
119 |
[alt_names]
|
2924 |
rexy |
120 |
DNS.1 = $fqdn_hostname
|
|
|
121 |
IP.1 = $private_ip
|
1 |
root |
122 |
EOF
|
|
|
123 |
|
2814 |
rexy |
124 |
CAMAIL=
|
|
|
125 |
SRVMAIL=
|
1 |
root |
126 |
echo 01 > $DIR_TMP/serial
|
|
|
127 |
touch $DIR_TMP/index.txt
|
|
|
128 |
|
5 |
franck |
129 |
# CA key
|
|
|
130 |
rm -f $CAKEY
|
|
|
131 |
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
|
2924 |
rexy |
132 |
openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log
|
5 |
franck |
133 |
|
|
|
134 |
# CA certificate
|
|
|
135 |
rm -f $CACERT
|
2924 |
rexy |
136 |
echo >> $DIR_TMP/openssl-log
|
5 |
franck |
137 |
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
|
|
|
138 |
echo "$COUNTRY
|
1 |
root |
139 |
$PROVINCE
|
|
|
140 |
$LOCATION
|
|
|
141 |
$ORGANIZATION
|
2924 |
rexy |
142 |
Certification Authority for $fqdn_hostname
|
|
|
143 |
$fqdn_hostname-local-CA
|
1705 |
richard |
144 |
$CAMAIL" |
|
|
|
145 |
openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
|
5 |
franck |
146 |
|
1 |
root |
147 |
# Server key
|
|
|
148 |
rm -f $SRVKEY
|
2924 |
rexy |
149 |
echo >> $DIR_TMP/openssl-log
|
1 |
root |
150 |
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
|
1705 |
richard |
151 |
openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
|
1 |
root |
152 |
|
|
|
153 |
# Server certificate "request"
|
2924 |
rexy |
154 |
echo >> $DIR_TMP/openssl-log
|
1 |
root |
155 |
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
|
|
|
156 |
echo "$COUNTRY
|
|
|
157 |
$PROVINCE
|
|
|
158 |
$LOCATION
|
|
|
159 |
$ORGANIZATION
|
2924 |
rexy |
160 |
Server certificate for $fqdn_hostname
|
|
|
161 |
$fqdn_hostname
|
1 |
root |
162 |
$SRVMAIL" |
|
|
|
163 |
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
|
|
|
164 |
|
|
|
165 |
# Sign the server certificate "request" to create server certificate
|
|
|
166 |
rm -f $SRVCERT
|
2924 |
rexy |
167 |
echo >> $DIR_TMP/openssl-log
|
1 |
root |
168 |
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
|
2924 |
rexy |
169 |
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
|
1 |
root |
170 |
rm -f $SRVREQ
|
2554 |
lucas.echa |
171 |
|
|
|
172 |
(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
|
2703 |
tom.houday |
173 |
cp -f $CACERT $SRVCHAIN
|
2554 |
lucas.echa |
174 |
|
2775 |
rexy |
175 |
# Limit rights
|
|
|
176 |
chown -R root:root $SRVKEY $CAKEY
|
|
|
177 |
chmod -R 0600 $SRVKEY $CAKEY
|
1 |
root |
178 |
|
675 |
richard |
179 |
# Link certs in ALCASAR Control Center
|
1 |
root |
180 |
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
|
2293 |
tom.houday |
181 |
then
|
|
|
182 |
[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
|
|
|
183 |
rm -f $DIR_WEB/certs/*
|
|
|
184 |
ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
|
|
|
185 |
ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
|
|
|
186 |
rm -rf $DIR_TMP
|
|
|
187 |
exit 0
|
1 |
root |
188 |
else
|
2758 |
rexy |
189 |
echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"
|
2293 |
tom.houday |
190 |
exit 1
|
1 |
root |
191 |
fi
|