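#!/bin/bash
# $Id: alcasar-CA.sh 672 2011-07-08 15:34:22Z richard $

# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)

# Création de la PKI et des certificats ALCASAR - Plusieurs idées ont été récupéées dans le script "nessus-mkcert" de Renaud Deraison et Michel Arboi
# Creation of the ALCASAR PKI and certificates - Some ideas are from "nessus-mkcert" script written by Renaud Deraison et Michel Arboi
#
# Produces (fixed paths, see the constants below):
#   - a self-signed CA certificate and its private key under $DIR_PKI/CA
#   - a server certificate signed by that CA and its private key under $DIR_CERT
#   - symlinks to the two public *certificates* (never the keys) under $DIR_WEB/certs
# Environment:
#   TMPDIR    - optional parent of the scratch directory (default /tmp)
#   FIC_PARAM - optional file the failure message is appended to (stderr when unset)
# Exit status: 0 when all four files were produced, 1 otherwise. On failure the
# scratch directory is kept so that its openssl-log can be inspected.

set -u

readonly DIR_PKI=/etc/pki
readonly DIR_CERT=$DIR_PKI/tls
readonly DIR_WEB=/var/www/html
readonly CACERT=$DIR_PKI/CA/alcasar-ca.crt
readonly CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
readonly SRVCERT=$DIR_CERT/certs/alcasar.crt
readonly SRVKEY=$DIR_CERT/private/alcasar.key
readonly SRVREQ=$DIR_CERT/alcasar.req

readonly CACERT_LIFETIME="1460"
readonly SRVCERT_LIFETIME="1460"
readonly COUNTRY="FR"
readonly PROVINCE="none"
readonly LOCATION="Paris"
readonly ORGANIZATION="ALCASAR-Team"
# RSA modulus size and signature digest for both the CA and the server
# certificate. The previous values (1024 bits, md5) are below what current
# TLS clients accept: md5 signatures are collision-prone and 1024-bit RSA is
# considered too short, so such certificates are rejected outright.
readonly KEY_BITS=2048
readonly SIG_MD=sha256

#######################################
# Report a fatal error and exit 1.
# The message is appended to $FIC_PARAM when that variable is set (the caller
# collects messages there); otherwise it goes to stderr. Redirecting to an
# unset variable is an "ambiguous redirect" in bash and would lose the message.
# Arguments: $* - message
#######################################
fail() {
  if [[ -n "${FIC_PARAM:-}" ]]; then
    printf '%s\n' "$*" >> "$FIC_PARAM"
  else
    printf '%s\n' "$*" >&2
  fi
  exit 1
}

#######################################
# Print the host name used in the certificate subjects.
# organizationalUnitName is limited to 64 characters and the OU built below is
# "Certification Authority for <hostname>" (28 characters of prefix), so the
# name is cut back to its first label when longer than 36 characters
# (merci REXY ;-) ). The previous `wc -c` measurement counted the trailing
# newline and therefore truncated one character too early.
# Outputs: host name on stdout
# Returns: 1 when the host name cannot be determined
#######################################
subject_hostname() {
  local name
  name=$(hostname) || name=
  [[ -n "$name" ]] || return 1
  if (( ${#name} > 36 )); then
    name=${name%%.*}
  fi
  printf '%s\n' "$name"
}

#######################################
# Write the openssl configuration shared by `req` and `ca` into $DIR_TMP.
# Globals (read): DIR_TMP CACERT CAKEY KEY_BITS SIG_MD
# Arguments: $1 - host name, added as a DNS subjectAltName on the server cert
#######################################
write_openssl_conf() {
  local host=$1
  # Unquoted heredoc on purpose: $DIR_TMP/$CACERT/... expand now, \$dir is
  # left for openssl to resolve.
  cat <<EOF > "$DIR_TMP/ssl.conf"
RANDFILE		= $DIR_TMP/.rnd
#
[ ca ]
default_ca = AlcasarCA

[ AlcasarCA ]
dir		= $DIR_TMP		# Where everything is kept
certs		= \$dir			# Where the issued certs are kept
crl_dir		= \$dir			# Where the issued crl are kept
database	= \$dir/index.txt	# database index file.
new_certs_dir	= \$dir			# default place for new certs.

certificate	= $CACERT	 	# The CA certificate
serial		= \$dir/serial 		# The current serial number
crl		= \$dir/crl.pem 	# The current CRL
private_key	= $CAKEY		# The private key

x509_extensions	= usr_cert		# The extentions to add to the cert
crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= $SIG_MD		# which md to use (md5 is collision-prone).
preserve	= no			# keep passed DN ordering

policy		= policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits		= $KEY_BITS
default_md		= $SIG_MD
distinguished_name	= req_distinguished_name
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= FR
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State

localityName			= Locality Name (eg, city)
localityName_default		= Lyon

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= your organization name

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 255

emailAddress			= Email Address
emailAddress_max		= 255

# SET-ex3			= SET extension number 3

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# Mark the server certificate as an end-entity certificate so it can never be
# used to issue further certificates.
basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType			= server

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address and name the host: TLS clients match the server
# name against subjectAltName, not only against the commonName.
subjectAltName=email:copy,DNS:$host

# Copy subject details
issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF
}

#######################################
# Generate an RSA private key readable by its owner only.
# The umask is narrowed in a subshell so the file is never created
# world-readable, not even briefly; the chmod afterwards also covers the case
# where openssl reuses an existing inode.
# Globals (read): DIR_TMP KEY_BITS
# Arguments: $1 - output path
#            $2 - label written to openssl-log
#######################################
gen_key() {
  local keyfile=$1 label=$2
  rm -f -- "$keyfile"
  printf '*********%s*********\n' "$label" >> "$DIR_TMP/openssl-log"
  (umask 077; openssl genrsa -out "$keyfile" "$KEY_BITS") 2>> "$DIR_TMP/openssl-log"
  if [[ -e "$keyfile" ]]; then
    chmod 600 -- "$keyfile"
  fi
}

#######################################
# Build the self-signed CA certificate from $CAKEY.
# Subject fields are fed on stdin in the order the [req_distinguished_name]
# prompts ask for them: C, ST, L, O, OU, CN, emailAddress. The signature
# digest comes from default_md in the [req] section of ssl.conf.
# Globals (read): DIR_TMP CAKEY CACERT CACERT_LIFETIME COUNTRY PROVINCE
#                 LOCATION ORGANIZATION
# Arguments: $1 - host name ; $2 - CA e-mail address
#######################################
make_ca_cert() {
  local host=$1 mail=$2
  rm -f -- "$CACERT"
  printf '*********CACERT*********\n' >> "$DIR_TMP/openssl-log"
  printf '%s\n' "$COUNTRY" "$PROVINCE" "$LOCATION" "$ORGANIZATION" \
      "Certification Authority for $host" "ALCASAR-local-CA" "$mail" |
    openssl req -config "$DIR_TMP/ssl.conf" -new -x509 -days "$CACERT_LIFETIME" \
      -key "$CAKEY" -out "$CACERT" 2>> "$DIR_TMP/openssl-log"
}

#######################################
# Build a request for the server key and sign it with the CA.
# The request is removed afterwards whatever the outcome; the signed
# certificate is what the final sanity check looks at.
# Globals (read): DIR_TMP SRVKEY SRVREQ SRVCERT SRVCERT_LIFETIME SIG_MD
#                 COUNTRY PROVINCE LOCATION ORGANIZATION
# Arguments: $1 - host name (also the commonName) ; $2 - server e-mail address
#######################################
make_server_cert() {
  local host=$1 mail=$2
  printf '*********SRVRQST*********\n' >> "$DIR_TMP/openssl-log"
  printf '%s\n' "$COUNTRY" "$PROVINCE" "$LOCATION" "$ORGANIZATION" \
      "Server certificate for $host" "$host" "$mail" |
    openssl req -config "$DIR_TMP/ssl.conf" -new -key "$SRVKEY" \
      -out "$SRVREQ" 2>> "$DIR_TMP/openssl-log"
  rm -f -- "$SRVCERT"
  printf '*********SRVCERT*********\n' >> "$DIR_TMP/openssl-log"
  # -md repeats default_md explicitly so the digest does not depend on the
  # config being read correctly.
  openssl ca -config "$DIR_TMP/ssl.conf" -name AlcasarCA -batch \
    -md "$SIG_MD" -days "$SRVCERT_LIFETIME" \
    -in "$SRVREQ" -out "$SRVCERT" 2>> "$DIR_TMP/openssl-log"
  rm -f -- "$SRVREQ"
}

#######################################
# Expose the two public certificates under the web root so that clients can
# download the CA certificate. Only certificates are linked, never keys.
# Globals (read): DIR_WEB CACERT SRVCERT
#######################################
publish_certs() {
  [[ -d "$DIR_WEB/certs" ]] || mkdir -p -- "$DIR_WEB/certs"
  rm -f -- "$DIR_WEB"/certs/*
  ln -s -- "$CACERT" "$DIR_WEB/certs/certificat_alcasar_ca.crt"
  ln -s -- "$SRVCERT" "$DIR_WEB/certs/certificat_alcasar.crt"
}

#######################################
# Entry point: scratch directory, config, CA, server certificate, publication.
# Globals (written): DIR_TMP
#######################################
main() {
  local host camail srvmail
  host=$(subject_hostname) || {
    printf '%s\n' "Impossible de déterminer le nom d'hôte !!!" >&2
    exit 1
  }
  camail=ca@$host
  srvmail=apache@$host

  # mktemp gives an unpredictable, owner-only directory; the previous
  # $$-based name was guessable by any local user.
  DIR_TMP=$(mktemp -d "${TMPDIR:-/tmp}/alcasar-mkcert.XXXXXX") || exit 1
  : > "$DIR_TMP/openssl-log"
  echo 01 > "$DIR_TMP/serial"
  touch "$DIR_TMP/index.txt"
  write_openssl_conf "$host"

  gen_key "$CAKEY" CAKEY
  make_ca_cert "$host" "$camail"
  gen_key "$SRVKEY" SRVKEY
  make_server_cert "$host" "$srvmail"
  chmod a+r -- "$CACERT" "$SRVCERT"

  # Success is judged on the artefacts, not on individual openssl statuses,
  # so the log in $DIR_TMP stays available when anything went wrong.
  if [[ -s "$CACERT" && -s "$CAKEY" && -s "$SRVCERT" && -s "$SRVKEY" ]]; then
    publish_certs
    rm -rf -- "$DIR_TMP"
    exit 0
  fi
  fail "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)"
}

main "$@"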