#!/bin/sh
# $Id: alcasar-CA.sh 2801 2020-04-07 17:31:42Z rexy $
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
# and Michel Arboi <arboi@alussinan.org>
#
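# Working directory for this run. It is removed at the end only when every
# artefact was produced; on failure it is kept so openssl-log can be read.
# ${TMPDIR:-/tmp} also covers an *empty* TMPDIR, which with the former
# ${TMPDIR-/tmp} would have placed the directory directly under "/".
DIR_TMP=${TMPDIR:-/tmp}/alcasar-mkcert.$$
# PKI layout on the host
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
DIR_WEB=/var/www/html
# Local certification authority: certificate and private key
CACERT=$DIR_PKI/CA/alcasar-ca.crt
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
# Server side: signing request (deleted once signed), private key,
# certificate, key+certificate bundle and the chain file (a copy of the
# CA certificate, see the cp below)
SRVREQ=$DIR_CERT/alcasar.req
SRVKEY=$DIR_CERT/private/alcasar.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVPEM=$DIR_CERT/private/alcasar.pem
SRVCHAIN=$DIR_CERT/certs/server-chain.crt

# Validity in days (4 x 365) of the CA and of the server certificate
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
# Fixed part of the subject DN; OU, CN and e-mail are derived from the
# host name further down
COUNTRY="FR"
PROVINCE="none"
LOCATION="Paris"
ORGANIZATION="ALCASAR-Team"
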
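# Private working directory for the openssl "ca" database, the generated
# config and the log. A plain mkdir (no -p) fails when the path already
# exists, so a pre-existing entry is never reused; -m 0700 keeps the working
# files away from other local users whatever the caller's umask is.
mkdir -m 0700 -- "$DIR_TMP" || exit 1
# CA directory tree: must exist, owned by root, no access for "others"
# (a failed mkdir -p is fatal instead of being silently carried on)
[ -d "$DIR_PKI/CA/private" ] || mkdir -p "$DIR_PKI/CA/private" || exit 1
chown -R root:root "$DIR_PKI/CA"
chmod -R 750 "$DIR_PKI/CA"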
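# dynamic conf file for openssl
# Written once per run into the working directory. $DIR_TMP, $CACERT, $CAKEY
# and $HOME are expanded by the shell here; the escaped \$dir references are
# left for openssl to resolve. One file serves all steps: [ AlcasarCA ] drives
# "openssl ca" (signing of the server request, extensions from [ usr_cert ]),
# [ req ] / [ req_distinguished_name ] the requests, [ v3_ca ] the extensions
# of the self-signed CA certificate.
# NOTE(review): [ usr_cert ] only copies the e-mail address into
# subjectAltName; no DNS name is added, so clients that require a DNS
# subjectAltName matching the host may reject the server certificate. The
# host name is only determined later in this script, which is why it is
# not referenced from this file.
# NOTE(review): RANDFILE points under $HOME; when HOME is unset (cron, some
# sudo setups) this expands to "/.rnd" — confirm how the script is invoked.
cat <<EOF >"$DIR_TMP/ssl.conf"
RANDFILE = $HOME/.rnd
#
[ ca ]
default_ca = AlcasarCA

[ AlcasarCA ]
dir = $DIR_TMP # Where everything is kept
certs = \$dir # Where the issued certs are kept
crl_dir = \$dir # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir # default place for new certs.

certificate = $CACERT # The CA certificate
serial = \$dir/serial # The current serial number
crl = \$dir/crl.pem # The current CRL
private_key = $CAKEY # The private key

x509_extensions = usr_cert # The extentions to add to the cert
crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which message digest to use.
preserve = no # keep passed DN ordering

policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
# attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)
localityName_default = Lyon

0.organizationName = Organization Name (eg, company)
0.organizationName_default = your organization name

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 255

emailAddress = Email Address
emailAddress_max = 255

# SET-ex3 = SET extension number 3

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType = server

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy

# Copy subject details
issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF
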
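# Host name: it becomes the CN of the server certificate and is embedded in
# the OU and e-mail fields of both certificates
hostname=$(hostname)
if [ -z "$hostname" ]; then
  echo "Impossible de déterminer le nom d'hôte !!!"
  exit 1
fi

# The value for organizationalUnitName must be 64 chars or less;
# "Certification Authority for " already uses 28 of them, thus the host name
# must be 36 chars or less. If it's too big, fall back to the short name
# (everything before the first dot) — merci REXY ;-).
# ${#hostname} is the exact character count; the former `echo | wc -c` also
# counted the trailing newline and so truncated one character too early.
# Note that the shortened name is then also the server certificate's CN, so
# clients contacting the host by its FQDN will see a name mismatch.
if [ "${#hostname}" -gt 36 ]; then
  hostname=${hostname%%.*}
fi

# Contact addresses written into the emailAddress field of each certificate
CAMAIL=ca@$hostname
SRVMAIL=apache@$hostname
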
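# Fresh "openssl ca" database for this run: first serial and an empty index
echo 01 > "$DIR_TMP/serial"
touch "$DIR_TMP/index.txt"

# CA key: RSA 2048 without passphrase (the signing step below reads it
# non-interactively). It is generated under umask 077 so the file is never
# readable by others, even before the explicit chmod 0600 at the end.
rm -f "$CAKEY"
echo "*********CAKEY*********" > "$DIR_TMP/openssl-log"
(umask 077; openssl genrsa -out "$CAKEY" 2048) 2>> "$DIR_TMP/openssl-log"

# Self-signed CA certificate, valid CACERT_LIFETIME days. The seven lines
# sent on stdin answer the [ req_distinguished_name ] prompts in order:
# C, ST, L, O, OU, CN, emailAddress. All openssl diagnostics go to the log.
rm -f "$CACERT"
echo "*********CACERT*********" >> "$DIR_TMP/openssl-log"
printf '%s\n' \
  "$COUNTRY" \
  "$PROVINCE" \
  "$LOCATION" \
  "$ORGANIZATION" \
  "Certification Authority for $hostname" \
  "$hostname-local-CA" \
  "$CAMAIL" |
  openssl req -config "$DIR_TMP/ssl.conf" -new -x509 -sha256 \
    -days "$CACERT_LIFETIME" -key "$CAKEY" -out "$CACERT" 2>> "$DIR_TMP/openssl-log"
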
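# Server key: RSA 2048 without passphrase, generated under umask 077 so the
# file is never readable by others, even before the explicit chmod 0600.
rm -f "$SRVKEY"
echo "*********SRVKEY*********" >> "$DIR_TMP/openssl-log"
(umask 077; openssl genrsa -out "$SRVKEY" 2048) 2>> "$DIR_TMP/openssl-log"

# Server certificate "request". The seven stdin lines answer the
# [ req_distinguished_name ] prompts in order: C, ST, L, O, OU, CN,
# emailAddress. The CN is the (possibly shortened) host name only; no DNS
# subjectAltName is requested.
echo "*********SRVRQST*********" >> "$DIR_TMP/openssl-log"
printf '%s\n' \
  "$COUNTRY" \
  "$PROVINCE" \
  "$LOCATION" \
  "$ORGANIZATION" \
  "Server certificate for $hostname" \
  "$hostname" \
  "$SRVMAIL" |
  openssl req -config "$DIR_TMP/ssl.conf" -new -key "$SRVKEY" -out "$SRVREQ" 2>> "$DIR_TMP/openssl-log"

# Sign the server certificate "request" with the local CA to create the
# server certificate (-batch: no interactive confirmation), then drop the
# request, which is not needed any more.
rm -f "$SRVCERT"
echo "*********SRVCERT*********" >> "$DIR_TMP/openssl-log"
openssl ca -config "$DIR_TMP/ssl.conf" -name AlcasarCA -batch \
  -days "$SRVCERT_LIFETIME" -in "$SRVREQ" -out "$SRVCERT" 2>> "$DIR_TMP/openssl-log"
rm -f "$SRVREQ"

# Key + certificate bundle (private key, blank line, certificate). It holds
# the private key, so: remove any stale copy first (a bare ">" would keep the
# old file's mode) and create it under umask 077 so it starts out as 0600
# instead of whatever the caller's umask allows.
rm -f "$SRVPEM"
(umask 077; { cat "$SRVKEY"; echo; cat "$SRVCERT"; } > "$SRVPEM")
# Chain file: with this one-level CA it is simply the CA certificate
cp -f "$CACERT" "$SRVCHAIN"
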
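# Limit rights: every file that contains a private key is root-only.
# SRVPEM carries a copy of the server key (it is built from SRVKEY above),
# so it needs the same protection as the two key files; without it the
# bundle keeps whatever mode the umask gave it at creation.
chown root:root "$SRVKEY" "$CAKEY" "$SRVPEM"
chmod 0600 "$SRVKEY" "$CAKEY" "$SRVPEM"
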
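# Link certs in ALCASAR Control Center and clean up — but only when every
# artefact was actually produced. openssl errors only go to openssl-log, so a
# non-empty output file is the success signal used here.
if [ -s "$CACERT" ] && [ -s "$CAKEY" ] && [ -s "$SRVCERT" ] && [ -s "$SRVKEY" ] && [ -s "$SRVPEM" ]; then
  [ -d "$DIR_WEB/certs" ] || mkdir -p "$DIR_WEB/certs"
  rm -f "$DIR_WEB/certs"/*
  # Only the public certificates are exposed through the web root, never a key
  ln -s "$CACERT" "$DIR_WEB/certs/certificat_alcasar_ca.crt"
  ln -s "$SRVCERT" "$DIR_WEB/certs/certificat_alcasar.crt"
  # ${DIR_TMP:?} turns an unset/empty DIR_TMP into a hard error rather than
  # letting rm -rf run on an unintended path
  rm -rf -- "${DIR_TMP:?}"
  exit 0
else
  # The working directory is deliberately kept so the log can be inspected
  echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"
  exit 1
fi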