WebSVN – ALCASAR – Diff – //scripts/alcasar-CA.sh

 #!/bin/sh
-# $Id: alcasar-CA.sh 2814 2020-04-27 22:02:20Z rexy $
+# $Id: alcasar-CA.sh 2922 2021-02-22 22:48:39Z rexy $
 # alcasar-CA.sh
 # by Franck BOUIJOUX, Pascal LEVANT and Richard REY
 # This script is distributed under the Gnu General Public License (GPL)
+#
 SRVREQ=$DIR_CERT/alcasar.req
 SRVKEY=$DIR_CERT/private/alcasar.key
 SRVCERT=$DIR_CERT/certs/alcasar.crt
 SRVPEM=$DIR_CERT/private/alcasar.pem
 SRVCHAIN=$DIR_CERT/certs/server-chain.pem
+CONF_FILE="/usr/local/ets/alcasar.conf"
+HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
+DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
+DOMAIN=${DOMAIN:=localdomain}
 CACERT_LIFETIME="1460"
 SRVCERT_LIFETIME="1460"
 COUNTRY="FR"
 PROVINCE="none"
+#
 [ ca ]
 default_ca = AlcasarCA
 [ AlcasarCA ]
-dir		= $DIR_TMP		# Where everything is kept
+dir = $DIR_TMP				# Where everything is kept
-certs		= \$dir			# Where the issued certs are kept
+certs = \$dir				# Where the issued certs are kept
-crl_dir		= \$dir			# Where the issued crl are kept
+crl_dir	= \$dir				# Where the issued crl are kept
-database	= \$dir/index.txt	# database index file.
+database = \$dir/index.txt	# database index file.
-new_certs_dir	= \$dir			# default place for new certs.
+new_certs_dir = \$dir		# default place for new certs.
-certificate	= $CACERT	 	# The CA certificate
+certificate = $CACERT	 	# The CA certificate
-serial		= \$dir/serial 		# The current serial number
+serial = \$dir/serial		# The current serial number
-crl		= \$dir/crl.pem 	# The current CRL
+crl = \$dir/crl.pem			# The current CRL
-private_key	= $CAKEY		# The private key
+private_key = $CAKEY		# The private key
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions = usr_cert	# The extentions to add to the cert
-crl_extensions	= crl_ext
+crl_extensions = crl_ext
-default_days	= 365			# how long to certify for
+default_days = 365			# how long to certify for
-default_crl_days= 30			# how long before next CRL
+default_crl_days = 30		# how long before next CRL
-default_md	= sha256		# which message digest to use.
+default_md = sha256			# which message digest to use.
-preserve	= no			# keep passed DN ordering
+preserve = no				# keep passed DN ordering
-policy		= policy_anything
+policy = policy_anything
 [ policy_anything ]
 countryName             = optional
 stateOrProvinceName     = optional
 localityName            = optional
 [ req ]
 default_bits		= 2048
 distinguished_name	= req_distinguished_name
 # attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 [ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
+countryName = Country Name (2 letter code)
-countryName_default		= FR
+countryName_default = FR
-countryName_min			= 2
+countryName_min = 2
-countryName_max			= 2
+countryName_max = 2
-stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default = Some-State
-localityName			= Locality Name (eg, city)
+localityName = Locality Name (eg, city)
-localityName_default		= Lyon
+localityName_default = Paris
-.organizationName		= Organization Name (eg, company)
+.organizationName = Organization Name (eg, company)
-.organizationName_default	= your organization name
+.organizationName_default = your organization name
 # we can do this but it is not needed normally :-)
-#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default	= World Wide Web Pty Ltd
+#1.organizationName_default = World Wide Web Pty Ltd
-organizationalUnitName		= Organizational Unit Name (eg, section)
-#organizationalUnitName_default	=
-commonName			= Common Name (eg, your name or your server\'s hostname)
+organizationalUnitName = Organizational Unit Name (eg, section)
-commonName_max			= 255
+#organizationalUnitName_default =
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 255
-emailAddress			= Email Address
+emailAddress = Email Address
-emailAddress_max		= 255
+emailAddress_max = 255
-# SET-ex3			= SET extension number 3
 [ usr_cert ]
 # These extensions are added when 'ca' signs a request.
 # This goes against PKIX guidelines but some CAs do it and some software
 # requires this to avoid interpreting an end user certificate as a CA.
-#basicConstraints=CA:FALSE
+basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-# This is OK for an SSL server.
-# nsCertType			= nsCertType
-# For normal client use this is typical
-# nsCertType = client, email
-nsCertType			= server
+nsCertType = server
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
+subjectKeyIdentifier = hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier = keyid,issuer
 # This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
+subjectAltName = @alt_names
 # Copy subject details
-issuerAltName=issuer:copy
+issuerAltName = issuer:copy
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-[ v3_ca ]
+[alt_names]
-# PKIX recommendation.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-basicConstraints = critical,CA:true
-# So we do this instead.
+DNS.1 = $HOSTNAME.$DOMAIN
-#basicConstraints = CA:true
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-keyUsage = cRLSign, keyCertSign
-nsCertType = sslCA
-EOF
-hostname=`hostname`
-if [ -z "$hostname" ];
-then
- echo "Impossible de déterminer le nom d'hôte !!!"
- exit 1
-fi
+EOF
 # The value for organizationalUnitName must be 64 chars or less;
 #   thus, hostname must be 36 chars or less. If it's too big,
 #   try removing domain (merci REXY ;-) ).
-hostname_len=`echo $hostname| wc -c`
+hostname_len=`echo $HOSTNAME| wc -c`
 if [ $hostname_len -gt 36 ];
 then
-	hostname=`echo $hostname | cut -d '.' -f 1`
+	HOSTNAME=`echo $HOSTNAME | cut -d '.' -f 1`
 fi
 CAMAIL=
 SRVMAIL=
 echo "*********CACERT*********" >> $DIR_TMP/openssl-log
 echo "$COUNTRY
 $PROVINCE
 $LOCATION
 $ORGANIZATION
-Certification Authority for $hostname
+Certification Authority for $HOSTNAME.$DOMAIN
-$hostname-local-CA
+$HOSTNAME-local-CA
 $CAMAIL" |
 openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
 # Server key
 rm -f $SRVKEY
 echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
 echo "$COUNTRY
 $PROVINCE
 $LOCATION
 $ORGANIZATION
-Server certificate for $hostname
+Server certificate for $HOSTNAME.$DOMAIN
-$hostname
+$HOSTNAME.$DOMAIN
 $SRVMAIL" |
 openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
 # Sign the server certificate "request" to create server certificate
 rm -f $SRVCERT
 echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
-openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
+openssl ca -config $DIR_TMP/ssl.conf -name $HOSTNAME-local-CA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
 rm -f $SRVREQ
 (cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
 cp -f $CACERT $SRVCHAIN

Subversion Repositories ALCASAR

(root)//scripts/alcasar-CA.sh – Rev 2814 → 2922