#!/bin/sh
# $Id: alcasar-CA.sh 2922 2021-02-22 22:48:39Z rexy $
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
# and Michel Arboi <arboi@alussinan.org>
#
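# --- Paths and identity -----------------------------------------------------
# Private working directory for the openssl "ca" database (index.txt, serial,
# issued certs) and for the generated ssl.conf.  mktemp -d creates it with an
# unpredictable name and mode 0700, so a pre-created file or symlink in
# $TMPDIR cannot redirect the files written below (the former fixed ".$$"
# suffix was guessable).  The directory is kept on failure so the log stays
# readable; it is removed on success.
DIR_TMP=$(mktemp -d "${TMPDIR-/tmp}/alcasar-mkcert.XXXXXX") || exit 1
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
DIR_WEB=/var/www/html
CACERT=$DIR_PKI/CA/alcasar-ca.crt          # CA certificate (public)
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key   # CA private key
SRVREQ=$DIR_CERT/alcasar.req               # server CSR, deleted once signed
SRVKEY=$DIR_CERT/private/alcasar.key       # server private key
SRVCERT=$DIR_CERT/certs/alcasar.crt        # server certificate (public)
SRVPEM=$DIR_CERT/private/alcasar.pem       # server key + certificate bundle (holds the private key)
SRVCHAIN=$DIR_CERT/certs/server-chain.pem  # chain presented by the server (copy of the CA cert)
# NOTE(review): the path below reads "ets"; confirm it is not a typo for
# /usr/local/etc.  If the file is missing, grep yields an empty HOSTNAME and
# DOMAIN silently falls back to "localdomain".
CONF_FILE="/usr/local/ets/alcasar.conf"
HOSTNAME=$(grep '^HOSTNAME=' "$CONF_FILE" | cut -d'=' -f2)
DOMAIN=$(grep '^DOMAIN=' "$CONF_FILE" | cut -d'=' -f2)
DOMAIN=${DOMAIN:-localdomain}
CACERT_LIFETIME="1460"    # days
SRVCERT_LIFETIME="1460"   # days
COUNTRY="FR"
PROVINCE="none"
LOCATION="Paris"
ORGANIZATION="ALCASAR-Team"

# CA directory: root-only write, group read (the private/ subdir inherits 750).
[ -d "$DIR_PKI/CA/private" ] || mkdir -p "$DIR_PKI/CA/private"
chown -R root:root "$DIR_PKI/CA"
chmod -R 750 "$DIR_PKI/CA"

# --- Dynamic openssl configuration ------------------------------------------
# "$dir" is escaped so openssl expands it; DIR_TMP/CACERT/CAKEY/HOSTNAME/DOMAIN
# are expanded by the shell now.  [alt_names] therefore records HOSTNAME as
# read from the config file, before the length adjustment made further down.
cat <<EOF >"$DIR_TMP/ssl.conf"
RANDFILE = $HOME/.rnd
#
[ ca ]
default_ca = AlcasarCA
[ AlcasarCA ]
dir = $DIR_TMP # Where everything is kept
certs = \$dir # Where the issued certs are kept
crl_dir = \$dir # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir # default place for new certs.
certificate = $CACERT # The CA certificate
serial = \$dir/serial # The current serial number
crl = \$dir/crl.pem # The current CRL
private_key = $CAKEY # The private key
x509_extensions = usr_cert # The extentions to add to the cert
crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha256 # which message digest to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
# attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
localityName_default = Paris
0.organizationName = Organization Name (eg, company)
0.organizationName_default = your organization name
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 255
emailAddress = Email Address
emailAddress_max = 255
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
subjectAltName = @alt_names
# Copy subject details
issuerAltName = issuer:copy
[alt_names]
DNS.1 = $HOSTNAME.$DOMAIN
EOF

# The organizationalUnitName written below is
# "Certification Authority for $HOSTNAME.$DOMAIN" (28-char prefix) and must be
# 64 chars or less, so the host part is limited to 36 chars.  If it is longer,
# keep only the first label (merci REXY ;-) ).  ${#var} counts characters
# exactly; the former `echo | wc -c` also counted the trailing newline and so
# truncated a 36-char name.
# NOTE(review): ssl.conf (DNS.1) already holds the untruncated name, so CN and
# SAN may differ after this step — confirm that is intended.
if [ "${#HOSTNAME}" -gt 36 ]; then
  HOSTNAME=${HOSTNAME%%.*}
fi
CAMAIL=
SRVMAIL=

# openssl "ca" database: first serial and an empty index.
echo 01 >"$DIR_TMP/serial"
touch "$DIR_TMP/index.txt"
LOG="$DIR_TMP/openssl-log"   # stderr of every openssl call, one section per step

# --- CA key and certificate --------------------------------------------------
rm -f "$CAKEY"
echo "*********CAKEY*********" >"$LOG"
openssl genrsa -out "$CAKEY" 2048 2>>"$LOG"
# The piped lines answer the [ req_distinguished_name ] prompts in order:
# C, ST, L, O, OU, CN, emailAddress (the last one is intentionally empty).
rm -f "$CACERT"
echo "*********CACERT*********" >>"$LOG"
printf '%s\n' "$COUNTRY" "$PROVINCE" "$LOCATION" "$ORGANIZATION" \
  "Certification Authority for $HOSTNAME.$DOMAIN" "$HOSTNAME-local-CA" "$CAMAIL" |
  openssl req -config "$DIR_TMP/ssl.conf" -new -x509 -sha256 -days "$CACERT_LIFETIME" -key "$CAKEY" -out "$CACERT" 2>>"$LOG"

# --- Server key, request and certificate ------------------------------------
rm -f "$SRVKEY"
echo "*********SRVKEY*********" >>"$LOG"
openssl genrsa -out "$SRVKEY" 2048 2>>"$LOG"
# Same prompt order as above; CN is the server's FQDN.
echo "*********SRVRQST*********" >>"$LOG"
printf '%s\n' "$COUNTRY" "$PROVINCE" "$LOCATION" "$ORGANIZATION" \
  "Server certificate for $HOSTNAME.$DOMAIN" "$HOSTNAME.$DOMAIN" "$SRVMAIL" |
  openssl req -config "$DIR_TMP/ssl.conf" -new -key "$SRVKEY" -out "$SRVREQ" 2>>"$LOG"
# Sign the request with the CA to obtain the server certificate.
# NOTE(review): "-name" selects the CA section of ssl.conf, and the file
# written above defines only [ AlcasarCA ] (the default_ca); confirm this
# lookup succeeds as intended.
rm -f "$SRVCERT"
echo "*********SRVCERT*********" >>"$LOG"
openssl ca -config "$DIR_TMP/ssl.conf" -name "$HOSTNAME-local-CA" -batch -days "$SRVCERT_LIFETIME" -in "$SRVREQ" -out "$SRVCERT" 2>>"$LOG"
rm -f "$SRVREQ"

# Key + certificate bundle.  It embeds the private key, so it is created under
# a restrictive umask inside a subshell (the redirection runs after the umask
# there) rather than with the caller's umask; the old copy is removed first so
# a permissive mode from a previous run is not kept by the truncating ">".
rm -f "$SRVPEM"
(umask 077; { cat "$SRVKEY"; echo; cat "$SRVCERT"; } >"$SRVPEM")
cp -f "$CACERT" "$SRVCHAIN"

# Limit rights on every file that holds a private key.  The bundle used to be
# left out of this step and kept whatever mode the umask gave it.
chown root:root "$SRVKEY" "$CAKEY" "$SRVPEM"
chmod 0600 "$SRVKEY" "$CAKEY" "$SRVPEM"

# --- Publish the public certificates in the ALCASAR Control Center ----------
# Only the public certs are linked; the keys stay in their private/ dirs.
if [ -s "$CACERT" ] && [ -s "$CAKEY" ] && [ -s "$SRVCERT" ] && [ -s "$SRVKEY" ]; then
  [ -d "$DIR_WEB/certs" ] || mkdir -p "$DIR_WEB/certs"
  rm -f "$DIR_WEB"/certs/*
  ln -s "$CACERT" "$DIR_WEB/certs/certificat_alcasar_ca.crt"
  ln -s "$SRVCERT" "$DIR_WEB/certs/certificat_alcasar.crt"
  rm -rf "$DIR_TMP"
  exit 0
else
  # The working directory (and its openssl log) is deliberately kept here.
  echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"
  exit 1
fi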