2010-10-06 17:34:30 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
|
|
PREFIX=/etc/openvpn/ssl
|
|
|
|
|
CONFFILE=$PREFIX/openssl.cnf
|
2017-05-21 03:33:08 +02:00
|
|
|
OPENSSL=$(which openssl)
|
2010-10-06 17:34:30 +02:00
|
|
|
TIMESTAMP=$(/bin/date +"%s")
|
|
|
|
|
WWWDIR=/var/www/htdocs/vpn/ssl
|
|
|
|
|
|
|
|
|
|
|
2017-05-21 03:33:08 +02:00
|
|
|
if [ "$(id -u)" != "0" ]; then
|
2017-05-21 03:50:23 +02:00
|
|
|
echo "Please become root before running ${0##*/}!" >&2
|
2017-05-21 03:48:06 +02:00
|
|
|
echo >&2
|
|
|
|
|
echo "Press return to continue..." >&2
|
2017-03-05 00:03:08 +01:00
|
|
|
read REPLY
|
2010-10-06 17:34:30 +02:00
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
init() {
|
2017-05-21 03:50:23 +02:00
|
|
|
echo "Do you confirm ${0##*/} initialization?"
|
2010-10-06 17:34:30 +02:00
|
|
|
echo
|
|
|
|
|
echo "Press return to continue..."
|
2017-03-05 00:03:08 +01:00
|
|
|
read REPLY
|
2010-10-06 17:34:30 +02:00
|
|
|
echo
|
|
|
|
|
|
|
|
|
|
if [ ! -d $PREFIX/ca ]; then mkdir -p $PREFIX/ca; fi
|
|
|
|
|
if [ ! -d $PREFIX/ca/tmp ]; then mkdir -p $PREFIX/ca/tmp; fi
|
|
|
|
|
if [ ! -d $PREFIX/certs ]; then mkdir -p $PREFIX/certs; fi
|
|
|
|
|
if [ ! -d $PREFIX/files ]; then mkdir -p $PREFIX/files; fi
|
|
|
|
|
if [ ! -f $PREFIX/ca/index.txt ]; then touch $PREFIX/ca/index.txt; fi
|
|
|
|
|
if [ ! -f $PREFIX/files/ca/serial ]; then echo 01 > $PREFIX/ca/serial; fi
|
|
|
|
|
|
2017-05-21 04:10:46 +02:00
|
|
|
if [ ! -e "$CONFFILE" ]; then
|
|
|
|
|
echo "$CONFFILE is missing" >&2
|
|
|
|
|
echo >&2
|
|
|
|
|
echo "Press return to continue..." >&2
|
|
|
|
|
read REPLY
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
2015-07-22 09:56:04 +02:00
|
|
|
$OPENSSL dhparam -out $PREFIX/ca/dh2048.pem 2048
|
2018-01-15 17:38:52 +01:00
|
|
|
$OPENSSL genrsa -out $PREFIX/ca/private.key 4096
|
2010-10-06 17:34:30 +02:00
|
|
|
|
|
|
|
|
$OPENSSL req \
|
|
|
|
|
-config $CONFFILE \
|
|
|
|
|
-new -x509 -days 3650 \
|
2017-03-05 15:11:54 +01:00
|
|
|
-extensions v3_ca \
|
2010-10-06 17:34:30 +02:00
|
|
|
-keyout $PREFIX/ca/private.key \
|
|
|
|
|
-out $PREFIX/ca/cacert.pem
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
create() {
|
|
|
|
|
echo "Please enter your CN (Common Name)"
|
|
|
|
|
read cn
|
|
|
|
|
echo
|
|
|
|
|
echo "Your CN is '$cn'"
|
|
|
|
|
echo "Press return to continue..."
|
2017-03-05 00:03:08 +01:00
|
|
|
read REPLY
|
2010-10-06 17:34:30 +02:00
|
|
|
echo
|
|
|
|
|
|
|
|
|
|
if [ -e $PREFIX/certs/$cn.crt ]; then
|
|
|
|
|
echo "Please revoke actual $cn cert before creating one"
|
|
|
|
|
echo
|
|
|
|
|
echo "Press return to continue..."
|
2017-03-05 00:03:08 +01:00
|
|
|
read REPLY
|
2010-10-06 17:34:30 +02:00
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
DIR=$PREFIX/files/$cn-$TIMESTAMP
|
|
|
|
|
mkdir $DIR
|
|
|
|
|
|
|
|
|
|
# generate private key
|
2013-10-15 14:01:38 +02:00
|
|
|
echo -n "Should private key be protected by a passphrase? [y/N] "
|
2017-03-05 00:03:08 +01:00
|
|
|
read REPLY
|
2017-07-20 12:01:59 +02:00
|
|
|
if [ "$REPLY" = "y" ] || [ "$REPLY" = "Y" ]; then
|
2017-05-21 04:37:07 +02:00
|
|
|
$OPENSSL genrsa -aes128 -out $DIR/$cn.key 2048
|
2013-10-15 14:01:38 +02:00
|
|
|
else
|
|
|
|
|
$OPENSSL genrsa -out $DIR/$cn.key 2048
|
|
|
|
|
fi
|
2010-10-06 17:34:30 +02:00
|
|
|
|
|
|
|
|
# generate csr req
|
|
|
|
|
$OPENSSL req \
|
2013-10-16 16:44:34 +02:00
|
|
|
-new \
|
|
|
|
|
-key $DIR/$cn.key \
|
|
|
|
|
-config $CONFFILE \
|
2010-10-06 17:34:30 +02:00
|
|
|
-out $DIR/$cn.csr
|
|
|
|
|
|
|
|
|
|
# ca sign and generate cert
|
|
|
|
|
$OPENSSL ca \
|
|
|
|
|
-config $CONFFILE \
|
|
|
|
|
-in $DIR/$cn.csr \
|
|
|
|
|
-out $DIR/$cn.crt
|
|
|
|
|
|
2017-05-21 04:11:48 +02:00
|
|
|
# pem cert style
|
2010-10-06 17:34:30 +02:00
|
|
|
cp $DIR/$cn.key $DIR/$cn.pem
|
|
|
|
|
cat $DIR/$cn.crt >> $DIR/$cn.pem
|
|
|
|
|
|
|
|
|
|
# copy to public certs dir
|
2017-05-21 04:45:07 +02:00
|
|
|
if [ -d "$WWWDIR" ]; then
|
|
|
|
|
echo
|
|
|
|
|
echo "copy cert to public certs dir"
|
|
|
|
|
echo
|
|
|
|
|
cp -i $DIR/$cn.crt $PREFIX/certs/
|
|
|
|
|
cp -i $DIR/$cn.crt $WWWDIR/
|
|
|
|
|
cp -i $DIR/$cn.key $WWWDIR/
|
|
|
|
|
chown -R root:www $WWWDIR
|
|
|
|
|
chmod -R u=rwX,g=rwX,o= $WWWDIR
|
|
|
|
|
echo
|
|
|
|
|
fi
|
2010-10-06 17:34:30 +02:00
|
|
|
|
2014-12-05 16:28:56 +01:00
|
|
|
# generate client configuration
|
|
|
|
|
|
|
|
|
|
if [ -e $PREFIX/template.conf ]; then
|
|
|
|
|
|
2017-09-11 11:11:22 +02:00
|
|
|
CA=$PREFIX/ca/cacert.pem
|
|
|
|
|
CERT=$WWWDIR/$cn.crt
|
|
|
|
|
KEY=$WWWDIR/$cn.key
|
2014-12-05 16:28:56 +01:00
|
|
|
REP=/tmp
|
|
|
|
|
|
|
|
|
|
cp $PREFIX/template.conf $REP/$cn.conf
|
|
|
|
|
echo "
|
2017-05-21 04:11:48 +02:00
|
|
|
|
2014-12-05 16:28:56 +01:00
|
|
|
<ca>
|
|
|
|
|
$(cat $CA)
|
|
|
|
|
</ca>
|
2010-10-06 17:34:30 +02:00
|
|
|
|
2014-12-05 16:28:56 +01:00
|
|
|
<cert>
|
|
|
|
|
$(cat $CERT)
|
|
|
|
|
</cert>
|
|
|
|
|
|
|
|
|
|
<key>
|
|
|
|
|
$(cat $KEY)
|
|
|
|
|
</key>
|
|
|
|
|
" >> $REP/$cn.conf
|
|
|
|
|
|
|
|
|
|
echo "The configuration file is available in $REP/$cn.conf"
|
|
|
|
|
fi
|
|
|
|
|
}
|
2010-10-06 17:34:30 +02:00
|
|
|
|
|
|
|
|
revoke() {
|
|
|
|
|
echo "Please enter CN (Common Name) to revoke"
|
|
|
|
|
read cn
|
|
|
|
|
echo
|
|
|
|
|
echo "CN '$cn' will be revoked"
|
|
|
|
|
echo "Press return to continue..."
|
2017-03-05 00:03:08 +01:00
|
|
|
read REPLY
|
2010-10-06 17:34:30 +02:00
|
|
|
echo
|
|
|
|
|
|
|
|
|
|
$OPENSSL ca \
|
|
|
|
|
-config $CONFFILE \
|
2017-05-21 04:11:48 +02:00
|
|
|
-revoke $PREFIX/certs/$cn.crt
|
2010-10-06 17:34:30 +02:00
|
|
|
|
|
|
|
|
rm -i $PREFIX/certs/$cn.crt
|
2017-05-21 04:45:07 +02:00
|
|
|
if [ -d "$WWWDIR" ]; then
|
|
|
|
|
rm -i $WWWDIR/$cn.crt
|
|
|
|
|
rm -i $WWWDIR/$cn.key
|
|
|
|
|
fi
|
2010-10-06 17:34:30 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fromcsr() {
|
|
|
|
|
echo "Please enter path for your CSR request file"
|
|
|
|
|
read path
|
|
|
|
|
echo
|
|
|
|
|
|
|
|
|
|
if [ ! -e $path ]; then
|
2017-05-21 04:11:48 +02:00
|
|
|
echo "Error in path..." >&2
|
2017-05-21 03:48:06 +02:00
|
|
|
echo >&2
|
|
|
|
|
echo "Press return to continue..." >&2
|
2017-03-05 00:03:08 +01:00
|
|
|
read REPLY
|
2010-10-06 17:34:30 +02:00
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "Please enter the CN (Common Name)"
|
|
|
|
|
read cn
|
|
|
|
|
echo
|
|
|
|
|
echo "Your CN is '$cn'"
|
|
|
|
|
echo "Press return to continue..."
|
2017-03-05 00:03:08 +01:00
|
|
|
read REPLY
|
2010-10-06 17:34:30 +02:00
|
|
|
echo
|
|
|
|
|
|
|
|
|
|
DIR=$PREFIX/files/req_$cn-$TIMESTAMP
|
|
|
|
|
mkdir $DIR
|
|
|
|
|
|
|
|
|
|
cp $path $DIR
|
|
|
|
|
|
|
|
|
|
# ca sign and generate cert
|
|
|
|
|
$OPENSSL ca \
|
|
|
|
|
-config $CONFFILE \
|
|
|
|
|
-in $path \
|
|
|
|
|
-out $DIR/$cn.crt
|
|
|
|
|
|
|
|
|
|
# copy to public certs dir
|
|
|
|
|
echo
|
|
|
|
|
echo "copy cert to public certs dir"
|
|
|
|
|
echo
|
|
|
|
|
cp -i $DIR/$cn.crt $PREFIX/certs/
|
|
|
|
|
echo
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
crl() {
|
2017-05-21 04:11:48 +02:00
|
|
|
|
2010-10-06 17:34:30 +02:00
|
|
|
$OPENSSL ca -gencrl \
|
|
|
|
|
-config $CONFFILE \
|
|
|
|
|
-out crl.pem
|
|
|
|
|
|
|
|
|
|
# TODO : a voir pour l'importation pdts Mozilla, Apple et Microsoft
|
|
|
|
|
#openssl crl2pkcs7 -in crl.pem -certfile /etc/ssl/certs/cacert.pem -out p7.pem
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case "$1" in
|
|
|
|
|
init)
|
|
|
|
|
init
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
create)
|
|
|
|
|
create
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
fromcsr)
|
|
|
|
|
fromcsr
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
revoke)
|
|
|
|
|
revoke
|
|
|
|
|
;;
|
2014-12-05 16:28:56 +01:00
|
|
|
|
2010-10-06 17:34:30 +02:00
|
|
|
crl)
|
|
|
|
|
crl
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
*)
|
2017-05-21 03:50:23 +02:00
|
|
|
echo "Usage: ${0##*/} {init|create|fromcsr|revoke|crl}" >&2
|
2010-10-06 17:34:30 +02:00
|
|
|
exit 1
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
|
