initial import
This commit is contained in:
commit
0d497b10e2
2 changed files with 246 additions and 0 deletions
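--- a/openssl.cnf
+++ b/openssl.cnf
@@ -0,0 +1,50 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = /etc/openvpn/ssl/ca
+certs = /etc/openvpn/ssl/certs
+new_certs_dir = /etc/openvpn/ssl/ca/tmp
+database = $dir/index.txt
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crl = /etc/openvpn/ssl/crl.pem
+private_key = $dir/private.key
+RANDFILE = $dir/.rand
+default_days = 365
+default_crl_days= 365
+default_md = md5
+preserve = no
+policy = policy_match
+
+[ policy_match ]
+countryName = supplied
+stateOrProvinceName = supplied
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = supplied
+
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = FR
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province
+stateOrProvinceName_default = 13
+localityName = Locality Name (eg, city)
+localityName_default = Marseille
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Evolix
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_default = security@evolix.net
+emailAddress_max = 40
+
+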
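Review bot: `default_md = md5` in [CA_default] makes every certificate and CRL this CA signs an MD5 signature; MD5 is collision-broken for certificate signing and is refused by current TLS clients, and `default_bits = 1024` in [req] is likewise below today's RSA minimum. Change them to `default_md = sha256` and `default_bits = 2048` (the script's `genrsa ... 1024` and `-newkey rsa:1024` calls need the matching change). `crl = /etc/openvpn/ssl/crl.pem` is set here, but the companion script's `crl()` writes `-out crl.pem` into the current directory, so the configured CRL path is never populated; either point `-out` at this path or document where the CRL is expected to land.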
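--- a/shellpki.sh
+++ b/shellpki.sh
@@ -0,0 +1,196 @@
+#!/bin/sh
+
+PREFIX=/etc/openvpn/ssl
+CONFFILE=$PREFIX/openssl.cnf
+OPENSSL=`which openssl`
+TIMESTAMP=$(/bin/date +"%s")
+WWWDIR=/var/www/htdocs/vpn/ssl
+
+
+if [ "`id -u`" != "0" ]; then
+echo "Please become root before running shellpki!"
+echo
+echo "Press return to continue..."
+read
+exit 1
+fi
+
+init() {
+echo "Do you confirm shellpki initialization?"
+echo
+echo "Press return to continue..."
+read
+echo
+
+if [ ! -d $PREFIX/ca ]; then mkdir -p $PREFIX/ca; fi
+if [ ! -d $PREFIX/ca/tmp ]; then mkdir -p $PREFIX/ca/tmp; fi
+if [ ! -d $PREFIX/certs ]; then mkdir -p $PREFIX/certs; fi
+if [ ! -d $PREFIX/files ]; then mkdir -p $PREFIX/files; fi
+if [ ! -f $PREFIX/ca/index.txt ]; then touch $PREFIX/ca/index.txt; fi
+if [ ! -f $PREFIX/files/ca/serial ]; then echo 01 > $PREFIX/ca/serial; fi
+
+$OPENSSL dhparam -out $PREFIX/ca/dh1024.pem 1024
+$OPENSSL genrsa -out $PREFIX/ca/private.key 1024
+
+$OPENSSL req \
+-config $CONFFILE \
+-new -x509 -days 3650 \
+-keyout $PREFIX/ca/private.key \
+-out $PREFIX/ca/cacert.pem
+
+}
+
+create() {
+echo "Please enter your CN (Common Name)"
+read cn
+echo
+echo "Your CN is '$cn'"
+echo "Press return to continue..."
+read
+echo
+
+if [ -e $PREFIX/certs/$cn.crt ]; then
+echo "Please revoke actual $cn cert before creating one"
+echo
+echo "Press return to continue..."
+read
+exit 1
+fi
+
+DIR=$PREFIX/files/$cn-$TIMESTAMP
+mkdir $DIR
+
+# generate private key
+$OPENSSL genrsa -out $DIR/$cn.key 1024
+
+# generate csr req
+$OPENSSL req \
+-new -days 1000 \
+-config $CONFFILE \
+-newkey rsa:1024 \
+-nodes \
+-keyout $DIR/$cn.key \
+-out $DIR/$cn.csr
+
+# ca sign and generate cert
+$OPENSSL ca \
+-config $CONFFILE \
+-in $DIR/$cn.csr \
+-out $DIR/$cn.crt
+
+# pem cert style
+cp $DIR/$cn.key $DIR/$cn.pem
+cat $DIR/$cn.crt >> $DIR/$cn.pem
+
+# copy to public certs dir
+echo
+echo "copy cert to public certs dir"
+echo
+cp -i $DIR/$cn.crt $PREFIX/certs/
+cp -i $DIR/$cn.{crt,key} $WWWDIR/
+chown -R root:www $WWWDIR
+chmod -R u=rwX,g=rwX,o= $WWWDIR
+echo
+
+}
+
+
+revoke() {
+echo "Please enter CN (Common Name) to revoke"
+read cn
+echo
+echo "CN '$cn' will be revoked"
+echo "Press return to continue..."
+read
+echo
+
+$OPENSSL ca \
+-config $CONFFILE \
+-revoke $PREFIX/certs/$cn.crt
+
+rm -i $PREFIX/certs/$cn.crt
+rm -i $WWWDIR/$cn.crt
+rm -i $WWWDIR/$cn.key
+
+}
+
+fromcsr() {
+echo "Please enter path for your CSR request file"
+read path
+echo
+
+if [ ! -e $path ]; then
+echo "Error in path..."
+echo
+echo "Press return to continue..."
+read
+exit 1
+fi
+
+echo "Please enter the CN (Common Name)"
+read cn
+echo
+echo "Your CN is '$cn'"
+echo "Press return to continue..."
+read
+echo
+
+DIR=$PREFIX/files/req_$cn-$TIMESTAMP
+mkdir $DIR
+
+cp $path $DIR
+
+# ca sign and generate cert
+$OPENSSL ca \
+-config $CONFFILE \
+-in $path \
+-out $DIR/$cn.crt
+
+# copy to public certs dir
+echo
+echo "copy cert to public certs dir"
+echo
+cp -i $DIR/$cn.crt $PREFIX/certs/
+echo
+
+}
+
+
+crl() {
+
+$OPENSSL ca -gencrl \
+-config $CONFFILE \
+-out crl.pem
+
+# TODO : a voir pour l'importation pdts Mozilla, Apple et Microsoft
+#openssl crl2pkcs7 -in crl.pem -certfile /etc/ssl/certs/cacert.pem -out p7.pem
+
+}
+
+case "$1" in
+init)
+init
+;;
+
+create)
+create
+;;
+
+fromcsr)
+fromcsr
+;;
+
+revoke)
+revoke
+;;
+
+crl)
+crl
+;;
+
+*)
+echo "Usage: shellpki.sh {init|create|fromcsr|revoke|crl}"
+exit 1
+;;
+esac
+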
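Review bot: In create(), revoke() and fromcsr() the CN comes straight from `read cn` and is spliced unquoted into filesystem paths (`$PREFIX/certs/$cn.crt`, `$PREFIX/files/$cn-$TIMESTAMP`, `rm -i $WWWDIR/$cn.crt`), so a CN containing whitespace, glob characters or `../` defeats the `[ -e ... ]` existence check or makes the mkdir/cp/rm operate outside $PREFIX; validate once after each read, e.g. `case "$cn" in ""|*[!A-Za-z0-9._-]*) echo "invalid CN" >&2; exit 1;; esac`, and double-quote every `$cn`, `$DIR` and `$path` expansion. In create(), the freshly generated client private key `$cn.key` is copied into `$WWWDIR` under /var/www alongside the certificate and left group-readable by `www`; if that tree is served, every issued key is downloadable, so either copy only the `.crt` there or add a comment stating why the key must be exposed and how access to it is restricted. `cp -i $DIR/$cn.{crt,key} $WWWDIR/` relies on brace expansion, which `#!/bin/sh` does not guarantee (under dash it copies a literal `{crt,key}` name and fails), and init() tests `$PREFIX/files/ca/serial` but writes `$PREFIX/ca/serial`, so the guard never matches and the serial is reset to 01 on every init run.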