initial import

2010-10-06 17:34:30 +02:00 · 2010-10-06 17:34:30 +02:00 · 0d497b10e2
commit 0d497b10e2
2 changed files with 246 additions and 0 deletions
--- a/openssl.cnf
+++ b/openssl.cnf
@ -0,0 +1,50 @@
+[ ca ]
+default_ca      = CA_default
+
+[ CA_default ]
+dir             = /etc/openvpn/ssl/ca
+certs           = /etc/openvpn/ssl/certs
+new_certs_dir   = /etc/openvpn/ssl/ca/tmp
+database        = $dir/index.txt
+certificate     = $dir/cacert.pem
+serial          = $dir/serial
+crl             = /etc/openvpn/ssl/crl.pem
+private_key     = $dir/private.key
+RANDFILE        = $dir/.rand
+default_days    = 365
+default_crl_days= 365
+default_md      = md5
+preserve        = no
+policy          = policy_match
+
+[ policy_match ]
+countryName             = supplied
+stateOrProvinceName     = supplied
+organizationName        = supplied
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = supplied
+
+[ req ]
+default_bits            = 1024
+distinguished_name      = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = FR
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = State or Province
+stateOrProvinceName_default     = 13
+localityName                    = Locality Name (eg, city)
+localityName_default            = Marseille
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = Evolix
+organizationalUnitName          = Organizational Unit Name (eg, section)
+commonName                      = Common Name (eg, your name or your server\'s hostname)
+commonName_max                  = 64
+emailAddress                    = Email Address
+emailAddress_default            = security@evolix.net
+emailAddress_max                = 40
+
+
--- a/shellpki.sh
+++ b/shellpki.sh
@ -0,0 +1,196 @@
+#!/bin/sh
+
+PREFIX=/etc/openvpn/ssl
+CONFFILE=$PREFIX/openssl.cnf
+OPENSSL=`which openssl`
+TIMESTAMP=$(/bin/date +"%s")
+WWWDIR=/var/www/htdocs/vpn/ssl
+
+
+if [ "`id -u`" != "0" ]; then
+    echo "Please become root before running shellpki!"
+    echo
+    echo "Press return to continue..."
+    read
+    exit 1
+fi
+
+init() {
+    echo "Do you confirm shellpki initialization?"
+    echo
+    echo "Press return to continue..."
+    read
+    echo
+
+    if [ ! -d $PREFIX/ca ]; then mkdir -p $PREFIX/ca; fi
+    if [ ! -d $PREFIX/ca/tmp ]; then mkdir -p $PREFIX/ca/tmp; fi
+    if [ ! -d $PREFIX/certs ]; then mkdir -p $PREFIX/certs; fi
+    if [ ! -d $PREFIX/files ]; then mkdir -p $PREFIX/files; fi
+    if [ ! -f $PREFIX/ca/index.txt ]; then touch $PREFIX/ca/index.txt; fi
+    if [ ! -f $PREFIX/files/ca/serial ]; then echo 01 > $PREFIX/ca/serial; fi
+
+$OPENSSL dhparam -out $PREFIX/ca/dh1024.pem 1024
+$OPENSSL genrsa  -out $PREFIX/ca/private.key 1024
+
+$OPENSSL req            	    \
+    -config $CONFFILE		    \
+    -new -x509 -days 3650      	    \
+    -keyout $PREFIX/ca/private.key  \
+    -out $PREFIX/ca/cacert.pem
+
+}
+
+create() {
+    echo "Please enter your CN (Common Name)"
+    read cn
+    echo
+    echo "Your CN is '$cn'"
+    echo "Press return to continue..."
+    read
+    echo
+
+    if [ -e $PREFIX/certs/$cn.crt ]; then
+        echo "Please revoke actual $cn cert before creating one"
+	echo
+	echo "Press return to continue..."
+	read
+	exit 1
+    fi
+
+    DIR=$PREFIX/files/$cn-$TIMESTAMP
+    mkdir $DIR
+
+# generate private key
+$OPENSSL genrsa -out $DIR/$cn.key 1024
+
+# generate csr req
+$OPENSSL req 		\
+    -new -days 1000 	\
+    -config $CONFFILE 	\
+    -newkey rsa:1024 	\
+    -nodes 		\
+    -keyout $DIR/$cn.key \
+    -out $DIR/$cn.csr
+
+# ca sign and generate cert
+$OPENSSL ca 		\
+    -config $CONFFILE 	\
+    -in $DIR/$cn.csr 	\
+    -out $DIR/$cn.crt
+
+# pem cert style 
+cp $DIR/$cn.key $DIR/$cn.pem
+cat $DIR/$cn.crt >> $DIR/$cn.pem
+
+# copy to public certs dir
+echo
+echo "copy cert to public certs dir"
+echo
+cp -i $DIR/$cn.crt $PREFIX/certs/
+cp -i $DIR/$cn.{crt,key} $WWWDIR/
+chown -R root:www $WWWDIR
+chmod -R u=rwX,g=rwX,o= $WWWDIR
+echo
+
+}
+
+
+revoke() {
+    echo "Please enter CN (Common Name) to revoke"
+    read cn
+    echo
+    echo "CN '$cn' will be revoked"
+    echo "Press return to continue..."
+    read
+    echo
+
+$OPENSSL ca \
+    -config $CONFFILE \
+    -revoke $PREFIX/certs/$cn.crt	
+
+rm -i $PREFIX/certs/$cn.crt
+rm -i $WWWDIR/$cn.crt
+rm -i $WWWDIR/$cn.key
+
+}
+
+fromcsr() {
+    echo "Please enter path for your CSR request file"
+    read path
+    echo
+
+    if [ ! -e $path ]; then
+        echo "Error in path..."
+	echo
+	echo "Press return to continue..."
+	read
+	exit 1
+    fi
+
+    echo "Please enter the CN (Common Name)"
+    read cn
+    echo
+    echo "Your CN is '$cn'"
+    echo "Press return to continue..."
+    read
+    echo
+
+    DIR=$PREFIX/files/req_$cn-$TIMESTAMP
+    mkdir $DIR
+
+    cp $path $DIR
+
+# ca sign and generate cert
+$OPENSSL ca 		\
+    -config $CONFFILE 	\
+    -in $path 	\
+    -out $DIR/$cn.crt
+
+# copy to public certs dir
+echo
+echo "copy cert to public certs dir"
+echo
+cp -i $DIR/$cn.crt $PREFIX/certs/
+echo
+
+}
+
+
+crl() {
+    
+$OPENSSL ca -gencrl \
+    -config $CONFFILE \
+    -out crl.pem
+
+# TODO : a voir pour l'importation pdts Mozilla, Apple et Microsoft
+#openssl crl2pkcs7 -in crl.pem -certfile /etc/ssl/certs/cacert.pem -out p7.pem
+
+}
+
+case "$1" in
+    init)
+	init
+	;;
+
+    create)
+	create
+	;;
+
+    fromcsr)
+    	fromcsr
+	;;
+
+    revoke)
+    	revoke
+	;;
+	
+    crl)
+    	crl
+	;;
+
+    *)
+	echo "Usage: shellpki.sh {init|create|fromcsr|revoke|crl}"
+	exit 1
+	;;
+esac
+