From 0d497b10e27529cba8e023e0d49dee4067a6ccd4 Mon Sep 17 00:00:00 2001
From: Thomas Martin
Date: Wed, 6 Oct 2010 17:34:30 +0200
Subject: [PATCH] initial import
---
openssl.cnf | 50 ++++++++++++++
shellpki.sh | 196 ++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 246 insertions(+)
create mode 100644 openssl.cnf
create mode 100755 shellpki.sh
diff --git a/openssl.cnf b/openssl.cnf
new file mode 100644
index 0000000..d0df2b6
--- /dev/null
+++ b/openssl.cnf
@@ -0,0 +1,50 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = /etc/openvpn/ssl/ca
+certs = /etc/openvpn/ssl/certs
+new_certs_dir = /etc/openvpn/ssl/ca/tmp
+database = $dir/index.txt
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crl = /etc/openvpn/ssl/crl.pem
+private_key = $dir/private.key
+RANDFILE = $dir/.rand
+default_days = 365
+default_crl_days= 365
+default_md = md5
+preserve = no
+policy = policy_match
+
+[ policy_match ]
+countryName = supplied
+stateOrProvinceName = supplied
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = supplied
+
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = FR
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province
+stateOrProvinceName_default = 13
+localityName = Locality Name (eg, city)
+localityName_default = Marseille
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Evolix
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_default = security@evolix.net
+emailAddress_max = 40
+
+
diff --git a/shellpki.sh b/shellpki.sh
new file mode 100755
index 0000000..a4b8e34
--- /dev/null
+++ b/shellpki.sh
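Review bot: `default_md = md5` under [CA_default] makes every certificate and CRL this CA signs MD5-based; MD5 collisions against X.509 signatures were already practical when this was written, and recent OpenSSL releases refuse MD5-signed chains at their default security level, so this should read `default_md = sha256`. `default_bits = 1024` in [req] is the same problem for key size (the script's `genrsa ... 1024` and `-newkey rsa:1024` calls mirror it), and 2048 is the usual floor for RSA. The `crl` entry points at /etc/openvpn/ssl/crl.pem, outside `$dir`, so whatever consumes the CRL from that path only sees revocations if the CA script writes its CRL output there rather than to the working directory. `private_key = $dir/private.key` and `RANDFILE = $dir/.rand` live in the CA directory with nothing here restricting their mode, so the permissions set on that directory at initialization are the only thing protecting the CA key.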
@@ -0,0 +1,196 @@
+#!/bin/sh
+
+PREFIX=/etc/openvpn/ssl
+CONFFILE=$PREFIX/openssl.cnf
+OPENSSL=`which openssl`
+TIMESTAMP=$(/bin/date +"%s")
+WWWDIR=/var/www/htdocs/vpn/ssl
+
+
+if [ "`id -u`" != "0" ]; then
+ echo "Please become root before running shellpki!"
+ echo
+ echo "Press return to continue..."
+ read
+ exit 1
+fi
+
+init() {
+ echo "Do you confirm shellpki initialization?"
+ echo
+ echo "Press return to continue..."
+ read
+ echo
+
+ if [ ! -d $PREFIX/ca ]; then mkdir -p $PREFIX/ca; fi
+ if [ ! -d $PREFIX/ca/tmp ]; then mkdir -p $PREFIX/ca/tmp; fi
+ if [ ! -d $PREFIX/certs ]; then mkdir -p $PREFIX/certs; fi
+ if [ ! -d $PREFIX/files ]; then mkdir -p $PREFIX/files; fi
+ if [ ! -f $PREFIX/ca/index.txt ]; then touch $PREFIX/ca/index.txt; fi
+ if [ ! -f $PREFIX/files/ca/serial ]; then echo 01 > $PREFIX/ca/serial; fi
+
+$OPENSSL dhparam -out $PREFIX/ca/dh1024.pem 1024
+$OPENSSL genrsa -out $PREFIX/ca/private.key 1024
+
+$OPENSSL req \
+ -config $CONFFILE \
+ -new -x509 -days 3650 \
+ -keyout $PREFIX/ca/private.key \
+ -out $PREFIX/ca/cacert.pem
+
+}
+
+create() {
+ echo "Please enter your CN (Common Name)"
+ read cn
+ echo
+ echo "Your CN is '$cn'"
+ echo "Press return to continue..."
+ read
+ echo
+
+ if [ -e $PREFIX/certs/$cn.crt ]; then
+ echo "Please revoke actual $cn cert before creating one"
+ echo
+ echo "Press return to continue..."
+ read
+ exit 1
+ fi
+
+ DIR=$PREFIX/files/$cn-$TIMESTAMP
+ mkdir $DIR
+
+# generate private key
+$OPENSSL genrsa -out $DIR/$cn.key 1024
+
+# generate csr req
+$OPENSSL req \
+ -new -days 1000 \
+ -config $CONFFILE \
+ -newkey rsa:1024 \
+ -nodes \
+ -keyout $DIR/$cn.key \
+ -out $DIR/$cn.csr
+
+# ca sign and generate cert
+$OPENSSL ca \
+ -config $CONFFILE \
+ -in $DIR/$cn.csr \
+ -out $DIR/$cn.crt
+
+# pem cert style
+cp $DIR/$cn.key $DIR/$cn.pem
+cat $DIR/$cn.crt >> $DIR/$cn.pem
+
+# copy to public certs dir
+echo
+echo "copy cert to public certs dir"
+echo
+cp -i $DIR/$cn.crt $PREFIX/certs/
+cp -i $DIR/$cn.{crt,key} $WWWDIR/
+chown -R root:www $WWWDIR
+chmod -R u=rwX,g=rwX,o= $WWWDIR
+echo
+
+}
+
+
+revoke() {
+ echo "Please enter CN (Common Name) to revoke"
+ read cn
+ echo
+ echo "CN '$cn' will be revoked"
+ echo "Press return to continue..."
+ read
+ echo
+
+$OPENSSL ca \
+ -config $CONFFILE \
+ -revoke $PREFIX/certs/$cn.crt
+
+rm -i $PREFIX/certs/$cn.crt
+rm -i $WWWDIR/$cn.crt
+rm -i $WWWDIR/$cn.key
+
+}
+
+fromcsr() {
+ echo "Please enter path for your CSR request file"
+ read path
+ echo
+
+ if [ ! -e $path ]; then
+ echo "Error in path..."
+ echo
+ echo "Press return to continue..."
+ read
+ exit 1
+ fi
+
+ echo "Please enter the CN (Common Name)"
+ read cn
+ echo
+ echo "Your CN is '$cn'"
+ echo "Press return to continue..."
+ read
+ echo
+
+ DIR=$PREFIX/files/req_$cn-$TIMESTAMP
+ mkdir $DIR
+
+ cp $path $DIR
+
+# ca sign and generate cert
+$OPENSSL ca \
+ -config $CONFFILE \
+ -in $path \
+ -out $DIR/$cn.crt
+
+# copy to public certs dir
+echo
+echo "copy cert to public certs dir"
+echo
+cp -i $DIR/$cn.crt $PREFIX/certs/
+echo
+
+}
+
+
+crl() {
+
+$OPENSSL ca -gencrl \
+ -config $CONFFILE \
+ -out crl.pem
+
+# TODO : a voir pour l'importation pdts Mozilla, Apple et Microsoft
+#openssl crl2pkcs7 -in crl.pem -certfile /etc/ssl/certs/cacert.pem -out p7.pem
+
+}
+
+case "$1" in
+ init)
+ init
+ ;;
+
+ create)
+ create
+ ;;
+
+ fromcsr)
+ fromcsr
+ ;;
+
+ revoke)
+ revoke
+ ;;
+
+ crl)
+ crl
+ ;;
+
+ *)
+ echo "Usage: shellpki.sh {init|create|fromcsr|revoke|crl}"
+ exit 1
+ ;;
+esac
+
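Review bot: `cp -i $DIR/$cn.{crt,key} $WWWDIR/` in create() relies on brace expansion, which the `#!/bin/sh` shebang does not guarantee (dash, for one, leaves the pattern literal), so on such a system the copy to the web directory fails with a "no such file" error; spell both files out: `cp -i $DIR/$cn.crt $DIR/$cn.key $WWWDIR/`. Two path mismatches in the same hunk: init() tests `$PREFIX/files/ca/serial` but writes `$PREFIX/ca/serial`, so a repeated init silently resets the serial to 01 and later certificates can reuse serial numbers (the test should be `if [ ! -f $PREFIX/ca/serial ]`), and crl() writes `-out crl.pem` into whatever the current directory is while openssl.cnf declares `crl = /etc/openvpn/ssl/crl.pem`, so the CRL at the configured path is never refreshed (`-out $PREFIX/crl.pem`). The CN taken by `read cn` is used unquoted and unvalidated to build paths under $PREFIX and $WWWDIR in create(), revoke() and fromcsr(); quoting every expansion and rejecting an empty CN or one containing `/` or whitespace would keep a mistyped name from creating or deleting files outside the intended directories. revoke() marks the certificate revoked in the CA database and deletes the files but never regenerates the CRL, so the revocation has no effect on peers until `crl` is run separately; either call crl at the end of revoke() or say so in a comment above the function. Note also that create() copies the client's private key into $WWWDIR with group read for www, so the web server's access rules on that directory are what decides who can fetch that key.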