Extract variables for files
parent
7506003f53
commit
165c96ca55
|
@ -21,6 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
* verify_ca_password() looks for a previously set password and verifies it
|
* verify_ca_password() looks for a previously set password and verifies it
|
||||||
* Extract cert_end_date() function
|
* Extract cert_end_date() function
|
||||||
* Extract is_user() and is_group() functions
|
* Extract is_user() and is_group() functions
|
||||||
|
* Extract variables for files
|
||||||
|
|
||||||
### Deprecated
|
### Deprecated
|
||||||
|
|
||||||
|
|
91
shellpki
91
shellpki
|
@ -98,6 +98,7 @@ ocsp() {
|
||||||
show_usage >&2
|
show_usage >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
ocsp_csr_file="${CSR_DIR}/ocsp.csr"
|
||||||
|
|
||||||
url=$(echo "${ocsp_uri}" | cut -d':' -f1)
|
url=$(echo "${ocsp_uri}" | cut -d':' -f1)
|
||||||
port=$(echo "${ocsp_uri}" | cut -d':' -f2)
|
port=$(echo "${ocsp_uri}" | cut -d':' -f2)
|
||||||
|
@ -113,7 +114,7 @@ ocsp() {
|
||||||
-batch \
|
-batch \
|
||||||
-new \
|
-new \
|
||||||
-key "${OCSP_KEY}" \
|
-key "${OCSP_KEY}" \
|
||||||
-out "${CSR_DIR}/ocsp.csr" \
|
-out "${ocsp_csr_file}" \
|
||||||
-config /dev/stdin <<EOF
|
-config /dev/stdin <<EOF
|
||||||
$(cat "${CONF_FILE}")
|
$(cat "${CONF_FILE}")
|
||||||
commonName_default = ${url}
|
commonName_default = ${url}
|
||||||
|
@ -128,7 +129,7 @@ EOF
|
||||||
if [ ! -f "${OCSP_CERT}" ]; then
|
if [ ! -f "${OCSP_CERT}" ]; then
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
||||||
-extensions v3_ocsp \
|
-extensions v3_ocsp \
|
||||||
-in "${CSR_DIR}/ocsp.csr" \
|
-in "${ocsp_csr_file}" \
|
||||||
-out "${OCSP_CERT}" \
|
-out "${OCSP_CERT}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-config "${CONF_FILE}"
|
-config "${CONF_FILE}"
|
||||||
|
@ -357,6 +358,8 @@ create() {
|
||||||
warning "Warning: --password-file is ignored with -f|--file|--crt-file"
|
warning "Warning: --password-file is ignored with -f|--file|--crt-file"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
crt_file="${CRT_DIR}/${cn}.crt"
|
||||||
|
|
||||||
# ask for CA passphrase
|
# ask for CA passphrase
|
||||||
ask_ca_password 0
|
ask_ca_password 0
|
||||||
|
|
||||||
|
@ -401,18 +404,23 @@ create() {
|
||||||
-config "${CONF_FILE}" \
|
-config "${CONF_FILE}" \
|
||||||
-in "${csr_file}" \
|
-in "${csr_file}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-out "${CRT_DIR}/${cn}.crt" \
|
-out "${crt_file}" \
|
||||||
${crt_expiration_arg}
|
${crt_expiration_arg}
|
||||||
|
|
||||||
echo "The CRT file is available in ${CRT_DIR}/${cn}.crt"
|
echo "The CRT file is available in ${crt_file}"
|
||||||
else
|
else
|
||||||
if [ -z "${cn}" ]; then
|
if [ -z "${cn}" ]; then
|
||||||
show_usage >&2
|
show_usage >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
csr_file="${CSR_DIR}/${cn}-${SUFFIX}.csr"
|
||||||
|
crt_file="${CRT_DIR}/${cn}.crt"
|
||||||
|
key_file="${KEY_DIR}/${cn}-${SUFFIX}.key"
|
||||||
|
ovpn_file="${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
|
||||||
|
pkcs12_file="${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
|
||||||
|
|
||||||
# check if CN already exist
|
# check if CN already exist
|
||||||
if [ -f "${CRT_DIR}/${cn}.crt" ]; then
|
if [ -f "${crt_file}" ]; then
|
||||||
printf "%s already exists, do you revoke and recreate it ? [y/N] " "${cn}"
|
printf "%s already exists, do you revoke and recreate it ? [y/N] " "${cn}"
|
||||||
read -r REPLY
|
read -r REPLY
|
||||||
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
||||||
|
@ -449,12 +457,12 @@ create() {
|
||||||
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" genrsa \
|
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" genrsa \
|
||||||
-aes256 \
|
-aes256 \
|
||||||
-passout env:PASSWORD \
|
-passout env:PASSWORD \
|
||||||
-out "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
-out "${key_file}" \
|
||||||
${KEY_LENGTH} \
|
${KEY_LENGTH} \
|
||||||
>/dev/null 2>&1
|
>/dev/null 2>&1
|
||||||
else
|
else
|
||||||
"${OPENSSL_BIN}" genrsa \
|
"${OPENSSL_BIN}" genrsa \
|
||||||
-out "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
-out "${key_file}" \
|
||||||
${KEY_LENGTH} \
|
${KEY_LENGTH} \
|
||||||
>/dev/null 2>&1
|
>/dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
|
@ -464,9 +472,9 @@ create() {
|
||||||
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" req \
|
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" req \
|
||||||
-batch \
|
-batch \
|
||||||
-new \
|
-new \
|
||||||
-key "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
-key "${key_file}" \
|
||||||
-passin env:PASSWORD \
|
-passin env:PASSWORD \
|
||||||
-out "${CSR_DIR}/${cn}-${SUFFIX}.csr" \
|
-out "${csr_file}" \
|
||||||
-config /dev/stdin <<EOF
|
-config /dev/stdin <<EOF
|
||||||
$(cat "${CONF_FILE}")
|
$(cat "${CONF_FILE}")
|
||||||
commonName_default = ${cn}
|
commonName_default = ${cn}
|
||||||
|
@ -476,8 +484,8 @@ EOF
|
||||||
"${OPENSSL_BIN}" req \
|
"${OPENSSL_BIN}" req \
|
||||||
-batch \
|
-batch \
|
||||||
-new \
|
-new \
|
||||||
-key "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
-key "${key_file}" \
|
||||||
-out "${CSR_DIR}/${cn}-${SUFFIX}.csr" \
|
-out "${csr_file}" \
|
||||||
-config /dev/stdin <<EOF
|
-config /dev/stdin <<EOF
|
||||||
$(cat "${CONF_FILE}")
|
$(cat "${CONF_FILE}")
|
||||||
commonName_default = ${cn}
|
commonName_default = ${cn}
|
||||||
|
@ -488,27 +496,26 @@ EOF
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
||||||
-config "${CONF_FILE}" \
|
-config "${CONF_FILE}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-in "${CSR_DIR}/${cn}-${SUFFIX}.csr" \
|
-in "${csr_file}" \
|
||||||
-out "${CRT_DIR}/${cn}.crt" \
|
-out "${crt_file}" \
|
||||||
${crt_expiration_arg}
|
${crt_expiration_arg}
|
||||||
|
|
||||||
# check if CRT is a valid
|
# check if CRT is a valid
|
||||||
"${OPENSSL_BIN}" x509 \
|
"${OPENSSL_BIN}" x509 \
|
||||||
-noout \
|
-noout \
|
||||||
-subject \
|
-subject \
|
||||||
-in "${CRT_DIR}/${cn}.crt" \
|
-in "${crt_file}" \
|
||||||
>/dev/null 2>&1
|
>/dev/null 2>&1
|
||||||
if [ "$?" -ne 0 ]; then
|
if [ "$?" -ne 0 ]; then
|
||||||
rm -f "${CRT_DIR}/${cn}.crt"
|
rm -f "${crt_file}"
|
||||||
fi
|
fi
|
||||||
|
if [ ! -f "${crt_file}" ]; then
|
||||||
if [ ! -f "${CRT_DIR}/${cn}.crt" ]; then
|
|
||||||
error "Error in CSR creation"
|
error "Error in CSR creation"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chmod 640 "${CRT_DIR}/${cn}.crt"
|
chmod 640 "${crt_file}"
|
||||||
|
|
||||||
echo "The CRT file is available in ${CRT_DIR}/${cn}.crt"
|
echo "The CRT file is available in ${crt_file}"
|
||||||
|
|
||||||
# generate pkcs12 format
|
# generate pkcs12 format
|
||||||
if [ -n "${PASSWORD}" ]; then
|
if [ -n "${PASSWORD}" ]; then
|
||||||
|
@ -517,39 +524,39 @@ EOF
|
||||||
-nodes \
|
-nodes \
|
||||||
-passin env:PASSWORD \
|
-passin env:PASSWORD \
|
||||||
-passout env:PASSWORD \
|
-passout env:PASSWORD \
|
||||||
-inkey "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
-inkey "${key_file}" \
|
||||||
-in "${CRT_DIR}/${cn}.crt" \
|
-in "${crt_file}" \
|
||||||
-out "${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
|
-out "${pkcs12_file}"
|
||||||
else
|
else
|
||||||
"${OPENSSL_BIN}" pkcs12 \
|
"${OPENSSL_BIN}" pkcs12 \
|
||||||
-export \
|
-export \
|
||||||
-nodes \
|
-nodes \
|
||||||
-passout pass: \
|
-passout pass: \
|
||||||
-inkey "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
-inkey "${key_file}" \
|
||||||
-in "${CRT_DIR}/${cn}.crt" \
|
-in "${crt_file}" \
|
||||||
-out "${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
|
-out "${pkcs12_file}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chmod 640 "${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
|
chmod 640 "${pkcs12_file}"
|
||||||
echo "The PKCS12 config file is available in ${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
|
echo "The PKCS12 config file is available in ${pkcs12_file}"
|
||||||
|
|
||||||
# generate openvpn format
|
# generate openvpn format
|
||||||
if [ -e "${CA_DIR}/ovpn.conf" ]; then
|
if [ -e "${CA_DIR}/ovpn.conf" ]; then
|
||||||
cat "${CA_DIR}/ovpn.conf" - > "${OVPN_DIR}/${cn}-${SUFFIX}.ovpn" <<EOF
|
cat "${CA_DIR}/ovpn.conf" - > "${ovpn_file}" <<EOF
|
||||||
<ca>
|
<ca>
|
||||||
$(cat "${CA_CERT}")
|
$(cat "${CA_CERT}")
|
||||||
</ca>
|
</ca>
|
||||||
|
|
||||||
<cert>
|
<cert>
|
||||||
$(cat "${CRT_DIR}/${cn}.crt")
|
$(cat "${crt_file}")
|
||||||
</cert>
|
</cert>
|
||||||
|
|
||||||
<key>
|
<key>
|
||||||
$(cat "${KEY_DIR}/${cn}-${SUFFIX}.key")
|
$(cat "${key_file}")
|
||||||
</key>
|
</key>
|
||||||
EOF
|
EOF
|
||||||
chmod 640 "${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
|
chmod 640 "${ovpn_file}"
|
||||||
echo "The OpenVPN config file is available in ${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
|
echo "The OpenVPN config file is available in ${ovpn_file}"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -559,39 +566,43 @@ revoke() {
|
||||||
show_usage >&2
|
show_usage >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
crt_file="${CRT_DIR}/${cn}.crt"
|
||||||
|
|
||||||
# get CN from param
|
# get CN from param
|
||||||
cn="${1}"
|
cn="${1}"
|
||||||
|
|
||||||
# check if CRT exists
|
# check if CRT exists
|
||||||
if [ ! -f "${CRT_DIR}/${cn}.crt" ]; then
|
if [ ! -f "${crt_file}" ]; then
|
||||||
error "Unknow CN : ${cn}"
|
error "Unknow CN : ${cn} (\`${crt_file}' not found)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# check if CRT is a valid
|
# check if CRT is a valid
|
||||||
"${OPENSSL_BIN}" x509 \
|
"${OPENSSL_BIN}" x509 \
|
||||||
-noout \
|
-noout \
|
||||||
-subject \
|
-subject \
|
||||||
-in "${CRT_DIR}/${cn}.crt" \
|
-in "${crt_file}" \
|
||||||
>/dev/null 2>&1
|
>/dev/null 2>&1
|
||||||
if [ "$?" -ne 0 ]; then
|
if [ "$?" -ne 0 ]; then
|
||||||
error "${CRT_DIR}/${cn}.crt is not a valid CRT, you must delete it !"
|
error "${crt_file} is not a valid CRT, you must delete it !"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# ask for CA passphrase
|
# ask for CA passphrase
|
||||||
ask_ca_password 0
|
ask_ca_password 0
|
||||||
|
|
||||||
echo "Revoke certificate ${CRT_DIR}/${cn}.crt :"
|
echo "Revoke certificate ${crt_file} :"
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
||||||
-config "${CONF_FILE}" \
|
-config "${CONF_FILE}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-revoke "${CRT_DIR}/${cn}.crt" \
|
-revoke "${crt_file}"
|
||||||
&& rm "${CRT_DIR}/${cn}.crt"
|
if [ "$?" -eq 0 ]; then
|
||||||
|
rm "${crt_file}"
|
||||||
|
fi
|
||||||
|
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
||||||
-config "${CONF_FILE}" \
|
-config "${CONF_FILE}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-gencrl -out "${CRL}"
|
-gencrl \
|
||||||
|
-out "${CRL}"
|
||||||
}
|
}
|
||||||
|
|
||||||
list() {
|
list() {
|
||||||
|
|
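Review bot: In revoke(), the new `crt_file="${CRT_DIR}/${cn}.crt"` is assigned before `cn="${1}"` is set two rows later, so the path is built from whatever `cn` held when the function was entered (probably empty, yielding `${CRT_DIR}/.crt`), and the existence check, the x509 validity check, the `-revoke` argument and the `rm` all use that wrong path. Move the assignment below the `# get CN from param` line, i.e. `cn="${1}"` followed by `crt_file="${CRT_DIR}/${cn}.crt"`. Since this commit makes the per-CN paths single points of construction, it would also be the natural place to reject a `cn` containing `/` or `..` before it is interpolated under `${CRT_DIR}`, `${KEY_DIR}`, `${CSR_DIR}`, `${OVPN_DIR}` and `${PKCS12_DIR}`, unless that validation already happens earlier in argument parsing outside these hunks. revoke()'s body begins before the hunk.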