Retrieve vars from openssl.cnf file
This commit is contained in:
parent
8a4b52d1b5
commit
690c436dd6
2 changed files with 70 additions and 58 deletions
|
@ -2,14 +2,14 @@
|
|||
default_ca = CA_default
|
||||
|
||||
[ CA_default ]
|
||||
dir = /etc/shellpki/ca
|
||||
dir = /etc/shellpki
|
||||
certs = $dir/certs
|
||||
new_certs_dir = $dir/tmp
|
||||
database = $dir/index.txt
|
||||
certificate = $dir/cacert.pem
|
||||
serial = $dir/serial
|
||||
crl = $dir/crl.pem
|
||||
private_key = $dir/private.key
|
||||
private_key = $dir/cakey.key
|
||||
RANDFILE = $dir/.rand
|
||||
default_days = 365
|
||||
default_crl_days= 365
|
||||
|
|
124
shellpki.sh
124
shellpki.sh
|
@ -8,25 +8,24 @@ set -eu
|
|||
init() {
|
||||
umask 0177
|
||||
|
||||
if [ -f "${CADIR}/private.key" ]; then
|
||||
echo "${CADIR}/private.key already exists, do you really want to erase it ?\n"
|
||||
if [ -f "${CAKEY}" ]; then
|
||||
echo "${CAKEY} already exists, do you really want to erase it ?\n"
|
||||
echo "Press return to continue..."
|
||||
read -r REPLY
|
||||
fi
|
||||
|
||||
[ -d "${CADIR}" ] || mkdir -pm 0700 "${CADIR}"
|
||||
[ -d "${CADIR}/certs" ] || mkdir -m 0777 "${CADIR}/certs"
|
||||
[ -d "${CADIR}/tmp" ] || mkdir -m 0700 "${CADIR}/tmp"
|
||||
[ -f "${CADIR}/index.txt" ] || touch "${CADIR}/index.txt"
|
||||
[ -f "${CADIR}/serial" ] || echo "01" > "${CADIR}/serial"
|
||||
[ -d "${CADIR}" ] || mkdir -m 0750 "${CADIR}"
|
||||
[ -d "${CRTDIR}" ] || mkdir -m 0750 "${CRTDIR}"
|
||||
[ -f "${INDEX}" ] || touch "${INDEX}"
|
||||
[ -f "${SERIAL}" ] || echo "01" > "${SERIAL}"
|
||||
|
||||
"${OPENSSL}" req \
|
||||
-config "${CONFFILE}" \
|
||||
-newkey rsa:4096 -sha512 \
|
||||
-x509 -days 3650 \
|
||||
-extensions v3_ca \
|
||||
-keyout "${CADIR}/private.key" \
|
||||
-out "${CADIR}/cacert.pem"
|
||||
-keyout "${CAKEY}" \
|
||||
-out "${CACERT}"
|
||||
}
|
||||
|
||||
usage() {
|
||||
|
@ -67,7 +66,7 @@ warning() {
|
|||
}
|
||||
|
||||
ask_ca_password() {
|
||||
[ ! -f "${CADIR}/private.key" ] && error "You must initialize your's PKI with shellpki init !"
|
||||
[ ! -f "${CAKEY}" ] && error "You must initialize your's PKI with shellpki init !"
|
||||
attempt=$((${1} + 1))
|
||||
[ "${attempt}" -gt 1 ] && warning "Invalid password, retry."
|
||||
trap 'unset CA_PASSWORD' 0
|
||||
|
@ -78,7 +77,7 @@ ask_ca_password() {
|
|||
printf "\n"
|
||||
[ "${CA_PASSWORD}" != "" ] || ask_ca_password "${attempt}"
|
||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" rsa \
|
||||
-in "${CADIR}/private.key" \
|
||||
-in "${CAKEY}" \
|
||||
-passin env:CA_PASSWORD \
|
||||
>/dev/null 2>&1 \
|
||||
|| ask_ca_password "${attempt}"
|
||||
|
@ -132,19 +131,21 @@ create() {
|
|||
cn=$("${OPENSSL}" req -noout -subject -in "${csr_file}"|grep -Eo "CN\s*=[^,/]*"|cut -d'=' -f2|xargs)
|
||||
|
||||
# check if CN already exist
|
||||
[ -f "${CADIR}/certs/${cn}.crt" ] && error "${cn} already used !"
|
||||
[ -f "${CRTDIR}/${cn}.crt" ] && error "${cn} already used !"
|
||||
|
||||
# ca sign and generate cert
|
||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \
|
||||
-config "${CONFFILE}" \
|
||||
-in "${csr_file}" \
|
||||
-passin env:CA_PASSWORD \
|
||||
-out "${CADIR}/certs/${cn}.crt"
|
||||
-out "${CRTDIR}/${cn}.crt"
|
||||
|
||||
echo "The CRT file is available in ${CRTDIR}/${cn}.crt"
|
||||
else
|
||||
[ -z "${cn}" ] && usage >&2 && exit 1
|
||||
|
||||
# check if CN already exist
|
||||
[ -f "${CADIR}/certs/${cn}.crt" ] && error "${cn} already used !"
|
||||
[ -f "${CRTDIR}/${cn}.crt" ] && error "${cn} already used !"
|
||||
|
||||
# ask for client key passphrase
|
||||
if [ "${with_pass}" -eq 0 ]; then
|
||||
|
@ -199,43 +200,48 @@ EOF
|
|||
-config "${CONFFILE}" \
|
||||
-passin env:CA_PASSWORD \
|
||||
-in "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \
|
||||
-out "${CADIR}/certs/${cn}.crt"
|
||||
-out "${CRTDIR}/${cn}.crt"
|
||||
|
||||
# check if CRT is a valid
|
||||
"${OPENSSL}" x509 \
|
||||
-noout -subject \
|
||||
-in "${CADIR}/certs/${cn}.crt" \
|
||||
-in "${CRTDIR}/${cn}.crt" \
|
||||
>/dev/null 2>&1 \
|
||||
|| rm -f "${CADIR}/certs/${cn}.crt"
|
||||
|| rm -f "${CRTDIR}/${cn}.crt"
|
||||
|
||||
[ -f "${CADIR}/certs/${cn}.crt" ] || error "Error in CSR creation"
|
||||
[ -f "${CRTDIR}/${cn}.crt" ] || error "Error in CSR creation"
|
||||
|
||||
# generate pem format
|
||||
cat "${CADIR}/certs/${cn}.crt" "${CADIR}/cacert.pem" "${KEYDIR}/${cn}-${TIMESTAMP}.key" >> "${PEMDIR}/${cn}-${TIMESTAMP}.pem"
|
||||
chmod 640 "${CRTDIR}/${cn}.crt"
|
||||
|
||||
echo "The CRT file is available in ${CRTDIR}/${cn}.crt"
|
||||
|
||||
# generate pkcs12 format
|
||||
if [ "${with_pass}" -eq 0 ]; then
|
||||
PASSWORD="${PASSWORD}" "${OPENSSL}" pkcs12 -export -nodes -passin env:PASSWORD -passout env:PASSWORD -inkey "${KEYDIR}/${cn}-${TIMESTAMP}.key" -in "${CADIR}/certs/${cn}.crt" -out "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
||||
PASSWORD="${PASSWORD}" "${OPENSSL}" pkcs12 -export -nodes -passin env:PASSWORD -passout env:PASSWORD -inkey "${KEYDIR}/${cn}-${TIMESTAMP}.key" -in "${CRTDIR}/${cn}.crt" -out "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
||||
else
|
||||
"${OPENSSL}" pkcs12 -export -nodes -passout pass: -inkey "${KEYDIR}/${cn}-${TIMESTAMP}.key" -in "${CADIR}/certs/${cn}.crt" -out "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
||||
"${OPENSSL}" pkcs12 -export -nodes -passout pass: -inkey "${KEYDIR}/${cn}-${TIMESTAMP}.key" -in "${CRTDIR}/${cn}.crt" -out "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
||||
fi
|
||||
|
||||
chmod 640 "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
||||
echo "The PKCS12 config file is available in ${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
||||
|
||||
# generate openvpn format
|
||||
if [ -e "${PREFIX}/ovpn.conf" ]; then
|
||||
cat "${PREFIX}/ovpn.conf" > "${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn" <<EOF
|
||||
if [ -e "${CADIR}/ovpn.conf" ]; then
|
||||
cat "${CADIR}/ovpn.conf" > "${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn" <<EOF
|
||||
<ca>
|
||||
$(cat "${CADIR}/cacert.pem")
|
||||
$(cat "${CACERT}")
|
||||
</ca>
|
||||
|
||||
<cert>
|
||||
$(cat "${CADIR}/certs/${cn}.crt")
|
||||
$(cat "${CRTDIR}/${cn}.crt")
|
||||
</cert>
|
||||
|
||||
<key>
|
||||
$(cat "${KEYDIR}/${cn}-${TIMESTAMP}.key")
|
||||
</key>
|
||||
EOF
|
||||
echo "The configuration file is available in ${OVPNDIR}/${cn}.ovpn"
|
||||
chmod 640 "${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn"
|
||||
echo "The OpenVPN config file is available in ${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -247,29 +253,29 @@ revoke() {
|
|||
cn="${1}"
|
||||
|
||||
# check if CRT exists
|
||||
[ ! -f "${CADIR}/certs/${cn}.crt" ] && error "Unknow CN : ${cn}"
|
||||
[ ! -f "${CRTDIR}/${cn}.crt" ] && error "Unknow CN : ${cn}"
|
||||
|
||||
# check if CRT is a valid
|
||||
"${OPENSSL}" x509 -noout -subject -in "${CADIR}/certs/${cn}.crt" >/dev/null 2>&1 || error "${CADIR}/certs/${cn}.crt is not a valid CRT, you msust delete it !"
|
||||
"${OPENSSL}" x509 -noout -subject -in "${CRTDIR}/${cn}.crt" >/dev/null 2>&1 || error "${CRTDIR}/${cn}.crt is not a valid CRT, you msust delete it !"
|
||||
|
||||
# ask for CA passphrase
|
||||
ask_ca_password 0
|
||||
|
||||
echo "Revoke certificate ${CADIR}/certs/${cn}.crt :"
|
||||
echo "Revoke certificate ${CRTDIR}/${cn}.crt :"
|
||||
CA_PASSWORD="${CA_PASSWORD}" "$OPENSSL" ca \
|
||||
-config "${CONFFILE}" \
|
||||
-passin env:CA_PASSWORD \
|
||||
-revoke "${CADIR}/certs/${cn}.crt" \
|
||||
&& rm "${CADIR}/certs/${cn}.crt"
|
||||
-revoke "${CRTDIR}/${cn}.crt" \
|
||||
&& rm "${CRTDIR}/${cn}.crt"
|
||||
|
||||
CA_PASSWORD="${CA_PASSWORD}" "$OPENSSL" ca \
|
||||
-config "${CONFFILE}" \
|
||||
-passin env:CA_PASSWORD \
|
||||
-gencrl -out "${CADIR}/crl.pem"
|
||||
-gencrl -out "${CRL}"
|
||||
}
|
||||
|
||||
list() {
|
||||
[ -f /etc/shellpki/ca/index.txt ] || exit 0
|
||||
[ -f "${INDEX}" ] || exit 0
|
||||
|
||||
list_valid=0
|
||||
list_revoked=1
|
||||
|
@ -291,11 +297,11 @@ list() {
|
|||
esac
|
||||
done
|
||||
|
||||
[ "${list_valid}" -eq 0 ] && certs=$(grep "^V" "${CADIR}/index.txt")
|
||||
[ "${list_valid}" -eq 0 ] && certs=$(grep "^V" "${INDEX}")
|
||||
|
||||
[ "${list_revoked}" -eq 0 ] && certs=$(grep "^R" "${CADIR}/index.txt")
|
||||
[ "${list_revoked}" -eq 0 ] && certs=$(grep "^R" "${INDEX}")
|
||||
|
||||
[ "${list_valid}" -eq 0 ] && [ "${list_revoked}" -eq 0 ] && certs=$(cat "${CADIR}/index.txt")
|
||||
[ "${list_valid}" -eq 0 ] && [ "${list_revoked}" -eq 0 ] && certs=$(cat "${INDEX}")
|
||||
|
||||
echo "${certs}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs -n1
|
||||
}
|
||||
|
@ -303,19 +309,28 @@ list() {
|
|||
main() {
|
||||
[ "$(id -u)" -eq 0 ] || error "Please become root before running ${0} !"
|
||||
|
||||
# main vars
|
||||
PREFIX="/etc/shellpki"
|
||||
# default config
|
||||
# TODO : override with /etc/default/shellpki
|
||||
CONFFILE="/etc/shellpki/openssl.cnf"
|
||||
PKIUSER="shellpki"
|
||||
CONFFILE="${PREFIX}/openssl.cnf"
|
||||
|
||||
# retrieve CA path from config file
|
||||
CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1)
|
||||
CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
||||
CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
||||
CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
||||
INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
||||
SERIAL=$(grep -E "^serial" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
||||
CRL=$(grep -E "^crl" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
||||
|
||||
# directories for clients key, csr, crt
|
||||
KEYDIR="${CADIR}/private"
|
||||
CSRDIR="${CADIR}/requests"
|
||||
PKCS12DIR="${CADIR}/pkcs12"
|
||||
OVPNDIR="${CADIR}/openvpn"
|
||||
|
||||
OPENSSL=$(command -v openssl)
|
||||
TIMESTAMP=$(/bin/date +"%s")
|
||||
# directories for clients key, csr, crt
|
||||
KEYDIR="${PREFIX}/private"
|
||||
CSRDIR="${PREFIX}/requests"
|
||||
PEMDIR="${PREFIX}/pem"
|
||||
PKCS12DIR="${PREFIX}/pkcs12"
|
||||
OVPNDIR="${PREFIX}/openvpn"
|
||||
|
||||
if ! getent passwd "${PKIUSER}" >/dev/null || ! getent group "${PKIUSER}" >/dev/null; then
|
||||
error "You must create ${PKIUSER} user and group !"
|
||||
|
@ -323,16 +338,7 @@ main() {
|
|||
|
||||
[ -e "${CONFFILE}" ] || error "${CONFFILE} is missing"
|
||||
|
||||
# create needed dir
|
||||
[ -d "${PREFIX}" ] || mkdir -p "${PREFIX}"
|
||||
[ -d "${KEYDIR}" ] || mkdir -m 0750 "${KEYDIR}"
|
||||
[ -d "${CSRDIR}" ] || mkdir -m 0755 "${CSRDIR}"
|
||||
[ -d "${PEMDIR}" ] || mkdir -m 0750 "${PEMDIR}"
|
||||
[ -d "${PKCS12DIR}" ] || mkdir -m 0750 "${PKCS12DIR}"
|
||||
[ -d "${OVPNDIR}" ] || mkdir -m 0750 "${OVPNDIR}"
|
||||
|
||||
# fix right
|
||||
find "${PREFIX}" ! -path "${CADIR}" -exec chown "${PKIUSER}":"${PKIUSER}" {} \; -exec chmod u=rwX,g=rX,o= {} \;
|
||||
mkdir -p "${CADIR}" "${CRTDIR}" "${KEYDIR}" "${CSRDIR}" "${PKCS12DIR}" "${OVPNDIR}"
|
||||
|
||||
command=${1:-help}
|
||||
|
||||
|
@ -362,6 +368,12 @@ main() {
|
|||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# fix right
|
||||
chown -R "${PKIUSER}":"${PKIUSER}" "${CADIR}"
|
||||
chmod 750 "${CADIR}" "${CRTDIR}" "${KEYDIR}" "${CSRDIR}" "${PKCS12DIR}" "${OVPNDIR}"
|
||||
chmod 600 "${INDEX}"* "${SERIAL}"* "${CAKEY}" "${CRL}"
|
||||
chmod 640 "${CACERT}"
|
||||
}
|
||||
|
||||
main "$@"
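Review bot: The `new_certs_dir = $dir/tmp` directory that openssl.cnf still declares is no longer created anywhere: init() drops the old `mkdir -m 0700 "${CADIR}/tmp"` and the `mkdir -p` line in main() lists CADIR, CRTDIR, KEYDIR, CSRDIR, PKCS12DIR and OVPNDIR but not the tmp dir, so `openssl ca` in create() and revoke() has nowhere to write its per-serial copy and will presumably fail on a fresh install. Read it from the config like the other paths, `NEWCERTSDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")`, and add `"${NEWCERTSDIR}"` to that `mkdir -p` and to the `chmod 750` line. The `chmod 600 "${INDEX}"* "${SERIAL}"* "${CAKEY}" "${CRL}"` after `esac` runs after every sub-command, including `help` and `list`, and under `set -eu` the script exits non-zero whenever CAKEY (before init) or CRL (before the first revoke) does not exist yet; guard each missing-able path, e.g. `[ -f "${CRL}" ] && chmod 600 "${CRL}"`. The `grep -E "^crl"` and `"^certs"` lookups anchor on a key-name prefix only, so a config carrying keys such as `crlnumber` or `crl_extensions` (not visible in these hunks) would yield several values; anchoring as `^crl[[:space:]]*=` avoids that, and main()'s body is spread over hunks whose edges fall outside this view.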
|
||||
|
|