#!/bin/sh
PREFIX=/etc/openvpn/ssl
CONFFILE=$PREFIX/openssl.cnf
OPENSSL=$(which openssl)
TIMESTAMP=$(/bin/date +"%s")
WWWDIR=/var/www/htdocs/vpn/ssl
if [ "$(id -u)" != "0" ]; then
echo "Please become root before running ${0##*/}!" >&2
echo >&2
echo "Press return to continue..." >&2
read REPLY
exit 1
fi
init() {
echo "Do you confirm ${0##*/} initialization?"
echo
echo "Press return to continue..."
read REPLY
echo
if [ ! -d $PREFIX/ca ]; then mkdir -p $PREFIX/ca; fi
if [ ! -d $PREFIX/ca/tmp ]; then mkdir -p $PREFIX/ca/tmp; fi
if [ ! -d $PREFIX/certs ]; then mkdir -p $PREFIX/certs; fi
if [ ! -d $PREFIX/files ]; then mkdir -p $PREFIX/files; fi
if [ ! -f $PREFIX/ca/index.txt ]; then touch $PREFIX/ca/index.txt; fi
if [ ! -f $PREFIX/files/ca/serial ]; then echo 01 > $PREFIX/ca/serial; fi
if [ ! -e "$CONFFILE" ]; then
echo "$CONFFILE is missing" >&2
echo >&2
echo "Press return to continue..." >&2
read REPLY
exit 1
fi
$OPENSSL dhparam -out $PREFIX/ca/dh2048.pem 2048
$OPENSSL genrsa -out $PREFIX/ca/private.key 2048
$OPENSSL req \
-config $CONFFILE \
-new -x509 -days 3650 \
-extensions v3_ca \
-keyout $PREFIX/ca/private.key \
-out $PREFIX/ca/cacert.pem
}
create() {
echo "Please enter your CN (Common Name)"
read cn
echo
echo "Your CN is '$cn'"
echo "Press return to continue..."
read REPLY
echo
if [ -e $PREFIX/certs/$cn.crt ]; then
echo "Please revoke actual $cn cert before creating one"
echo
echo "Press return to continue..."
read REPLY
exit 1
fi
DIR=$PREFIX/files/$cn-$TIMESTAMP
mkdir $DIR
# generate private key
echo -n "Should private key be protected by a passphrase? [y/N] "
read REPLY
if [ "$REPLY" = "y" ] || [ "REPLY" = "Y" ]; then
$OPENSSL genrsa -aes128 -out $DIR/$cn.key 2048
else
$OPENSSL genrsa -out $DIR/$cn.key 2048
fi
# generate csr req
$OPENSSL req \
-new \
-key $DIR/$cn.key \
-config $CONFFILE \
-out $DIR/$cn.csr
# ca sign and generate cert
$OPENSSL ca \
-config $CONFFILE \
-in $DIR/$cn.csr \
-out $DIR/$cn.crt
# pem cert style
cp $DIR/$cn.key $DIR/$cn.pem
cat $DIR/$cn.crt >> $DIR/$cn.pem
# copy to public certs dir
echo
echo "copy cert to public certs dir"
echo
cp -i $DIR/$cn.crt $PREFIX/certs/
cp -i $DIR/$cn.crt $WWWDIR/
cp -i $DIR/$cn.key $WWWDIR/
chown -R root:www $WWWDIR
chmod -R u=rwX,g=rwX,o= $WWWDIR
echo
# generate client configuration
if [ -e $PREFIX/template.conf ]; then
CA=/etc/openvpn/ssl/ca/cacert.pem
CERT=/var/www/htdocs/vpn/ssl/$cn.crt
KEY=/var/www/htdocs/vpn/ssl/$cn.key
REP=/tmp
cp $PREFIX/template.conf $REP/$cn.conf
echo "
$(cat $CA)
$(cat $CERT)
$(cat $KEY)
" >> $REP/$cn.conf
echo "The configuration file is available in $REP/$cn.conf"
fi
}
revoke() {
echo "Please enter CN (Common Name) to revoke"
read cn
echo
echo "CN '$cn' will be revoked"
echo "Press return to continue..."
read REPLY
echo
$OPENSSL ca \
-config $CONFFILE \
-revoke $PREFIX/certs/$cn.crt
rm -i $PREFIX/certs/$cn.crt
rm -i $WWWDIR/$cn.crt
rm -i $WWWDIR/$cn.key
}
fromcsr() {
echo "Please enter path for your CSR request file"
read path
echo
if [ ! -e $path ]; then
echo "Error in path..." >&2
echo >&2
echo "Press return to continue..." >&2
read REPLY
exit 1
fi
echo "Please enter the CN (Common Name)"
read cn
echo
echo "Your CN is '$cn'"
echo "Press return to continue..."
read REPLY
echo
DIR=$PREFIX/files/req_$cn-$TIMESTAMP
mkdir $DIR
cp $path $DIR
# ca sign and generate cert
$OPENSSL ca \
-config $CONFFILE \
-in $path \
-out $DIR/$cn.crt
# copy to public certs dir
echo
echo "copy cert to public certs dir"
echo
cp -i $DIR/$cn.crt $PREFIX/certs/
echo
}
crl() {
$OPENSSL ca -gencrl \
-config $CONFFILE \
-out crl.pem
# TODO : a voir pour l'importation pdts Mozilla, Apple et Microsoft
#openssl crl2pkcs7 -in crl.pem -certfile /etc/ssl/certs/cacert.pem -out p7.pem
}
case "$1" in
init)
init
;;
create)
create
;;
fromcsr)
fromcsr
;;
revoke)
revoke
;;
crl)
crl
;;
*)
echo "Usage: ${0##*/} {init|create|fromcsr|revoke|crl}" >&2
exit 1
;;
esac