2014-11-20 16:16:51 +00:00
|
|
|
#!/bin/sh
|
2013-10-26 00:49:38 +00:00
|
|
|
|
2014-11-20 17:04:39 +00:00
|
|
|
cd $(dirname "$0")
|
|
|
|
|
2015-01-13 16:04:35 +00:00
|
|
|
if [ -z "${PKI_BASEDIR}" ]; then
|
2015-01-13 16:58:33 +00:00
|
|
|
PKI_BASEDIR=$(dirname `pwd`) # equivalent to $(realpath `pwd`/..
|
2013-11-12 19:22:22 +00:00
|
|
|
fi
|
2013-10-26 00:49:38 +00:00
|
|
|
|
2015-01-13 16:58:33 +00:00
|
|
|
PKI_DIR=${PKI_BASEDIR}/PKI
|
2015-01-13 16:04:35 +00:00
|
|
|
SHARED_DIR=${PKI_BASEDIR}/shared
|
|
|
|
OPENSSL_CONF=`pwd`/openssl.cnf
|
2013-10-26 00:49:38 +00:00
|
|
|
|
2015-01-13 14:34:52 +00:00
|
|
|
CAKEY=${PKI_DIR}/private/cakey.key
|
|
|
|
CAREQ=${PKI_DIR}/careq.csr
|
2015-01-13 16:04:35 +00:00
|
|
|
CACRT=${SHARED_DIR}/cacert.crt
|
2014-01-21 02:07:52 +00:00
|
|
|
|
2015-01-13 16:04:35 +00:00
|
|
|
SRVKEY=${SHARED_DIR}/server.key
|
|
|
|
SRVREQ=${SHARED_DIR}/server.csr
|
|
|
|
SRVCRT=${SHARED_DIR}/server.crt
|
2014-11-21 14:55:38 +00:00
|
|
|
|
|
|
|
# Generate certificates valid for:
|
2014-01-21 02:07:52 +00:00
|
|
|
DAYS=2
|
2013-10-26 14:41:21 +00:00
|
|
|
|
2014-11-20 16:16:51 +00:00
|
|
|
if [ -z "$PS1" ]
|
|
|
|
then
|
|
|
|
GREEN="\033[1;32m"
|
|
|
|
RED="\033[1;31m"
|
|
|
|
COLOR_RST="\033[0m"
|
|
|
|
BOLD=""
|
|
|
|
END_BOLD=""
|
|
|
|
ECHO_OPTS="-e"
|
2014-11-20 17:04:39 +00:00
|
|
|
else
|
|
|
|
GREEN="<font color=green>"
|
|
|
|
RED="<font color=red>"
|
|
|
|
COLOR_RST="</font>"
|
|
|
|
BOLD="<strong>"
|
|
|
|
END_BOLD="</strong>"
|
|
|
|
ECHO_OPTS=""
|
2014-11-20 16:16:51 +00:00
|
|
|
fi
|
2013-10-26 14:41:21 +00:00
|
|
|
|
|
|
|
usage()
|
|
|
|
{
|
2014-11-20 17:04:39 +00:00
|
|
|
echo "Usage: $0 (-newca|-newserver|-revokeserver|-newclient NAME|-revoke NAME|-gencrl)"
|
2013-10-26 14:41:21 +00:00
|
|
|
exit 1
|
|
|
|
}
|
|
|
|
|
2013-11-30 12:56:25 +00:00
|
|
|
clean()
|
|
|
|
{
|
|
|
|
if [ "$1" = "ca" ]; then
|
2015-01-13 16:04:35 +00:00
|
|
|
rm -rf ${PKI_DIR}/* ${SHARED_DIR}/*
|
|
|
|
mkdir -p ${PKI_DIR}/certs ${PKI_DIR}/crl ${PKI_DIR}/newcerts \
|
|
|
|
${PKI_DIR}/private ${PKI_DIR}/pkcs ${SHARED_DIR}
|
2015-01-13 14:34:52 +00:00
|
|
|
echo "01" > ${PKI_DIR}/crlnumber
|
2013-11-30 12:56:25 +00:00
|
|
|
elif [ "$1" = "client" ]; then
|
2015-01-13 14:34:52 +00:00
|
|
|
rm -rf ${PKI_DIR}/${2}.key ${PKI_DIR}/${2}.csr
|
2013-11-30 12:56:25 +00:00
|
|
|
fi
|
|
|
|
rm -rf $OUTPUT
|
|
|
|
}
|
|
|
|
|
2014-11-20 16:32:30 +00:00
|
|
|
gen_crl()
|
|
|
|
{
|
2014-11-21 14:55:38 +00:00
|
|
|
echo $ECHO_OPTS "${GREEN}Generate shared/crl.pem${COLOR_RST}"
|
2015-01-13 16:04:35 +00:00
|
|
|
if ! openssl ca -config ${OPENSSL_CONF} -gencrl -out ${SHARED_DIR}/crl.pem > $OUTPUT 2>&1
|
2014-11-21 14:55:38 +00:00
|
|
|
then
|
|
|
|
echo $ECHO_OPTS "${RED}Generate shared/crl.pem failed"
|
2014-11-20 16:32:30 +00:00
|
|
|
cat $OUTPUT
|
|
|
|
exit 5
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
2013-11-30 12:56:25 +00:00
|
|
|
[ $# -lt 1 ] && usage
|
|
|
|
|
|
|
|
OUTPUT=$(mktemp)
|
|
|
|
|
|
|
|
case $1 in
|
|
|
|
"-newca" )
|
2014-11-21 14:55:38 +00:00
|
|
|
echo $ECHO_OPTS "${GREEN}Create the directories, take care this will delete the old directories ${COLOR_RST}"
|
2013-11-30 12:56:25 +00:00
|
|
|
|
|
|
|
clean "ca"
|
2015-01-13 14:34:52 +00:00
|
|
|
touch ${PKI_DIR}/index.txt
|
2013-10-26 14:41:21 +00:00
|
|
|
|
2015-01-13 14:34:52 +00:00
|
|
|
ESCAPED=$(echo "${PKI_DIR}" | sed 's/[\/\.]/\\&/g')
|
2013-11-12 19:22:22 +00:00
|
|
|
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${GREEN}Making CA key and csr${COLOR_RST}"
|
2014-11-05 16:46:18 +00:00
|
|
|
sed -i 's/=.*#COMMONNAME/= FIC CA #COMMONNAME/' $OPENSSL_CONF
|
2013-11-12 19:22:22 +00:00
|
|
|
sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
|
2013-10-26 14:41:21 +00:00
|
|
|
|
2013-11-25 20:30:53 +00:00
|
|
|
type pwgen > /dev/null
|
2013-11-25 18:36:28 +00:00
|
|
|
if [ $? -ne 0 ]; then
|
2013-11-25 20:30:53 +00:00
|
|
|
echo "command not found: pwgen"
|
2013-11-25 18:36:28 +00:00
|
|
|
exit 5
|
|
|
|
fi
|
2013-11-12 19:22:22 +00:00
|
|
|
|
2013-11-29 02:15:33 +00:00
|
|
|
pass=`pwgen -n -B -y 12 1`
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! openssl req -batch -new -keyout ${CAKEY} \
|
|
|
|
-out ${CAREQ} -passout pass:$pass \
|
|
|
|
-config ${OPENSSL_CONF} -extensions CORE_CA > $OUTPUT 2>&1
|
|
|
|
then
|
2013-11-30 12:56:25 +00:00
|
|
|
cat $OUTPUT
|
|
|
|
clean "ca"
|
|
|
|
exit 4
|
|
|
|
fi
|
2013-10-26 14:41:21 +00:00
|
|
|
|
2013-11-12 21:20:58 +00:00
|
|
|
# This line deleted the passphase for the FIC 2014 automatisation
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! openssl rsa -passin pass:$pass -in ${CAKEY} \
|
|
|
|
-out ${CAKEY} > $OUTPUT 2>&1
|
|
|
|
then
|
2013-11-30 12:56:25 +00:00
|
|
|
cat $OUTPUT
|
|
|
|
clean "ca"
|
|
|
|
exit 4
|
|
|
|
fi
|
2014-01-20 19:53:20 +00:00
|
|
|
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${GREEN}Self signes the CA certificate${COLOR_RST}"
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! openssl ca -batch -create_serial -out ${CACRT} \
|
|
|
|
-days ${DAYS} -keyfile ${CAKEY} \
|
|
|
|
-selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \
|
|
|
|
-infiles ${CAREQ} > $OUTPUT 2>&1
|
|
|
|
then
|
2013-11-30 12:56:25 +00:00
|
|
|
cat $OUTPUT
|
2014-01-20 19:53:20 +00:00
|
|
|
clean "ca"
|
2013-11-30 12:56:25 +00:00
|
|
|
exit 4
|
2014-01-20 19:53:20 +00:00
|
|
|
fi
|
2013-10-26 14:41:21 +00:00
|
|
|
;;
|
2014-11-20 16:32:30 +00:00
|
|
|
|
2013-10-26 14:41:21 +00:00
|
|
|
"-newserver" )
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${GREEN}Making the Server key and cert${COLOR_RST}"
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! [ -f ${CAKEY} ]; then
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}"
|
2013-10-26 14:41:21 +00:00
|
|
|
exit 2
|
|
|
|
fi
|
2014-01-21 02:07:52 +00:00
|
|
|
sed -i 's/=.*#COMMONNAME/=10.226.3.70#COMMONNAME/' $OPENSSL_CONF
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! openssl req -batch -new -keyout ${SRVKEY} -out ${SRVREQ} \
|
|
|
|
-days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1
|
|
|
|
then
|
2013-11-30 12:56:25 +00:00
|
|
|
cat $OUTPUT
|
|
|
|
exit 4
|
|
|
|
fi
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${GREEN}Signing the Server crt${COLOR_RST}"
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! openssl ca -policy policy_match -config ${OPENSSL_CONF} \
|
|
|
|
-out ${SRVCRT} -extensions SERVER_SSL -infiles ${SRVREQ}
|
|
|
|
then
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${RED}Signing failed for new server${COLOR_RST}"
|
2014-11-21 14:55:38 +00:00
|
|
|
rm -f ${SRVKEY} ${SRVREQ} ${SRVCRT}
|
2013-11-30 12:56:25 +00:00
|
|
|
cat $OUTPUT
|
2013-10-26 14:41:21 +00:00
|
|
|
exit 3
|
|
|
|
else
|
2014-11-21 14:55:38 +00:00
|
|
|
rm ${SRVREQ}
|
|
|
|
echo $ECHO_OPTS "${GREEN}Signed certificate is in ${SRVCRT}${COLOR_RST}"
|
2013-10-26 14:41:21 +00:00
|
|
|
fi
|
2013-10-26 00:49:38 +00:00
|
|
|
;;
|
2014-11-20 16:32:46 +00:00
|
|
|
|
|
|
|
"-revokeserver" )
|
|
|
|
echo $ECHO_OPTS "${GREEN}Revocate server certificate${COLOR_RST}"
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! [ -f ${CAKEY} ]; then
|
2014-11-20 16:32:46 +00:00
|
|
|
echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}"
|
|
|
|
exit 2
|
|
|
|
fi
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! openssl ca -revoke ${SRVCRT} -config ${OPENSSL_CONF} \
|
|
|
|
-keyfile ${CAKEY} -cert ${CACRT} > $OUTPUT 2>&1
|
|
|
|
then
|
2014-11-20 16:32:46 +00:00
|
|
|
echo $ECHO_OPTS "${RED}Server certificate revocation failed${COLOR_RST}"
|
|
|
|
cat $OUTPUT
|
|
|
|
exit 4
|
|
|
|
fi
|
2014-11-21 14:55:38 +00:00
|
|
|
rm ${SRVKEY} ${SRVCRT}
|
2014-11-20 16:32:46 +00:00
|
|
|
|
|
|
|
gen_crl
|
|
|
|
;;
|
|
|
|
|
2013-10-26 14:41:21 +00:00
|
|
|
"-newclient" )
|
2013-11-12 19:22:22 +00:00
|
|
|
if [ $# -ne 2 ]; then
|
|
|
|
echo "Usage: $0 -newclient NAME"
|
|
|
|
exit 1
|
|
|
|
fi
|
2014-11-21 14:55:38 +00:00
|
|
|
|
|
|
|
CLTNAM=$2
|
2015-01-13 14:34:52 +00:00
|
|
|
CLTREQ=${PKI_DIR}/${CLTNAM}.csr
|
|
|
|
CLTCRT=${PKI_DIR}/certs/${CLTNAM}.crt
|
|
|
|
CLTKEY=${PKI_DIR}/${CLTNAM}.key
|
|
|
|
CLTP12=${PKI_DIR}/pkcs/${CLTNAM}.p12
|
2014-11-21 14:55:38 +00:00
|
|
|
|
2013-11-30 12:56:25 +00:00
|
|
|
echo "=============================================================="
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${GREEN}Making the client key and csr of ${BOLD}${2}${END_BOLD}${COLOR_RST}"
|
2013-10-26 14:41:21 +00:00
|
|
|
|
2015-01-13 14:34:52 +00:00
|
|
|
ESCAPED=$(echo "${PKI_DIR}" | sed 's/[\/\.]/\\&/g')
|
2014-01-20 17:34:18 +00:00
|
|
|
sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
|
|
|
|
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! [ -f ${CAKEY} ]; then
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}"
|
2013-10-26 16:29:22 +00:00
|
|
|
exit 2
|
|
|
|
fi
|
2013-10-26 14:41:21 +00:00
|
|
|
sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
|
|
|
|
|
2013-11-25 20:30:53 +00:00
|
|
|
type pwgen > /dev/null
|
2013-11-25 18:36:28 +00:00
|
|
|
if [ $? -ne 0 ]; then
|
2013-11-25 20:30:53 +00:00
|
|
|
echo "command not found: pwgen"
|
2013-11-25 18:36:28 +00:00
|
|
|
exit 5
|
|
|
|
fi
|
2013-11-12 21:20:58 +00:00
|
|
|
|
2013-11-29 02:15:33 +00:00
|
|
|
pass=`pwgen -n -B -y 12 1`
|
2013-11-25 20:30:53 +00:00
|
|
|
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! openssl req -batch -new -keyout "${CLTKEY}" -out "${CLTREQ}" \
|
|
|
|
-config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1
|
|
|
|
then
|
2013-11-30 12:56:25 +00:00
|
|
|
cat $OUTPUT
|
2014-11-21 14:55:38 +00:00
|
|
|
clean "client" ${CLTNAM}
|
2013-11-30 12:56:25 +00:00
|
|
|
exit 4
|
|
|
|
fi
|
2013-11-12 19:22:22 +00:00
|
|
|
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${GREEN}Signing the Client crt${COLOR_RST}"
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! openssl ca -batch -policy policy_match -out "${CLTCRT}" \
|
|
|
|
-config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles "${CLTREQ}" > $OUTPUT 2>&1
|
|
|
|
then
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${RED}Signing failed for $2 ${COLOR_RST}"
|
2013-11-30 12:56:25 +00:00
|
|
|
cat $OUTPUT
|
2014-11-21 14:55:38 +00:00
|
|
|
clean "client" ${CLTNAM}
|
2013-10-26 14:41:21 +00:00
|
|
|
exit 3
|
|
|
|
fi
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
|
2014-11-21 14:55:38 +00:00
|
|
|
if ! openssl pkcs12 -export -inkey "${CLTKEY}" -in "${CLTCRT}" -name ${2} \
|
|
|
|
-passin pass:$pass -out "${CLTP12}" \
|
|
|
|
-passout pass:$pass > $OUTPUT 2>&1
|
|
|
|
then
|
2014-11-20 16:16:51 +00:00
|
|
|
echo $ECHO_OPTS "${RED}pkcs12 export failed for ${BOLD}$2${END_BOLD}${COLOR_RST}"
|
2013-11-30 12:56:25 +00:00
|
|
|
cat $OUTPUT
|
2014-11-21 14:55:38 +00:00
|
|
|
clean "client" ${CLTNAM}
|
2013-10-26 14:41:21 +00:00
|
|
|
exit 4
|
|
|
|
else
|
2014-11-21 14:55:38 +00:00
|
|
|
echo $ECHO_OPTS "Exported pkcs12 file is ${CLTP12}"
|
2013-10-26 14:41:21 +00:00
|
|
|
fi
|
2015-01-13 14:34:52 +00:00
|
|
|
echo "$CLTNAM:$pass" >> ${PKI_DIR}/../teams.pass
|
2014-11-21 14:55:38 +00:00
|
|
|
echo "$CLTNAM:$pass"
|
|
|
|
clean "client" ${CLTNAM}
|
2013-10-26 00:49:38 +00:00
|
|
|
;;
|
2014-11-20 16:32:30 +00:00
|
|
|
|
2013-11-30 15:32:17 +00:00
|
|
|
"-revoke" )
|
|
|
|
if [ $# -ne 2 ]; then
|
|
|
|
echo "Usage: $0 -revoke NAME"
|
|
|
|
exit 1
|
|
|
|
fi
|
2014-11-21 14:55:38 +00:00
|
|
|
|
|
|
|
CLTNAM=$2
|
2015-01-13 14:34:52 +00:00
|
|
|
CLTCRT=${PKI_DIR}/certs/${CLTNAM}.crt
|
|
|
|
CLTP12=${PKI_DIR}/pkcs/${CLTNAM}.p12
|
2014-11-21 14:55:38 +00:00
|
|
|
|
|
|
|
echo $ECHO_OPTS "${GREEN}Revocate ${BOLD}${CLTNAM}${END_BOLD}${COLOR_RST}"
|
2014-11-21 22:07:01 +00:00
|
|
|
if ! openssl ca -revoke "${CLTCRT}" -config "${OPENSSL_CONF}" \
|
|
|
|
-keyfile "${CAKEY}" -cert "${CACRT}" > $OUTPUT 2>&1
|
2014-11-21 14:55:38 +00:00
|
|
|
then
|
|
|
|
echo $ECHO_OPTS "${RED}Revocation failed for ${BOLD}${CLTNAM}${END_BOLD}${COLOR_RST}"
|
2013-11-30 15:32:17 +00:00
|
|
|
cat $OUTPUT
|
|
|
|
exit 4
|
|
|
|
fi
|
2014-11-21 14:55:38 +00:00
|
|
|
rm "${CLTCRT}" "${CLTP12}"
|
2013-12-11 17:11:32 +00:00
|
|
|
|
2014-11-20 16:32:30 +00:00
|
|
|
gen_crl
|
2013-11-30 15:32:17 +00:00
|
|
|
;;
|
2014-11-20 16:32:30 +00:00
|
|
|
|
2013-12-11 17:11:32 +00:00
|
|
|
"-gencrl" )
|
2014-11-20 16:32:30 +00:00
|
|
|
gen_crl
|
2013-12-11 17:11:32 +00:00
|
|
|
;;
|
2014-11-20 16:32:30 +00:00
|
|
|
|
2013-10-26 14:41:21 +00:00
|
|
|
* )
|
|
|
|
usage
|
2013-10-26 00:49:38 +00:00
|
|
|
;;
|
|
|
|
esac
|