server/misc/CA.sh

# TODO key usage

if [[ -z "${TOP_DIR}" ]]; then
    TOP_DIR=pki
fi

if [[ -z "${OPENSSL_CONF}" ]]; then
    OPENSSL_CONF=openssl.cnf
fi

CAKEY=./cakey.key
CAREQ=./careq.csr
CACERT=./cacert.crt
DAYS=365

GREEN="\033[1;32m"
RED="\033[1;31m"
COLOR_RST="\033[0m"

usage()
{
    echo "Usage: $0 (-newca|-newserver|-newclient NAME)"
    exit 1
}

[ $# -lt 1 ] && usage

case $1 in
    "-newca" )
#        echo -e -n "${GREEN}Create the directories, take care this will delete"
#        echo -e "the old directories ${COLOR_RST}"
#        sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"

        rm -rf ${TOP_DIR}
        mkdir -p ${TOP_DIR}/certs
        mkdir -p ${TOP_DIR}/crl
        mkdir -p ${TOP_DIR}/newcerts
        mkdir -p ${TOP_DIR}/private
        touch ${TOP_DIR}/index.txt

        ESCAPED=$(echo "${TOP_DIR}" | sed 's/[\/\.]/\\&/g')

#        echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
        sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
        sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
        sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF

        type pwgen > /dev/null
        if [ $? -ne 0 ]; then
            echo "command not found: pwgen"
            exit 5
        fi

        pass=`pwgen -n -B -y 12 1`

        openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY}         \
                    -out ${TOP_DIR}/${CAREQ} -passout pass:$pass            \
                    -config $OPENSSL_CONF

        # This line deleted the passphase for the FIC 2014 automatisation
        openssl rsa -passin pass:$pass -in ${TOP_DIR}/private/${CAKEY}      \
                    -out ${TOP_DIR}/private/${CAKEY}

#        echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
        openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT}          \
                -days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY}          \
                -selfsign -extensions v3_ca -config ${OPENSSL_CONF}         \
                -infiles ${TOP_DIR}/${CAREQ}
        ;;
    "-newserver" )
        echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"
        if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
            echo -e "${RED}Can not found the CA's key${COLOR_RST}"
            exit 2
        fi
        sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
        sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
        openssl req -batch -new -keyout server.key -out server.csr          \
                    -days ${DAYS} -config ${OPENSSL_CONF}
        echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
        openssl ca -policy policy_match -config ${OPENSSL_CONF}             \
                   -out server.crt -infiles server.csr
        if [ $? -ne 0 ]; then
            echo -e "${RED}Signing failed for new server${COLOR_RST}"
            rm -rf server.key server.crt server.csr
            exit 3
        else
            rm server.csr # remove ?
            echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
        fi
        ;;
    "-newclient" )
        if [ $# -ne 2 ]; then
            echo "Usage: $0 -newclient NAME"
            exit 1
        fi
#        echo -e "${GREEN}Making the client key and csr${COLOR_RST}"

        if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
            echo -e "${RED}Can not found the CA's key${COLOR_RST}"
            exit 2
        fi
        sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
        sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF

        type pwgen > /dev/null
        if [ $? -ne 0 ]; then
            echo "command not found: pwgen"
            exit 5
        fi

        pass=`pwgen -n -B -y 12 1`

        openssl req -batch -new -keyout ${2}.key -out ${2}.csr              \
                    -config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS}

#        echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
        openssl ca -batch -policy policy_match -out ${2}.crt                \
                   -config ${OPENSSL_CONF} -infiles ${2}.csr
        if [ $? -ne 0 ]; then
            echo -e "${RED}Signing failed for $2 ${COLOR_RST}"
            exit 3
        fi
#        echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
        openssl pkcs12 -export -inkey ${2}.key -in ${2}.crt -name ${2}      \
                       -passin pass:$pass -out ${2}.p12 -passout pass:$pass
        if [ $? -ne 0 ]; then
            echo -e "${RED}pkcs12 export failed${COLOR_RST} for $2"
            exit 4
        else
            echo -e "Exported pkcs12 file is ${2}.p12"
        fi
#       TODO handle this file
        echo "$2:$pass" >> teams.pass
        rm -rf ${2}.key ${2}.csr ${2}.crt
        ;;
    * )
        usage
        ;;
esac
CA script done 2013-10-26 14:41:21 +00:00			`# TODO key usage`
Add script for certs 2013-10-26 00:49:38 +00:00
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`if [[ -z "${TOP_DIR}" ]]; then`
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			`TOP_DIR=pki`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`fi`
Add script for certs 2013-10-26 00:49:38 +00:00
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`if [[ -z "${OPENSSL_CONF}" ]]; then`
			`OPENSSL_CONF=openssl.cnf`
			`fi`
Add script for certs 2013-10-26 00:49:38 +00:00
CA script done 2013-10-26 14:41:21 +00:00			`CAKEY=./cakey.key`
			`CAREQ=./careq.csr`
			`CACERT=./cacert.crt`
			`DAYS=365`

			`GREEN="\033[1;32m"`
			`RED="\033[1;31m"`
			`COLOR_RST="\033[0m"`

			`usage()`
			`{`
			`echo "Usage: $0 (-newca\|-newserver\|-newclient NAME)"`
			`exit 1`
			`}`

			`[ $# -lt 1 ] && usage`

Add script for certs 2013-10-26 00:49:38 +00:00			`case $1 in`
CA script done 2013-10-26 14:41:21 +00:00			`"-newca" )`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`# echo -e -n "${GREEN}Create the directories, take care this will delete"`
			`# echo -e "the old directories ${COLOR_RST}"`
			`# sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"`
CA script done 2013-10-26 14:41:21 +00:00
			`rm -rf ${TOP_DIR}`
			`mkdir -p ${TOP_DIR}/certs`
			`mkdir -p ${TOP_DIR}/crl`
			`mkdir -p ${TOP_DIR}/newcerts`
			`mkdir -p ${TOP_DIR}/private`
			`touch ${TOP_DIR}/index.txt`

CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`ESCAPED=$(echo "${TOP_DIR}" \| sed 's/[\/\.]/\\&/g')`

CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`# echo -e "${GREEN}Making CA key and csr${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00			`sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF`
CA script done 2013-10-26 14:41:21 +00:00			`sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF`

Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00			`type pwgen > /dev/null`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`if [ $? -ne 0 ]; then`
Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00			`echo "command not found: pwgen"`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`exit 5`
			`fi`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			pass=`pwgen -n -B -y 12 1`
Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00
CA script done 2013-10-26 14:41:21 +00:00			`openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`-out ${TOP_DIR}/${CAREQ} -passout pass:$pass \`
			`-config $OPENSSL_CONF`
CA script done 2013-10-26 14:41:21 +00:00
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`# This line deleted the passphase for the FIC 2014 automatisation`
			`openssl rsa -passin pass:$pass -in ${TOP_DIR}/private/${CAKEY} \`
			`-out ${TOP_DIR}/private/${CAKEY}`

			`# echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00			`openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \`
			`-days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`-selfsign -extensions v3_ca -config ${OPENSSL_CONF} \`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`-infiles ${TOP_DIR}/${CAREQ}`
CA script done 2013-10-26 14:41:21 +00:00			`;;`
			`"-newserver" )`
CA: add a error check 2013-10-26 16:29:22 +00:00			`echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00			`if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then`
			`echo -e "${RED}Can not found the CA's key${COLOR_RST}"`
			`exit 2`
			`fi`
			`sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF`
CA.sh newserver: change the type 2013-11-29 02:41:07 +00:00			`sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF`
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			`openssl req -batch -new -keyout server.key -out server.csr \`
CA.sh newserver: change the type 2013-11-29 02:41:07 +00:00			`-days ${DAYS} -config ${OPENSSL_CONF}`
CA script done 2013-10-26 14:41:21 +00:00			`echo -e "${GREEN}Signing the Server crt${COLOR_RST}"`
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			`openssl ca -policy policy_match -config ${OPENSSL_CONF} \`
			`-out server.crt -infiles server.csr`
CA script done 2013-10-26 14:41:21 +00:00			`if [ $? -ne 0 ]; then`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`echo -e "${RED}Signing failed for new server${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00			`rm -rf server.key server.crt server.csr`
			`exit 3`
			`else`
			`rm server.csr # remove ?`
			`echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"`
			`fi`
Add script for certs 2013-10-26 00:49:38 +00:00			`;;`
CA script done 2013-10-26 14:41:21 +00:00			`"-newclient" )`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`if [ $# -ne 2 ]; then`
			`echo "Usage: $0 -newclient NAME"`
			`exit 1`
			`fi`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`# echo -e "${GREEN}Making the client key and csr${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00
CA: add a error check 2013-10-26 16:29:22 +00:00			`if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then`
			`echo -e "${RED}Can not found the CA's key${COLOR_RST}"`
			`exit 2`
			`fi`
CA script done 2013-10-26 14:41:21 +00:00			`sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF`
			`sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF`

Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00			`type pwgen > /dev/null`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`if [ $? -ne 0 ]; then`
Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00			`echo "command not found: pwgen"`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`exit 5`
			`fi`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			pass=`pwgen -n -B -y 12 1`
Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`openssl req -batch -new -keyout ${2}.key -out ${2}.csr \`
			`-config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS}`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`# echo -e "${GREEN}Signing the Client crt${COLOR_RST}"`
			`openssl ca -batch -policy policy_match -out ${2}.crt \`
			`-config ${OPENSSL_CONF} -infiles ${2}.csr`
CA script done 2013-10-26 14:41:21 +00:00			`if [ $? -ne 0 ]; then`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`echo -e "${RED}Signing failed for $2 ${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00			`exit 3`
			`fi`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`# echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"`
			`openssl pkcs12 -export -inkey ${2}.key -in ${2}.crt -name ${2} \`
			`-passin pass:$pass -out ${2}.p12 -passout pass:$pass`
CA script done 2013-10-26 14:41:21 +00:00			`if [ $? -ne 0 ]; then`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`echo -e "${RED}pkcs12 export failed${COLOR_RST} for $2"`
CA script done 2013-10-26 14:41:21 +00:00			`exit 4`
			`else`
			`echo -e "Exported pkcs12 file is ${2}.p12"`
			`fi`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`# TODO handle this file`
			`echo "$2:$pass" >> teams.pass`
CA script done 2013-10-26 14:41:21 +00:00			`rm -rf ${2}.key ${2}.csr ${2}.crt`
Add script for certs 2013-10-26 00:49:38 +00:00			`;;`
CA script done 2013-10-26 14:41:21 +00:00			`* )`
			`usage`
Add script for certs 2013-10-26 00:49:38 +00:00			`;;`
			`esac`