server/misc/CA.sh

#! /bin/sh

if [[ -z "${TOP_DIR}" ]]; then
    TOP_DIR=pki
fi

if [[ -z "${OPENSSL_CONF}" ]]; then
    OPENSSL_CONF=openssl.cnf
fi

CAKEY=./cakey.key
CAREQ=./careq.csr
CACERT=./cacert.crt
DAYS=365

#GREEN="\033[1;32m"
#RED="\033[1;31m"
#COLOR_RST="\033[0m"

GREEN="<font color=green>"
RED="<font color=red>"
COLOR_RST="</font>"
BOLD="<b>"
END_BOLD="</b>"

usage()
{
    echo "Usage: $0 (-newca|-newserver|-newclient NAME|-revoke NAME)"
    exit 1
}

clean()
{
    if [ "$1" = "ca" ]; then
        rm -rf ${TOP_DIR}
        mkdir -p ${TOP_DIR}/certs
        mkdir -p ${TOP_DIR}/crl
        mkdir -p ${TOP_DIR}/newcerts
        mkdir -p ${TOP_DIR}/private
        mkdir -p ${TOP_DIR}/pkcs
    elif [ "$1" = "client" ]; then
        rm -rf ${2}.key ${2}.csr
    fi
    rm -rf $OUTPUT
}

[ $# -lt 1 ] && usage

OUTPUT=$(mktemp)

case $1 in
    "-newca" )
        echo -e -n "${GREEN}Create the directories, take care this will delete"
        echo -e "the old directories ${COLOR_RST}"
#        sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"

        clean "ca"
        touch ${TOP_DIR}/index.txt

        ESCAPED=$(echo "${TOP_DIR}" | sed 's/[\/\.]/\\&/g')

        echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
        sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
        sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
        sed -i "s/=.*#CERTTYPE/= objsign #CERTTYPE/" $OPENSSL_CONF

        type pwgen > /dev/null
        if [ $? -ne 0 ]; then
            echo "command not found: pwgen"
            exit 5
        fi

        pass=`pwgen -n -B -y 12 1`

        openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY}         \
                    -out ${TOP_DIR}/${CAREQ} -passout pass:$pass            \
                    -config $OPENSSL_CONF > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            cat $OUTPUT
            clean "ca"
            exit 4
        fi

        # This line deleted the passphase for the FIC 2014 automatisation
        openssl rsa -passin pass:$pass -in ${TOP_DIR}/private/${CAKEY}      \
                    -out ${TOP_DIR}/private/${CAKEY} > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            cat $OUTPUT
            clean "ca"
            exit 4
        fi

        echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
        openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT}          \
                -days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY}          \
                -selfsign -extensions v3_ca -config ${OPENSSL_CONF}         \
                -infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            cat $OUTPUT
            clean "ca"
            exit 4
        fi
        ;;
    "-newserver" )
        echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"
        if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
            echo -e "${RED}Can not found the CA's key${COLOR_RST}"
            exit 2
        fi
        sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
        sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
        openssl req -batch -new -keyout server.key -out server.csr          \
                    -days ${DAYS} -config ${OPENSSL_CONF} > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            cat $OUTPUT
            exit 4
        fi
        echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
        openssl ca -policy policy_match -config ${OPENSSL_CONF}             \
                   -out server.crt -infiles server.csr > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            echo -e "${RED}Signing failed for new server${COLOR_RST}"
            rm -rf server.key server.crt server.csr
            cat $OUTPUT
            exit 3
        else
            rm server.csr # remove ?
            echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
        fi
        ;;
    "-newclient" )
        if [ $# -ne 2 ]; then
            echo "Usage: $0 -newclient NAME"
            exit 1
        fi
        echo "=============================================================="
        echo -e "${GREEN}Making the client key and csr of ${BOLD}${2}${END_BOLD}${COLOR_RST}"

        if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
            echo -e "${RED}Can not found the CA's key${COLOR_RST}"
            exit 2
        fi
        sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
        sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF

        type pwgen > /dev/null
        if [ $? -ne 0 ]; then
            echo "command not found: pwgen"
            exit 5
        fi

        pass=`pwgen -n -B -y 12 1`

        openssl req -batch -new -keyout ${2}.key -out ${2}.csr              \
                    -config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            cat $OUTPUT
            clean "client" $2
            exit 4
        fi

        echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
        openssl ca -batch -policy policy_match -out ${2}.crt                \
                   -config ${OPENSSL_CONF} -infiles ${2}.csr > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            echo -e "${RED}Signing failed for $2 ${COLOR_RST}"
            cat $OUTPUT
            clean "client" $2
            exit 3
        fi
        echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
        openssl pkcs12 -export -inkey ${2}.key -in ${2}.crt -name ${2}      \
                       -passin pass:$pass -out ${TOP_DIR}/pkcs/${2}.p12     \
                       -passout pass:$pass > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            echo -e "${RED}pkcs12 export failed for ${BOLD}$2${END_BOLD}${COLOR_RST}"
            cat $OUTPUT
            clean "client" $2
            exit 4
        else
            echo -e "Exported pkcs12 file is ${2}.p12"
        fi
        mv ${2}.crt ${TOP_DIR}/certs
        echo "$2:$pass" >> ${TOP_DIR}/../teams.pass
        clean "client" $2
        ;;
    "-revoke" )
        if [ $# -ne 2 ]; then
            echo "Usage: $0 -revoke NAME"
            exit 1
        fi
        echo -e "${GREEN}Revocate ${BOLD}${2}${END_BOLD}${COLOR_RST}"
        openssl ca -revoke ${TOP_DIR}/certs/${2}.crt -config ${OPENSSL_CONF}\
                   -keyfile ${TOP_DIR}/private/${CAKEY}                     \
                   -cert ${TOP_DIR}/${CACERT} > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            echo -e "${RED}Revocation failed for ${BOLD}${2}${END_BOLD}${COLOR_RST}"
            cat $OUTPUT
            exit 4
        fi
        rm ${TOP_DIR}/certs/${2}.crt
        rm ${TOP_DIR}/pkcs/${2}.p12
        ;;
    * )
        usage
        ;;
esac
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`#! /bin/sh`
Add script for certs 2013-10-26 00:49:38 +00:00
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`if [[ -z "${TOP_DIR}" ]]; then`
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			`TOP_DIR=pki`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`fi`
Add script for certs 2013-10-26 00:49:38 +00:00
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`if [[ -z "${OPENSSL_CONF}" ]]; then`
			`OPENSSL_CONF=openssl.cnf`
			`fi`
Add script for certs 2013-10-26 00:49:38 +00:00
CA script done 2013-10-26 14:41:21 +00:00			`CAKEY=./cakey.key`
			`CAREQ=./careq.csr`
			`CACERT=./cacert.crt`
			`DAYS=365`

CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`#GREEN="\033[1;32m"`
			`#RED="\033[1;31m"`
			`#COLOR_RST="\033[0m"`

			`GREEN="<font color=green>"`
			`RED="<font color=red>"`
			`COLOR_RST="</font>"`
			`BOLD="<b>"`
			`END_BOLD="</b>"`
CA script done 2013-10-26 14:41:21 +00:00
			`usage()`
			`{`
CA.sh: add revocation 2013-11-30 15:32:17 +00:00			`echo "Usage: $0 (-newca\|-newserver\|-newclient NAME\|-revoke NAME)"`
CA script done 2013-10-26 14:41:21 +00:00			`exit 1`
			`}`

CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`clean()`
			`{`
			`if [ "$1" = "ca" ]; then`
CA script done 2013-10-26 14:41:21 +00:00			`rm -rf ${TOP_DIR}`
			`mkdir -p ${TOP_DIR}/certs`
			`mkdir -p ${TOP_DIR}/crl`
			`mkdir -p ${TOP_DIR}/newcerts`
			`mkdir -p ${TOP_DIR}/private`
CA.sh: change the output dir of p12 files to pki/pkcs 2013-11-29 03:03:41 +00:00			`mkdir -p ${TOP_DIR}/pkcs`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`elif [ "$1" = "client" ]; then`
CA.sh: add revocation 2013-11-30 15:32:17 +00:00			`rm -rf ${2}.key ${2}.csr`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`fi`
			`rm -rf $OUTPUT`
			`}`

			`[ $# -lt 1 ] && usage`

			`OUTPUT=$(mktemp)`

			`case $1 in`
			`"-newca" )`
			`echo -e -n "${GREEN}Create the directories, take care this will delete"`
			`echo -e "the old directories ${COLOR_RST}"`
			`# sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"`

			`clean "ca"`
CA script done 2013-10-26 14:41:21 +00:00			`touch ${TOP_DIR}/index.txt`

CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`ESCAPED=$(echo "${TOP_DIR}" \| sed 's/[\/\.]/\\&/g')`

CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`echo -e "${GREEN}Making CA key and csr${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00			`sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF`
CA.sh: change the CA type to objsign 2013-11-29 02:48:00 +00:00			`sed -i "s/=.*#CERTTYPE/= objsign #CERTTYPE/" $OPENSSL_CONF`
CA script done 2013-10-26 14:41:21 +00:00
Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00			`type pwgen > /dev/null`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`if [ $? -ne 0 ]; then`
Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00			`echo "command not found: pwgen"`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`exit 5`
			`fi`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			pass=`pwgen -n -B -y 12 1`
Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00
CA script done 2013-10-26 14:41:21 +00:00			`openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`-out ${TOP_DIR}/${CAREQ} -passout pass:$pass \`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`-config $OPENSSL_CONF > $OUTPUT 2>&1`
			`if [ $? -ne 0 ]; then`
			`cat $OUTPUT`
			`clean "ca"`
			`exit 4`
			`fi`
CA script done 2013-10-26 14:41:21 +00:00
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`# This line deleted the passphase for the FIC 2014 automatisation`
			`openssl rsa -passin pass:$pass -in ${TOP_DIR}/private/${CAKEY} \`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`-out ${TOP_DIR}/private/${CAKEY} > $OUTPUT 2>&1`
			`if [ $? -ne 0 ]; then`
			`cat $OUTPUT`
			`clean "ca"`
			`exit 4`
			`fi`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00			`openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \`
			`-days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`-selfsign -extensions v3_ca -config ${OPENSSL_CONF} \`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`-infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1`
			`if [ $? -ne 0 ]; then`
			`cat $OUTPUT`
			`clean "ca"`
			`exit 4`
			`fi`
CA script done 2013-10-26 14:41:21 +00:00			`;;`
			`"-newserver" )`
CA: add a error check 2013-10-26 16:29:22 +00:00			`echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00			`if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then`
			`echo -e "${RED}Can not found the CA's key${COLOR_RST}"`
			`exit 2`
			`fi`
			`sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF`
CA.sh newserver: change the type 2013-11-29 02:41:07 +00:00			`sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF`
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			`openssl req -batch -new -keyout server.key -out server.csr \`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`-days ${DAYS} -config ${OPENSSL_CONF} > $OUTPUT 2>&1`
			`if [ $? -ne 0 ]; then`
			`cat $OUTPUT`
			`exit 4`
			`fi`
CA script done 2013-10-26 14:41:21 +00:00			`echo -e "${GREEN}Signing the Server crt${COLOR_RST}"`
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			`openssl ca -policy policy_match -config ${OPENSSL_CONF} \`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`-out server.crt -infiles server.csr > $OUTPUT 2>&1`
CA script done 2013-10-26 14:41:21 +00:00			`if [ $? -ne 0 ]; then`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`echo -e "${RED}Signing failed for new server${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00			`rm -rf server.key server.crt server.csr`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`cat $OUTPUT`
CA script done 2013-10-26 14:41:21 +00:00			`exit 3`
			`else`
			`rm server.csr # remove ?`
			`echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"`
			`fi`
Add script for certs 2013-10-26 00:49:38 +00:00			`;;`
CA script done 2013-10-26 14:41:21 +00:00			`"-newclient" )`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00			`if [ $# -ne 2 ]; then`
			`echo "Usage: $0 -newclient NAME"`
			`exit 1`
			`fi`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`echo "=============================================================="`
			`echo -e "${GREEN}Making the client key and csr of ${BOLD}${2}${END_BOLD}${COLOR_RST}"`
CA script done 2013-10-26 14:41:21 +00:00
CA: add a error check 2013-10-26 16:29:22 +00:00			`if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then`
			`echo -e "${RED}Can not found the CA's key${COLOR_RST}"`
			`exit 2`
			`fi`
CA script done 2013-10-26 14:41:21 +00:00			`sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF`
			`sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF`

Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00			`type pwgen > /dev/null`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`if [ $? -ne 0 ]; then`
Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00			`echo "command not found: pwgen"`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`exit 5`
			`fi`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00
CA.sh: fixed newserver 2013-11-29 02:15:33 +00:00			pass=`pwgen -n -B -y 12 1`
Fixed error ouput when pwgen was not found 2013-11-25 20:30:53 +00:00
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`openssl req -batch -new -keyout ${2}.key -out ${2}.csr \`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`-config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} > $OUTPUT 2>&1`
			`if [ $? -ne 0 ]; then`
			`cat $OUTPUT`
			`clean "client" $2`
			`exit 4`
			`fi`
CA.sh: disable the timer, fixed some bug 2013-11-12 19:22:22 +00:00
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`echo -e "${GREEN}Signing the Client crt${COLOR_RST}"`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`openssl ca -batch -policy policy_match -out ${2}.crt \`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`-config ${OPENSSL_CONF} -infiles ${2}.csr > $OUTPUT 2>&1`
CA script done 2013-10-26 14:41:21 +00:00			`if [ $? -ne 0 ]; then`
Add a textarea to show the output of the CA.sh 2013-11-25 18:36:28 +00:00			`echo -e "${RED}Signing failed for $2 ${COLOR_RST}"`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`cat $OUTPUT`
			`clean "client" $2`
CA script done 2013-10-26 14:41:21 +00:00			`exit 3`
			`fi`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"`
CA.sh: automatization of newclient 2013-11-12 21:20:58 +00:00			`openssl pkcs12 -export -inkey ${2}.key -in ${2}.crt -name ${2} \`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`-passin pass:$pass -out ${TOP_DIR}/pkcs/${2}.p12 \`
			`-passout pass:$pass > $OUTPUT 2>&1`
CA script done 2013-10-26 14:41:21 +00:00			`if [ $? -ne 0 ]; then`
CA.sh: add revocation 2013-11-30 15:32:17 +00:00			`echo -e "${RED}pkcs12 export failed for ${BOLD}$2${END_BOLD}${COLOR_RST}"`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`cat $OUTPUT`
			`clean "client" $2`
CA script done 2013-10-26 14:41:21 +00:00			`exit 4`
			`else`
			`echo -e "Exported pkcs12 file is ${2}.p12"`
			`fi`
CA.sh: add revocation 2013-11-30 15:32:17 +00:00			`mv ${2}.crt ${TOP_DIR}/certs`
Fixed multiple team->update in import_users Show the pass at the end of import 2013-12-01 00:08:40 +00:00			`echo "$2:$pass" >> ${TOP_DIR}/../teams.pass`
CA.sh: show all output add some color 2013-11-30 12:56:25 +00:00			`clean "client" $2`
Add script for certs 2013-10-26 00:49:38 +00:00			`;;`
CA.sh: add revocation 2013-11-30 15:32:17 +00:00			`"-revoke" )`
			`if [ $# -ne 2 ]; then`
			`echo "Usage: $0 -revoke NAME"`
			`exit 1`
			`fi`
			`echo -e "${GREEN}Revocate ${BOLD}${2}${END_BOLD}${COLOR_RST}"`
			`openssl ca -revoke ${TOP_DIR}/certs/${2}.crt -config ${OPENSSL_CONF}\`
			`-keyfile ${TOP_DIR}/private/${CAKEY} \`
			`-cert ${TOP_DIR}/${CACERT} > $OUTPUT 2>&1`
			`if [ $? -ne 0 ]; then`
			`echo -e "${RED}Revocation failed for ${BOLD}${2}${END_BOLD}${COLOR_RST}"`
			`cat $OUTPUT`
			`exit 4`
			`fi`
			`rm ${TOP_DIR}/certs/${2}.crt`
			`rm ${TOP_DIR}/pkcs/${2}.p12`
			`;;`
CA script done 2013-10-26 14:41:21 +00:00			`* )`
			`usage`
Add script for certs 2013-10-26 00:49:38 +00:00			`;;`
			`esac`