CA script done
This commit is contained in:
parent
8d55d30550
commit
fa6fc60759
128
misc/CA.sh
128
misc/CA.sh
@ -1,49 +1,99 @@
|
||||
# Create CA for client
|
||||
#openssl genrsa -des3 -out ca.key 4096
|
||||
#openssl req -new -x509 -days 365 -key ca.key -out ca.crt
|
||||
#
|
||||
## Server cert
|
||||
#openssl genrsa -des3 -out server.key 2028
|
||||
#openssl req -new -key server.key -out server.csr
|
||||
#
|
||||
## Self sign ??
|
||||
#openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
|
||||
# TODO key usage
|
||||
|
||||
# TODO serial
|
||||
# TODO common name
|
||||
OPENSSL_CONF=$(pwd)/openssl.cnf
|
||||
|
||||
OPENSSL_CONF=openssl.cnf
|
||||
TOP_DIR=fic_pki
|
||||
|
||||
[ $# -ne 1 ] && echo "Usage: $0 init
|
||||
client NAME"
|
||||
CAKEY=./cakey.key
|
||||
CAREQ=./careq.csr
|
||||
CACERT=./cacert.crt
|
||||
DAYS=365
|
||||
|
||||
GREEN="\033[1;32m"
|
||||
RED="\033[1;31m"
|
||||
COLOR_RST="\033[0m"
|
||||
|
||||
usage()
|
||||
{
|
||||
echo "Usage: $0 (-newca|-newserver|-newclient NAME)"
|
||||
exit 1
|
||||
}
|
||||
|
||||
[ $# -lt 1 ] && usage
|
||||
|
||||
export OPENSSL_CONF=${OPENSSL_CONF}
|
||||
|
||||
case $1 in
|
||||
"init" )
|
||||
echo "Create CA for signing client certs"
|
||||
openssl genrsa -des3 -out ca.key 4096
|
||||
sed -i 's/=.*#CommonName/= FIC2014 CA#CommonNameEnd/' $OPENSSL_CONF
|
||||
openssl req -batch -new -x509 -days 365 -key ca.key -out ca.crt
|
||||
"-newca" )
|
||||
echo -e -n "${GREEN}Create the directories, take care this will delete"
|
||||
echo -e "the old directories ${COLOR_RST}"
|
||||
sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"
|
||||
|
||||
echo "Create server cert"
|
||||
openssl genrsa -des3 -out server.key 2048
|
||||
sed -i 's/=.*#CommonNameEnd/= FIC2014 Server#CommonNameEnd/' $OPENSSL_CONF
|
||||
openssl req -batch -new -key server.key -out server.csr
|
||||
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
|
||||
rm server.csr
|
||||
;;
|
||||
"client" )
|
||||
[ $# -ne 2 ] && "client Usage"
|
||||
openssl genrsa -des3 -out client.key 2048
|
||||
sed -i "s/=.*#CommonNameEnd/= $2#CommonNameEnd/" $OPENSSL_CONF
|
||||
openssl req -batch -new -key client.key -out client.csr
|
||||
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
|
||||
openssl pkcs12 -export -inkey client.key -in client.crt -name $2 -out ${2}.p12
|
||||
rm -rf ${TOP_DIR}
|
||||
mkdir -p ${TOP_DIR}/certs
|
||||
mkdir -p ${TOP_DIR}/crl
|
||||
mkdir -p ${TOP_DIR}/newcerts
|
||||
mkdir -p ${TOP_DIR}/private
|
||||
touch ${TOP_DIR}/index.txt
|
||||
|
||||
rm client.key
|
||||
rm client.csr
|
||||
rm client.crt
|
||||
echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
|
||||
sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
|
||||
sed -i "s/=.*#DIR/= ${TOP_DIR} #DIR/" $OPENSSL_CONF
|
||||
sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
|
||||
|
||||
openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \
|
||||
-out ${TOP_DIR}/${CAREQ}
|
||||
|
||||
echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
|
||||
openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \
|
||||
-days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \
|
||||
-selfsign -extensions v3_ca -infiles ${TOP_DIR}/${CAREQ}
|
||||
;;
|
||||
"*" )
|
||||
echo "*"
|
||||
"-newserver" )
|
||||
if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
|
||||
echo -e "${RED}Can not found the CA's key${COLOR_RST}"
|
||||
exit 2
|
||||
fi
|
||||
echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"
|
||||
sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
|
||||
openssl req -batch -new -keyout server.key -out server.csr -days ${DAYS}
|
||||
echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
|
||||
openssl ca -policy policy_match -out server.crt -infiles server.csr
|
||||
if [ $? -ne 0 ]; then
|
||||
echo -e "${RED}Signing failed${COLOR_RST}"
|
||||
rm -rf server.key server.crt server.csr
|
||||
exit 3
|
||||
else
|
||||
rm server.csr # remove ?
|
||||
echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
|
||||
fi
|
||||
;;
|
||||
"-newclient" )
|
||||
[ $# -ne 2 ] && "Usage: $0 -newclient NAME"
|
||||
echo -e "${GREEN}Making the client key and csr${COLOR_RST}"
|
||||
|
||||
sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
|
||||
sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF
|
||||
|
||||
openssl req -batch -new -keyout ${2}.key -out ${2}.csr -days ${DAYS}
|
||||
echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
|
||||
openssl ca -policy policy_match -out ${2}.crt -infiles ${2}.csr
|
||||
if [ $? -ne 0 ]; then
|
||||
echo -e "${RED}Signing failed${COLOR_RST}"
|
||||
exit 3
|
||||
fi
|
||||
echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
|
||||
openssl pkcs12 -export -inkey ${2}.key -in ${2}.crt -name ${2} -out ${2}.p12
|
||||
if [ $? -ne 0 ]; then
|
||||
echo -e "${RED}pkcs12 export failed${COLOR_RST}"
|
||||
exit 4
|
||||
else
|
||||
echo -e "Exported pkcs12 file is ${2}.p12"
|
||||
fi
|
||||
|
||||
rm -rf ${2}.key ${2}.csr ${2}.crt
|
||||
;;
|
||||
* )
|
||||
usage
|
||||
;;
|
||||
esac
|
||||
|
@ -39,7 +39,7 @@ default_ca = CA_default # The default ca section
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = /etc/ssl # Where everything is kept
|
||||
dir = fic_pki #DIR # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
@ -47,12 +47,12 @@ database = $dir/index.txt # database index file.
|
||||
# several ctificates with same subject.
|
||||
new_certs_dir = $dir/newcerts # default place for new certs.
|
||||
|
||||
certificate = $dir/cacert.pem # The CA certificate
|
||||
certificate = $dir/cacert.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crlnumber = $dir/crlnumber # the current crl number
|
||||
# must be commented out to leave a V1 CRL
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/cakey.pem# The private key
|
||||
private_key = $dir/private/cakey.key # The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
@ -147,11 +147,12 @@ organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = SRS
|
||||
|
||||
commonName = Common Name (e.g. server FQDN or YOUR name)
|
||||
commonName_default = tata#CommonNameEndEndEndEndEnd
|
||||
commonName_default = toto#COMMONNAME
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_max = 64
|
||||
emailAddress_default = root@srs.epita.fr
|
||||
|
||||
# SET-ex3 = SET extension number 3
|
||||
|
||||
@ -175,7 +176,7 @@ basicConstraints=CA:FALSE
|
||||
# the certificate can be used for anything *except* object signing.
|
||||
|
||||
# This is OK for an SSL server.
|
||||
# nsCertType = server
|
||||
nsCertType = client #CERTTYPE
|
||||
|
||||
# For an object signing certificate this would be used.
|
||||
# nsCertType = objsign
|
||||
@ -190,7 +191,7 @@ basicConstraints=CA:FALSE
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# This will be displayed in Netscape's comment listbox.
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
nsComment = "FIC 2014 generated certificates"
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
|
Loading…
Reference in New Issue
Block a user