CA script done

2013-10-26 16:41:21 +02:00 · 2013-10-26 16:41:21 +02:00 · fa6fc60759
commit fa6fc60759
parent 8d55d30550
2 changed files with 96 additions and 45 deletions
--- a/misc/CA.sh
+++ b/misc/CA.sh
@ -1,49 +1,99 @@
-# Create CA for client
-#openssl genrsa -des3 -out ca.key 4096
-#openssl req -new -x509 -days 365 -key ca.key -out ca.crt
-#
-## Server cert
-#openssl genrsa -des3 -out server.key 2028
-#openssl req -new -key server.key -out server.csr
-#
-## Self sign ??
-#openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
+# TODO key usage

-# TODO serial
-# TODO common name
+OPENSSL_CONF=$(pwd)/openssl.cnf

-OPENSSL_CONF=openssl.cnf
+TOP_DIR=fic_pki

-[ $# -ne 1 ] && echo "Usage: $0 init
-                                client NAME"
+CAKEY=./cakey.key
+CAREQ=./careq.csr
+CACERT=./cacert.crt
+DAYS=365
+
+GREEN="\033[1;32m"
+RED="\033[1;31m"
+COLOR_RST="\033[0m"
+
+usage()
+{
+    echo "Usage: $0 (-newca|-newserver|-newclient NAME)"
+    exit 1
+}
+
+[ $# -lt 1 ] && usage
+
+export OPENSSL_CONF=${OPENSSL_CONF}

 case $1 in
-    "init" )
-        echo "Create CA for signing client certs"
-        openssl genrsa -des3 -out ca.key 4096
-        sed -i 's/=.*#CommonName/= FIC2014 CA#CommonNameEnd/' $OPENSSL_CONF
-        openssl req -batch -new -x509 -days 365 -key ca.key -out ca.crt
+    "-newca" )
+        echo -e -n "${GREEN}Create the directories, take care this will delete"
+        echo -e "the old directories ${COLOR_RST}"
+        sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"

-        echo "Create server cert"
-        openssl genrsa -des3 -out server.key 2048
-        sed -i 's/=.*#CommonNameEnd/= FIC2014 Server#CommonNameEnd/' $OPENSSL_CONF
-        openssl req -batch -new -key server.key -out server.csr
-        openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
-        rm server.csr
-        ;;
-    "client" )
-        [ $# -ne 2 ] && "client Usage"
-        openssl genrsa -des3 -out client.key 2048
-        sed -i "s/=.*#CommonNameEnd/= $2#CommonNameEnd/" $OPENSSL_CONF
-        openssl req -batch -new -key client.key -out client.csr
-        openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
-        openssl pkcs12 -export -inkey client.key  -in client.crt -name $2 -out ${2}.p12
+        rm -rf ${TOP_DIR}
+        mkdir -p ${TOP_DIR}/certs
+        mkdir -p ${TOP_DIR}/crl
+        mkdir -p ${TOP_DIR}/newcerts
+        mkdir -p ${TOP_DIR}/private
+        touch ${TOP_DIR}/index.txt

-        rm client.key
-        rm client.csr
-        rm client.crt
+        echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
+        sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
+        sed -i "s/=.*#DIR/= ${TOP_DIR} #DIR/" $OPENSSL_CONF
+        sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
+
+        openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY}         \
+                    -out ${TOP_DIR}/${CAREQ}
+
+        echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
+        openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT}          \
+                -days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY}          \
+                -selfsign -extensions v3_ca -infiles ${TOP_DIR}/${CAREQ}
        ;;
-    "*" )
-        echo "*"
+    "-newserver" )
+        if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
+            echo -e "${RED}Can not found the CA's key${COLOR_RST}"
+            exit 2
+        fi
+        echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"
+        sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
+        openssl req -batch -new -keyout server.key -out server.csr -days ${DAYS}
+        echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
+        openssl ca -policy policy_match -out server.crt -infiles server.csr
+        if [ $? -ne 0 ]; then
+            echo -e "${RED}Signing failed${COLOR_RST}"
+            rm -rf server.key server.crt server.csr
+            exit 3
+        else
+            rm server.csr # remove ?
+            echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
+        fi
+        ;;
+    "-newclient" )
+        [ $# -ne 2 ] && "Usage: $0 -newclient NAME"
+        echo -e "${GREEN}Making the client key and csr${COLOR_RST}"
+
+        sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
+        sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF
+
+        openssl req -batch -new -keyout ${2}.key -out ${2}.csr -days ${DAYS}
+        echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
+        openssl ca -policy policy_match -out ${2}.crt -infiles ${2}.csr
+        if [ $? -ne 0 ]; then
+            echo -e "${RED}Signing failed${COLOR_RST}"
+            exit 3
+        fi
+        echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
+        openssl pkcs12 -export -inkey ${2}.key  -in ${2}.crt -name ${2} -out ${2}.p12
+        if [ $? -ne 0 ]; then
+            echo -e "${RED}pkcs12 export failed${COLOR_RST}"
+            exit 4
+        else
+            echo -e "Exported pkcs12 file is ${2}.p12"
+        fi
+
+        rm -rf ${2}.key ${2}.csr ${2}.crt
+        ;;
+    * )
+        usage
        ;;
 esac
--- a/misc/openssl.cnf
+++ b/misc/openssl.cnf
@ -39,7 +39,7 @@ default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]

-dir		= /etc/ssl		# Where everything is kept
+dir		= fic_pki #DIR 		# Where everything is kept
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
@ -47,12 +47,12 @@ database	= $dir/index.txt	# database index file.
 					# several ctificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.

-certificate	= $dir/cacert.pem 	# The CA certificate
+certificate	= $dir/cacert.crt 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crlnumber	= $dir/crlnumber	# the current crl number
 					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
-private_key	= $dir/private/cakey.pem# The private key
+private_key	= $dir/private/cakey.key # The private key
 RANDFILE	= $dir/private/.rand	# private random number file

 x509_extensions	= usr_cert		# The extentions to add to the cert
@ -147,11 +147,12 @@ organizationalUnitName		= Organizational Unit Name (eg, section)
 organizationalUnitName_default	= SRS

 commonName			= Common Name (e.g. server FQDN or YOUR name)
-commonName_default		= tata#CommonNameEndEndEndEndEnd
+commonName_default		= toto#COMMONNAME
 commonName_max			= 64

 emailAddress			= Email Address
 emailAddress_max		= 64
+emailAddress_default		= root@srs.epita.fr

 # SET-ex3			= SET extension number 3

@ -175,7 +176,7 @@ basicConstraints=CA:FALSE
 # the certificate can be used for anything *except* object signing.

 # This is OK for an SSL server.
-# nsCertType			= server
+nsCertType			= client #CERTTYPE

 # For an object signing certificate this would be used.
 # nsCertType = objsign
@ -190,7 +191,7 @@ basicConstraints=CA:FALSE
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 # This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
+nsComment			= "FIC 2014 generated certificates"

 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash