fic/server
Archived
1
0
Fork 0
Code Issues Pull requests 10 Releases Wiki Activity

CA script done

Browse source
This commit is contained in:
Li Chen 2013-10-26 16:41:21 +02:00
commit fa6fc60759
2 changed files with 97 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

128
misc/CA.sh
View file

@ -1,49 +1,99 @@
# Create CA for client # TODO key usage
#openssl genrsa -des3 -out ca.key 4096
#openssl req -new -x509 -days 365 -key ca.key -out ca.crt
#
## Server cert
#openssl genrsa -des3 -out server.key 2028
#openssl req -new -key server.key -out server.csr
#
## Self sign ??
#openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# TODO serial OPENSSL_CONF=$(pwd)/openssl.cnf
# TODO common name
OPENSSL_CONF=openssl.cnf TOP_DIR=fic_pki
[ $# -ne 1 ] && echo "Usage: $0 init CAKEY=./cakey.key
client NAME" CAREQ=./careq.csr
CACERT=./cacert.crt
DAYS=365
GREEN="\033[1;32m"
RED="\033[1;31m"
COLOR_RST="\033[0m"
usage()
{
echo "Usage: $0 (-newca|-newserver|-newclient NAME)"
exit 1
}
[ $# -lt 1 ] && usage
export OPENSSL_CONF=${OPENSSL_CONF}
case $1 in case $1 in
"init" ) "-newca" )
echo "Create CA for signing client certs" echo -e -n "${GREEN}Create the directories, take care this will delete"
openssl genrsa -des3 -out ca.key 4096 echo -e "the old directories ${COLOR_RST}"
sed -i 's/=.*#CommonName/= FIC2014 CA#CommonNameEnd/' $OPENSSL_CONF sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"
openssl req -batch -new -x509 -days 365 -key ca.key -out ca.crt
echo "Create server cert" rm -rf ${TOP_DIR}
openssl genrsa -des3 -out server.key 2048 mkdir -p ${TOP_DIR}/certs
sed -i 's/=.*#CommonNameEnd/= FIC2014 Server#CommonNameEnd/' $OPENSSL_CONF mkdir -p ${TOP_DIR}/crl
openssl req -batch -new -key server.key -out server.csr mkdir -p ${TOP_DIR}/newcerts
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt mkdir -p ${TOP_DIR}/private
rm server.csr touch ${TOP_DIR}/index.txt
;;
"client" )
[ $# -ne 2 ] && "client Usage"
openssl genrsa -des3 -out client.key 2048
sed -i "s/=.*#CommonNameEnd/= $2#CommonNameEnd/" $OPENSSL_CONF
openssl req -batch -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl pkcs12 -export -inkey client.key -in client.crt -name $2 -out ${2}.p12
rm client.key echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
rm client.csr sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
rm client.crt sed -i "s/=.*#DIR/= ${TOP_DIR} #DIR/" $OPENSSL_CONF
sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \
-out ${TOP_DIR}/${CAREQ}
echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \
-days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \
-selfsign -extensions v3_ca -infiles ${TOP_DIR}/${CAREQ}
;; ;;
"*" ) "-newserver" )
echo "*" if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
echo -e "${RED}Can not found the CA's key${COLOR_RST}"
exit 2
fi
echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"
sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
openssl req -batch -new -keyout server.key -out server.csr -days ${DAYS}
echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
openssl ca -policy policy_match -out server.crt -infiles server.csr
if [ $? -ne 0 ]; then
echo -e "${RED}Signing failed${COLOR_RST}"
rm -rf server.key server.crt server.csr
exit 3
else
rm server.csr # remove ?
echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
fi
;;
"-newclient" )
[ $# -ne 2 ] && "Usage: $0 -newclient NAME"
echo -e "${GREEN}Making the client key and csr${COLOR_RST}"
sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF
openssl req -batch -new -keyout ${2}.key -out ${2}.csr -days ${DAYS}
echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
openssl ca -policy policy_match -out ${2}.crt -infiles ${2}.csr
if [ $? -ne 0 ]; then
echo -e "${RED}Signing failed${COLOR_RST}"
exit 3
fi
echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
openssl pkcs12 -export -inkey ${2}.key -in ${2}.crt -name ${2} -out ${2}.p12
if [ $? -ne 0 ]; then
echo -e "${RED}pkcs12 export failed${COLOR_RST}"
exit 4
else
echo -e "Exported pkcs12 file is ${2}.p12"
fi
rm -rf ${2}.key ${2}.csr ${2}.crt
;;
* )
usage
;; ;;
esac esac

13
misc/openssl.cnf
View file

@ -39,7 +39,7 @@ default_ca = CA_default # The default ca section
#################################################################### ####################################################################
[ CA_default ] [ CA_default ]
dir = /etc/ssl # Where everything is kept dir = fic_pki #DIR # Where everything is kept
certs = $dir/certs # Where the issued certs are kept certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file. database = $dir/index.txt # database index file.
@ -47,12 +47,12 @@ database = $dir/index.txt # database index file.
# several ctificates with same subject. # several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate certificate = $dir/cacert.crt # The CA certificate
serial = $dir/serial # The current serial number serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key private_key = $dir/private/cakey.key # The private key
RANDFILE = $dir/private/.rand # private random number file RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert x509_extensions = usr_cert # The extentions to add to the cert
@ -147,11 +147,12 @@ organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = SRS organizationalUnitName_default = SRS
commonName = Common Name (e.g. server FQDN or YOUR name) commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = tata#CommonNameEndEndEndEndEnd commonName_default = toto#COMMONNAME
commonName_max = 64 commonName_max = 64
emailAddress = Email Address emailAddress = Email Address
emailAddress_max = 64 emailAddress_max = 64
emailAddress_default = root@srs.epita.fr
# SET-ex3 = SET extension number 3 # SET-ex3 = SET extension number 3
@ -175,7 +176,7 @@ basicConstraints=CA:FALSE
# the certificate can be used for anything *except* object signing. # the certificate can be used for anything *except* object signing.
# This is OK for an SSL server. # This is OK for an SSL server.
# nsCertType = server nsCertType = client #CERTTYPE
# For an object signing certificate this would be used. # For an object signing certificate this would be used.
# nsCertType = objsign # nsCertType = objsign
@ -190,7 +191,7 @@ basicConstraints=CA:FALSE
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox. # This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate" nsComment = "FIC 2014 generated certificates"
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash