#!/bin/sh cd $(dirname "$0") if [ -z "${PKI_BASEDIR}" ]; then PKI_BASEDIR=$(dirname `pwd`) # equivalent to $(realpath `pwd`/.. fi PKI_DIR=${PKI_BASEDIR}/PKI SHARED_DIR=${PKI_DIR}/shared OPENSSL_CONF=`pwd`/openssl.cnf CAKEY=${PKI_DIR}/private/cakey.key CAREQ=${PKI_DIR}/careq.csr CACRT=${SHARED_DIR}/cacert.crt CADER=${SHARED_DIR}/cacert.der SRVKEY=${SHARED_DIR}/server.key SRVREQ=${SHARED_DIR}/server.csr SRVCRT=${SHARED_DIR}/server.crt # Generate certificates valid for: DAYS=2 STARTDATE=160125000000Z ENDDATE=160126235959Z VALIDITY="-startdate ${STARTDATE} -enddate ${ENDDATE}" #VALIDITY="-days ${DAYS}" if [ -z "$PS1" ] then GREEN="\033[1;32m" RED="\033[1;31m" COLOR_RST="\033[0m" BOLD="" END_BOLD="" ECHO_OPTS="-e" else GREEN="" RED="" COLOR_RST="" BOLD="" END_BOLD="" ECHO_OPTS="" fi usage() { echo "Usage: $0 (-newca|-newserver IP/URL|-revokeserver|-newclient NAME|-revoke NAME|-gencrl)" exit 1 } clean() { if [ "$1" = "ca" ]; then rm -rf ${PKI_DIR}/* ${SHARED_DIR}/* mkdir -p ${PKI_DIR}/certs ${PKI_DIR}/crl ${PKI_DIR}/newcerts \ ${PKI_DIR}/private ${PKI_DIR}/pkcs ${SHARED_DIR} echo "01" > ${PKI_DIR}/crlnumber elif [ "$1" = "client" ]; then rm -rf ${PKI_DIR}/${2}.key ${PKI_DIR}/${2}.csr fi rm -rf $OUTPUT } gen_crl() { echo $ECHO_OPTS "${GREEN}Generate shared/crl.pem${COLOR_RST}" if ! openssl ca -config ${OPENSSL_CONF} -gencrl -out ${SHARED_DIR}/crl.pem > $OUTPUT 2>&1 then echo $ECHO_OPTS "${RED}Generate shared/crl.pem failed" cat $OUTPUT exit 5 fi } [ $# -lt 1 ] && usage OUTPUT=$(mktemp) case $1 in "-newca" ) echo $ECHO_OPTS "${GREEN}Create the directories, take care this will delete the old directories ${COLOR_RST}" clean "ca" touch ${PKI_DIR}/index.txt ESCAPED=$(echo "${PKI_DIR}" | sed 's/[\/\.]/\\&/g') echo $ECHO_OPTS "${GREEN}Making CA key and csr${COLOR_RST}" sed -i 's/=.*#COMMONNAME/= FIC CA #COMMONNAME/' $OPENSSL_CONF sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF sed -i "s/=.*#DAYS/= ${DAYS} #DAYS/" $OPENSSL_CONF type pwgen > /dev/null if [ $? -ne 0 ]; then echo "command not found: pwgen" exit 5 fi pass=`pwgen -n -B -y 12 1` if ! openssl req -batch -new -keyout ${CAKEY} \ -out ${CAREQ} -passout pass:$pass \ -config ${OPENSSL_CONF} -extensions CORE_CA > $OUTPUT 2>&1 then cat $OUTPUT clean "ca" exit 4 fi # This line deleted the passphase for the FIC 2014 automatisation if ! openssl rsa -passin pass:$pass -in ${CAKEY} \ -out ${CAKEY} > $OUTPUT 2>&1 then cat $OUTPUT clean "ca" exit 4 fi echo $ECHO_OPTS "${GREEN}Self signes the CA certificate${COLOR_RST}" if ! openssl ca -batch -create_serial -out ${CACRT} \ ${VALIDITY} -keyfile ${CAKEY} \ -selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \ -infiles ${CAREQ} > $OUTPUT 2>&1 then cat $OUTPUT clean "ca" exit 4 fi echo $ECHO_OPTS "${GREEN}Generate DER format${COLOR_RST}" openssl x509 -in ${CACRT} -inform PEM -out ${CADER} -outform DER ;; "-newserver" ) if [ $# -lt 2 ]; then echo "Give as first argument the production IP or the domain that this certificat will cover." echo "eg.: $0 -newserver 10.42.23.69" echo " $0 -newserver fic.srs.epita.fr" exit 1 fi echo $ECHO_OPTS "${GREEN}Making the Server key and cert${COLOR_RST}" if ! [ -f ${CAKEY} ]; then echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}" exit 2 fi sed -i "s/=.*#COMMONNAME/=$2#COMMONNAME/" $OPENSSL_CONF sed -i "s/=.*#DAYS/= ${DAYS} #DAYS/" $OPENSSL_CONF if ! openssl req -batch -new -keyout ${SRVKEY} -out ${SRVREQ} \ -days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1 then cat $OUTPUT exit 4 fi echo $ECHO_OPTS "${GREEN}Signing the Server crt${COLOR_RST}" if ! openssl ca -policy policy_match -config ${OPENSSL_CONF} \ -out ${SRVCRT} -extensions SERVER_SSL -infiles ${SRVREQ} then echo $ECHO_OPTS "${RED}Signing failed for new server${COLOR_RST}" rm -f ${SRVKEY} ${SRVREQ} ${SRVCRT} cat $OUTPUT exit 3 else rm ${SRVREQ} echo $ECHO_OPTS "${GREEN}Signed certificate is in ${SRVCRT}${COLOR_RST}" fi ;; "-revokeserver" ) echo $ECHO_OPTS "${GREEN}Revocate server certificate${COLOR_RST}" if ! [ -f ${CAKEY} ]; then echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}" exit 2 fi if ! openssl ca -revoke ${SRVCRT} -config ${OPENSSL_CONF} \ -keyfile ${CAKEY} -cert ${CACRT} > $OUTPUT 2>&1 then echo $ECHO_OPTS "${RED}Server certificate revocation failed${COLOR_RST}" cat $OUTPUT exit 4 fi rm ${SRVKEY} ${SRVCRT} gen_crl ;; "-newclient" ) if [ $# -ne 2 ]; then echo "Usage: $0 -newclient NAME" exit 1 fi CLTNAM=$2 CLTREQ=${PKI_DIR}/${CLTNAM}.csr CLTCRT=${PKI_DIR}/certs/${CLTNAM}.crt CLTKEY=${PKI_DIR}/${CLTNAM}.key CLTP12=${PKI_DIR}/pkcs/${CLTNAM}.p12 echo "==============================================================" echo $ECHO_OPTS "${GREEN}Making the client key and csr of ${BOLD}${2}${END_BOLD}${COLOR_RST}" ESCAPED=$(echo "${PKI_DIR}" | sed 's/[\/\.]/\\&/g') sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF sed -i "s/=.*#DAYS/= ${DAYS} #DAYS/" $OPENSSL_CONF if ! [ -f ${CAKEY} ]; then echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}" exit 2 fi sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF type pwgen > /dev/null if [ $? -ne 0 ]; then echo "command not found: pwgen" exit 5 fi pass=`pwgen -n -B -y 12 1` if ! openssl req -batch -new -keyout "${CLTKEY}" -out "${CLTREQ}" \ -config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1 then cat $OUTPUT clean "client" ${CLTNAM} exit 4 fi echo $ECHO_OPTS "${GREEN}Signing the Client crt${COLOR_RST}" if ! openssl ca -batch -policy policy_match -out "${CLTCRT}" \ -config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles "${CLTREQ}" > $OUTPUT 2>&1 then echo $ECHO_OPTS "${RED}Signing failed for $2 ${COLOR_RST}" cat $OUTPUT clean "client" ${CLTNAM} exit 3 fi echo $ECHO_OPTS "${GREEN}Export the Client files to pkcs12${COLOR_RST}" if ! openssl pkcs12 -export -inkey "${CLTKEY}" -in "${CLTCRT}" -name ${2} \ -passin pass:$pass -out "${CLTP12}" \ -passout pass:$pass > $OUTPUT 2>&1 then echo $ECHO_OPTS "${RED}pkcs12 export failed for ${BOLD}$2${END_BOLD}${COLOR_RST}" cat $OUTPUT clean "client" ${CLTNAM} exit 4 else echo $ECHO_OPTS "Exported pkcs12 file is ${CLTP12}" fi echo "$CLTNAM:$pass" >> ${PKI_DIR}/teams.pass echo "$CLTNAM:$pass" clean "client" ${CLTNAM} ;; "-revoke" ) if [ $# -ne 2 ]; then echo "Usage: $0 -revoke NAME" exit 1 fi CLTNAM=$2 CLTCRT=${PKI_DIR}/certs/${CLTNAM}.crt CLTP12=${PKI_DIR}/pkcs/${CLTNAM}.p12 echo $ECHO_OPTS "${GREEN}Revocate ${BOLD}${CLTNAM}${END_BOLD}${COLOR_RST}" if ! openssl ca -revoke "${CLTCRT}" -config "${OPENSSL_CONF}" \ -keyfile "${CAKEY}" -cert "${CACRT}" > $OUTPUT 2>&1 then echo $ECHO_OPTS "${RED}Revocation failed for ${BOLD}${CLTNAM}${END_BOLD}${COLOR_RST}" cat $OUTPUT exit 4 fi rm "${CLTCRT}" "${CLTP12}" gen_crl ;; "-gencrl" ) gen_crl ;; * ) usage ;; esac