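#!/usr/bin/env bash
#
# Small OpenSSL CA driver: builds a CA, issues a server certificate, issues
# client certificates (key + cert + PKCS#12 bundle) and revokes them.
#
# The openssl.cnf in use must carry the markers `#COMMONNAME`, `#DIR` and
# `#CERTTYPE` at the end of the lines this script rewrites in place with
# `sed -i` (everything between the `=` and the marker is replaced).
#
# Usage: $0 (-newca|-newserver|-newclient NAME|-revoke NAME)
#
# Environment:
#   TOP_DIR       root of the CA tree (default: pki)
#   OPENSSL_CONF  config file to use and rewrite (default: openssl.cnf)
#
# Exit codes: 1 usage/invalid name, 2 CA key missing, 3 signing failed,
#             4 openssl step failed, 5 pwgen not installed.
#
# The script uses `[[ ]]`, `printf '%b'` and arrays-free bash only; it was
# previously run under /bin/sh, where `[[` and `echo -e` are not portable.
set -euo pipefail

TOP_DIR=${TOP_DIR:-pki}
OPENSSL_CONF=${OPENSSL_CONF:-openssl.cnf}

readonly CAKEY=./cakey.key
readonly CAREQ=./careq.csr
readonly CACERT=./cacert.crt
readonly DAYS=365

# Colour escapes are disabled; uncomment to re-enable.  Messages are printed
# with printf '%b', which interprets the escapes like `echo -e` did.
#GREEN="\033[1;32m"
#RED="\033[1;31m"
#COLOR_RST="\033[0m"
GREEN=""
RED=""
COLOR_RST=""
BOLD=""
END_BOLD=""

# Scratch file holding the output of each openssl call; created in main and
# removed by the EXIT trap on every exit path.
OUTPUT=

#######################################
# Print a message to stdout (escapes interpreted, for the colour codes).
#######################################
info() {
  printf '%b\n' "$*"
}

#######################################
# Print a diagnostic to stderr (escapes interpreted, for the colour codes).
#######################################
warn() {
  printf '%b\n' "$*" >&2
}

usage() {
  printf 'Usage: %s (-newca|-newserver|-newclient NAME|-revoke NAME)\n' "$0" >&2
  exit 1
}

#######################################
# Exit 5 unless the given command is on PATH.
# Arguments: $1 - command name
#######################################
require_cmd() {
  if ! command -v "$1" > /dev/null 2>&1; then
    printf 'command not found: %s\n' "$1" >&2
    exit 5
  fi
}

#######################################
# Exit 2 unless the CA private key exists under $TOP_DIR.
#######################################
require_ca_key() {
  if [[ ! -f "${TOP_DIR}/private/${CAKEY}" ]]; then
    warn "${RED}Can not found the CA's key${COLOR_RST}"
    exit 2
  fi
}

#######################################
# Validate a client/team NAME.  The name is used as a file name, as a path
# component under $TOP_DIR and as the certificate Common Name written into
# $OPENSSL_CONF, so reject anything that could escape the CA tree (path
# separators, leading '-' or '.') or break the sed edit (newlines, '&', '\').
# Arguments: $1 - name
#######################################
check_name() {
  if [[ ! "$1" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
    printf '%bInvalid name: %s%b\n' "${RED}" "$1" "${COLOR_RST}" >&2
    exit 1
  fi
}

#######################################
# Escape a string for the replacement side of a sed s||| command
# ('\', '/' and '&' are the characters that would be interpreted).
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout
#######################################
sed_escape() {
  printf '%s' "$1" | sed -e 's|[&/\\]|\\&|g'
}

#######################################
# Rewrite one marked line of $OPENSSL_CONF in place.
# Arguments: $1 - marker (COMMONNAME, DIR or CERTTYPE)
#            $2 - new value placed between the '=' and the '#MARKER' comment
#######################################
set_conf() {
  local marker=$1
  local value
  value=$(sed_escape "$2")
  sed -i "s/=.*#${marker}/= ${value} #${marker}/" -- "${OPENSSL_CONF}"
}

#######################################
# Run a command with all output captured in $OUTPUT; dump that output only
# when the command fails, so a successful run stays quiet.
# Arguments: command and its arguments
# Returns:   the command's exit status
#######################################
run_quiet() {
  if "$@" > "${OUTPUT}" 2>&1; then
    return 0
  fi
  cat -- "${OUTPUT}"
  return 1
}

#######################################
# Generate a 12-character passphrase (used for the key and the .p12).
# Outputs: the passphrase on stdout
#######################################
new_password() {
  pwgen -n -B -y 12 1
}

#######################################
# Reset state.  "ca" wipes and recreates the whole CA tree (TOP_DIR must be
# non-empty, guarded by :?); "client NAME" removes NAME's key and csr.
# Arguments: $1 - "ca" or "client"; $2 - client name when $1 is "client"
#######################################
clean() {
  case "$1" in
    ca)
      rm -rf -- "${TOP_DIR:?}"
      mkdir -p -- "${TOP_DIR}/certs" "${TOP_DIR}/crl" "${TOP_DIR}/newcerts" \
        "${TOP_DIR}/private" "${TOP_DIR}/pkcs"
      # The CA key lives here unencrypted (see new_ca): owner-only directory.
      chmod 700 -- "${TOP_DIR}/private"
      ;;
    client)
      rm -f -- "${2}.key" "${2}.csr"
      ;;
  esac
}

#######################################
# -newca: wipe $TOP_DIR, create the CA key and self-signed certificate.
# Globals: PKI_PASS (exported while openssl runs, then unset)
#######################################
new_ca() {
  info "${GREEN}Create the directories, take care this will delete the old directories ${COLOR_RST}"
  clean ca
  touch -- "${TOP_DIR}/index.txt"

  info "${GREEN}Making CA key and csr${COLOR_RST}"
  set_conf COMMONNAME 'FIC2014 CA'
  set_conf DIR "${TOP_DIR}"
  set_conf CERTTYPE objsign

  require_cmd pwgen
  # Passed to openssl via env: rather than pass: so the passphrase does not
  # show up in the process list.
  PKI_PASS=$(new_password)
  export PKI_PASS
  run_quiet openssl req -batch -new -keyout "${TOP_DIR}/private/${CAKEY}" \
    -out "${TOP_DIR}/${CAREQ}" -passout env:PKI_PASS \
    -config "${OPENSSL_CONF}" || { clean ca; exit 4; }

  # Strip the passphrase again so the CA can be driven unattended
  # (FIC 2014 automation); the key file is rewritten in place.
  run_quiet openssl rsa -passin env:PKI_PASS -in "${TOP_DIR}/private/${CAKEY}" \
    -out "${TOP_DIR}/private/${CAKEY}" || { clean ca; exit 4; }
  unset PKI_PASS

  info "${GREEN}Self signes the CA certificate${COLOR_RST}"
  run_quiet openssl ca -batch -create_serial -out "${TOP_DIR}/${CACERT}" \
    -days "${DAYS}" -keyfile "${TOP_DIR}/private/${CAKEY}" \
    -selfsign -extensions v3_ca -config "${OPENSSL_CONF}" \
    -infiles "${TOP_DIR}/${CAREQ}" || { clean ca; exit 4; }
}

#######################################
# -newserver: create server.key/server.csr and sign server.crt with the CA.
#######################################
new_server() {
  info "${GREEN}Making the Server key and cert${COLOR_RST}"
  require_ca_key
  set_conf COMMONNAME 'FIC2014 Server'
  set_conf CERTTYPE server

  run_quiet openssl req -batch -new -keyout server.key -out server.csr \
    -days "${DAYS}" -config "${OPENSSL_CONF}" || exit 4

  info "${GREEN}Signing the Server crt${COLOR_RST}"
  # NOTE(review): no -batch here, unlike the client path, so openssl ca may
  # ask for interactive confirmation — confirm whether that is intended.
  if ! run_quiet openssl ca -policy policy_match -config "${OPENSSL_CONF}" \
    -out server.crt -infiles server.csr; then
    warn "${RED}Signing failed for new server${COLOR_RST}"
    rm -f -- server.key server.crt server.csr
    exit 3
  fi
  rm -f -- server.csr
  info "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
}

#######################################
# -newclient NAME: create NAME.key, sign NAME.crt, bundle both into
# $TOP_DIR/pkcs/NAME.p12 and record the bundle passphrase in
# $TOP_DIR/../teams.pass.  The key and csr are removed at the end.
# Arguments: $1 - client name (validated by check_name)
# Globals:   PKI_PASS (exported while openssl runs, then unset)
#######################################
new_client() {
  local name=$1
  check_name "${name}"
  printf '%s\n' "=============================================================="
  info "${GREEN}Making the client key and csr of ${BOLD}${name}${END_BOLD}${COLOR_RST}"
  require_ca_key
  set_conf COMMONNAME "${name}"
  set_conf CERTTYPE client

  require_cmd pwgen
  # env: instead of pass: keeps the passphrase out of the process list.
  PKI_PASS=$(new_password)
  export PKI_PASS
  run_quiet openssl req -batch -new -keyout "${name}.key" -out "${name}.csr" \
    -config "${OPENSSL_CONF}" -passout env:PKI_PASS -days "${DAYS}" \
    || { clean client "${name}"; exit 4; }

  info "${GREEN}Signing the Client crt${COLOR_RST}"
  if ! run_quiet openssl ca -batch -policy policy_match -out "${name}.crt" \
    -config "${OPENSSL_CONF}" -infiles "${name}.csr"; then
    warn "${RED}Signing failed for ${name} ${COLOR_RST}"
    clean client "${name}"
    exit 3
  fi

  info "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
  if ! run_quiet openssl pkcs12 -export -inkey "${name}.key" -in "${name}.crt" \
    -name "${name}" -passin env:PKI_PASS \
    -out "${TOP_DIR}/pkcs/${name}.p12" -passout env:PKI_PASS; then
    warn "${RED}pkcs12 export failed for ${BOLD}${name}${END_BOLD}${COLOR_RST}"
    clean client "${name}"
    exit 4
  fi
  info "Exported pkcs12 file is ${name}.p12"

  mv -- "${name}.crt" "${TOP_DIR}/certs"
  # teams.pass holds cleartext passphrases: make sure it is created
  # owner-only before appending to it (no-op if it already exists).
  ( umask 077; : >> "${TOP_DIR}/../teams.pass" )
  printf '%s:%s\n' "${name}" "${PKI_PASS}" >> "${TOP_DIR}/../teams.pass"
  unset PKI_PASS
  clean client "${name}"
}

#######################################
# -revoke NAME: revoke NAME's certificate in the CA database and delete the
# issued .crt and .p12.
# Arguments: $1 - client name (validated by check_name)
#######################################
revoke() {
  local name=$1
  check_name "${name}"
  info "${GREEN}Revocate ${BOLD}${name}${END_BOLD}${COLOR_RST}"
  if ! run_quiet openssl ca -revoke "${TOP_DIR}/certs/${name}.crt" \
    -config "${OPENSSL_CONF}" -keyfile "${TOP_DIR}/private/${CAKEY}" \
    -cert "${TOP_DIR}/${CACERT}"; then
    warn "${RED}Revocation failed for ${BOLD}${name}${END_BOLD}${COLOR_RST}"
    exit 4
  fi
  rm -f -- "${TOP_DIR}/certs/${name}.crt" "${TOP_DIR}/pkcs/${name}.p12"
}

main() {
  (( $# >= 1 )) || usage
  OUTPUT=$(mktemp)
  trap 'rm -f -- "${OUTPUT}"' EXIT
  case "$1" in
    -newca)
      new_ca
      ;;
    -newserver)
      new_server
      ;;
    -newclient)
      if (( $# != 2 )); then
        printf 'Usage: %s -newclient NAME\n' "$0" >&2
        exit 1
      fi
      new_client "$2"
      ;;
    -revoke)
      if (( $# != 2 )); then
        printf 'Usage: %s -revoke NAME\n' "$0" >&2
        exit 1
      fi
      revoke "$2"
      ;;
    *)
      usage
      ;;
  esac
}

main "$@"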