fic/server
2
0
Fork 0
Code Issues Pull Requests 10 Releases Wiki Activity
4a67552a29
server/misc/CA.sh

228 lines
7.2 KiB
Bash
Executable File
Raw Blame History

#! /bin/sh
if [[ -z "${TOP_DIR}" ]]; then
TOP_DIR=pki
fi
if [[ -z "${OPENSSL_CONF}" ]]; then
OPENSSL_CONF=openssl.cnf
fi
CAKEY=./cakey.key
CAREQ=./careq.csr
CACERT=./cacert.crt
DAYS=2
#GREEN="\033[1;32m"
#RED="\033[1;31m"
#COLOR_RST="\033[0m"
GREEN="<font color=green>"
RED="<font color=red>"
COLOR_RST="</font>"
BOLD="<b>"
END_BOLD="</b>"
usage()
{
echo "Usage: $0 (-newca|-newserver|-newclient NAME|-revoke NAME|-gencrl)"
exit 1
}
clean()
{
if [ "$1" = "ca" ]; then
rm -rf ${TOP_DIR}
mkdir -p ${TOP_DIR}/certs
mkdir -p ${TOP_DIR}/crl
mkdir -p ${TOP_DIR}/newcerts
mkdir -p ${TOP_DIR}/private
mkdir -p ${TOP_DIR}/pkcs
echo "01" > ${TOP_DIR}/crlnumber
elif [ "$1" = "client" ]; then
rm -rf ${TOP_DIR}/${2}.key ${TOP_DIR}/${2}.csr
fi
rm -rf $OUTPUT
}
[ $# -lt 1 ] && usage
OUTPUT=$(mktemp)
case $1 in
"-newca" )
echo -e -n "${GREEN}Create the directories, take care this will delete"
echo -e "the old directories ${COLOR_RST}"
# sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"
clean "ca"
touch ${TOP_DIR}/index.txt
ESCAPED=$(echo "${TOP_DIR}" | sed 's/[\/\.]/\\&/g')
echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
type pwgen > /dev/null
if [ $? -ne 0 ]; then
echo "command not found: pwgen"
exit 5
fi
pass=`pwgen -n -B -y 12 1`
openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \
-out ${TOP_DIR}/${CAREQ} -passout pass:$pass \
-config $OPENSSL_CONF -extensions CORE_CA > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
cat $OUTPUT
clean "ca"
exit 4
fi
# This line deleted the passphase for the FIC 2014 automatisation
openssl rsa -passin pass:$pass -in ${TOP_DIR}/private/${CAKEY} \
-out ${TOP_DIR}/private/${CAKEY} > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
cat $OUTPUT
clean "ca"
exit 4
fi
echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \
-days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \
-selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \
-infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
cat $OUTPUT
clean "ca"
exit 4
fi
;;
"-newserver" )
echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"
if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
echo -e "${RED}Can not found the CA's key${COLOR_RST}"
exit 2
fi
sed -i 's/=.*#COMMONNAME/=10.226.3.70#COMMONNAME/' $OPENSSL_CONF
openssl req -batch -new -keyout server.key -out server.csr \
-days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
cat $OUTPUT
exit 4
fi
echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
openssl ca -policy policy_match -config ${OPENSSL_CONF} \
-out server.crt -extensions SERVER_SSL -infiles server.csr
if [ $? -ne 0 ]; then
echo -e "${RED}Signing failed for new server${COLOR_RST}"
rm -rf server.key server.crt server.csr
cat $OUTPUT
exit 3
else
rm server.csr # remove ?
echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
fi
;;
"-newclient" )
if [ $# -ne 2 ]; then
echo "Usage: $0 -newclient NAME"
exit 1
fi
echo "=============================================================="
echo -e "${GREEN}Making the client key and csr of ${BOLD}${2}${END_BOLD}${COLOR_RST}"
ESCAPED=$(echo "${TOP_DIR}" | sed 's/[\/\.]/\\&/g')
sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
echo -e "${RED}Can not found the CA's key${COLOR_RST}"
exit 2
fi
sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
type pwgen > /dev/null
if [ $? -ne 0 ]; then
echo "command not found: pwgen"
exit 5
fi
pass=`pwgen -n -B -y 12 1`
openssl req -batch -new -keyout ${TOP_DIR}/${2}.key -out ${TOP_DIR}/${2}.csr \
-config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
cat $OUTPUT
clean "client" $2
exit 4
fi
echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
openssl ca -batch -policy policy_match -out ${TOP_DIR}/${2}.crt \
-config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles ${TOP_DIR}/${2}.csr > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
echo -e "${RED}Signing failed for $2 ${COLOR_RST}"
cat $OUTPUT
clean "client" $2
exit 3
fi
echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
openssl pkcs12 -export -inkey ${TOP_DIR}/${2}.key -in ${TOP_DIR}/${2}.crt -name ${2} \
-passin pass:$pass -out ${TOP_DIR}/pkcs/${2}.p12 \
-passout pass:$pass > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
echo -e "${RED}pkcs12 export failed for ${BOLD}$2${END_BOLD}${COLOR_RST}"
cat $OUTPUT
clean "client" $2
exit 4
else
echo -e "Exported pkcs12 file is ${2}.p12"
fi
mv ${TOP_DIR}/${2}.crt ${TOP_DIR}/certs
echo "$2:$pass" >> ${TOP_DIR}/../teams.pass
echo "$pass"
clean "client" $2
;;
"-revoke" )
if [ $# -ne 2 ]; then
echo "Usage: $0 -revoke NAME"
exit 1
fi
echo -e "${GREEN}Revocate ${BOLD}${2}${END_BOLD}${COLOR_RST}"
openssl ca -revoke ${TOP_DIR}/certs/${2}.crt -config ${OPENSSL_CONF}\
-keyfile ${TOP_DIR}/private/${CAKEY} \
-cert ${TOP_DIR}/${CACERT} > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
echo -e "${RED}Revocation failed for ${BOLD}${2}${END_BOLD}${COLOR_RST}"
cat $OUTPUT
exit 4
fi
rm ${TOP_DIR}/certs/${2}.crt
rm ${TOP_DIR}/pkcs/${2}.p12
echo -e "${GREEN}Generate crl.pem${COLOR_RST}"
openssl ca -config ${OPENSSL_CONF} -gencrl -out ${TOP_DIR}/crl.pem > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
echo -e "${RED}Generate crl.pem failed"
cat $OUTPUT
exit 5
fi
;;
"-gencrl" )
echo -e "${GREEN}Generate crl.pem${COLOR_RST}"
openssl ca -config ${OPENSSL_CONF} -gencrl -out ${TOP_DIR}/crl.pem > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
echo -e "${RED}Generate crl.pem failed"
cat $OUTPUT
exit 5
fi
;;
* )
usage
;;
esac
Reference in New Issue View Git Blame Copy Permalink