server/misc/CA.sh

# TODO key usage

OPENSSL_CONF=$(pwd)/openssl.cnf

TOP_DIR=fic_pki

CAKEY=./cakey.key
CAREQ=./careq.csr
CACERT=./cacert.crt
DAYS=365

GREEN="\033[1;32m"
RED="\033[1;31m"
COLOR_RST="\033[0m"

usage()
{
    echo "Usage: $0 (-newca|-newserver|-newclient NAME)"
    exit 1
}

[ $# -lt 1 ] && usage

export OPENSSL_CONF=${OPENSSL_CONF}

case $1 in
    "-newca" )
        echo -e -n "${GREEN}Create the directories, take care this will delete"
        echo -e "the old directories ${COLOR_RST}"
        sleep 1; echo -n "1 "; sleep 1; echo -n "2 "; sleep 1; echo "3"

        rm -rf ${TOP_DIR}
        mkdir -p ${TOP_DIR}/certs
        mkdir -p ${TOP_DIR}/crl
        mkdir -p ${TOP_DIR}/newcerts
        mkdir -p ${TOP_DIR}/private
        touch ${TOP_DIR}/index.txt

        echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
        sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
        sed -i "s/=.*#DIR/= ${TOP_DIR} #DIR/" $OPENSSL_CONF
        sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF

        openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY}         \
                    -out ${TOP_DIR}/${CAREQ}

        echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
        openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT}          \
                -days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY}          \
                -selfsign -extensions v3_ca -infiles ${TOP_DIR}/${CAREQ}
        ;;
    "-newserver" )
        echo -e "${GREEN}Making the Server key and cert${COLOR_RST}"
        if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
            echo -e "${RED}Can not found the CA's key${COLOR_RST}"
            exit 2
        fi
        sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
        openssl req -batch -new -keyout server.key -out server.csr -days ${DAYS}
        echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
        openssl ca -policy policy_match -out server.crt -infiles server.csr
        if [ $? -ne 0 ]; then
            echo -e "${RED}Signing failed${COLOR_RST}"
            rm -rf server.key server.crt server.csr
            exit 3
        else
            rm server.csr # remove ?
            echo -e "${GREEN}Signed certificate is in server.crt${COLOR_RST}"
        fi
        ;;
    "-newclient" )
        [ $# -ne 2 ] && "Usage: $0 -newclient NAME"
        echo -e "${GREEN}Making the client key and csr${COLOR_RST}"

        if ! [ -f ${TOP_DIR}/private/${CAKEY} ]; then
            echo -e "${RED}Can not found the CA's key${COLOR_RST}"
            exit 2
        fi
        sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
        sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF

        openssl req -batch -new -keyout ${2}.key -out ${2}.csr -days ${DAYS}
        echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
        openssl ca -policy policy_match -out ${2}.crt -infiles ${2}.csr
        if [ $? -ne 0 ]; then
            echo -e "${RED}Signing failed${COLOR_RST}"
            exit 3
        fi
        echo -e "${GREEN}Export the Client files to pkcs12${COLOR_RST}"
        openssl pkcs12 -export -inkey ${2}.key  -in ${2}.crt -name ${2} -out ${2}.p12
        if [ $? -ne 0 ]; then
            echo -e "${RED}pkcs12 export failed${COLOR_RST}"
            exit 4
        else
            echo -e "Exported pkcs12 file is ${2}.p12"
        fi

        rm -rf ${2}.key ${2}.csr ${2}.crt
        ;;
    * )
        usage
        ;;
esac