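#!/bin/bash
#
# Creates self-signed ssl certificates
# Copyright (c) 2003-2008 by Silvan Calarco
# Copyright (c) 2003-2005 by Davide Madrisan
#
# Create server side certificates
# documentation taken from openssl howtos http://www.openssl.org/docs/HOWTO/
#
# Environment (every variable is optional; whatever is missing is prompted for):
#   CADAYS / CERTDAYS   validity in days of the CA certificate / server certificate
#   KEYBITS             RSA modulus size used for every key generated here
#   CAPASS CACOUNTRY CASTATE CACITY CAORGANIZATION CAOU CACOMMONNAME CAEMAIL
#                       CA passphrase and distinguished-name fields
#   CERTPASS CERTCOUNTRY CERTSTATE CERTCITY CERTORGANIZATION CERTOU
#   CERTCOMMONNAME CERTEMAIL
#                       same for the server certificate request
#
# Files written below $SSLDIR: private/cakey.pem and cacert.pem (only when no
# CA exists yet), private/localhost.key, localhost.csr, certs/localhost.crt.
#
# Passphrases and DN answers are fed to openssl's stdin straight from
# here-documents, so no secret is ever written to a temporary file.

SSLDIR=/var/ssl
: "${CADAYS:=3650}"
: "${CERTDAYS:=1825}"
: "${KEYBITS:=2048}"

#######################################
# Print a message on stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Ask for a value until the named variable is non-empty.
# Arguments: $1 - variable name (set in the caller's scope)
#            $2 - prompt, printed verbatim
#            $3 - default taken when the answer is empty (optional)
#######################################
prompt_value() {
  local var=$1 prompt=$2 default=${3-}
  while [[ -z "${!var}" ]]; do
    read -r -p "$prompt" "$var"
    [[ -n "${!var}" ]] || printf -v "$var" '%s' "$default"
  done
}

#######################################
# Ask for a two-letter country code until the named variable holds one.
# Arguments: $1 - variable name
#            $2 - prompt, printed verbatim
#            $3 - default taken when the answer is empty (optional)
#######################################
prompt_country() {
  local var=$1 prompt=$2 default=${3-}
  local value=${!var}
  # an empty value has length 0, so this single test covers the unset case too
  while [[ ${#value} -ne 2 ]]; do
    read -r -p "$prompt" value
    [[ -n "$value" ]] || value=$default
  done
  printf -v "$var" '%s' "$value"
}

#######################################
# Ask for a passphrase twice (no echo) until both entries match.
# A value already present in the variable (e.g. from the environment) is
# kept as is, so pre-seeded runs are not re-prompted.
# Arguments: $1 - variable name
#######################################
prompt_passphrase() {
  local var=$1 first= second=
  [[ -n "${!var}" ]] && return 0
  until [[ -n "$first" && "$first" == "$second" ]]; do
    first=
    while [[ -z "$first" ]]; do
      read -r -s -p "Please enter a passphrase: " first
      echo
    done
    read -r -s -p "Please confirm the passphrase: " second
    echo
  done
  printf -v "$var" '%s' "$first"
}

# openssl writes into these directories; fail early with a clear message
# instead of letting openssl abort halfway through.
for dir in "$SSLDIR/private" "$SSLDIR/certs"; do
  [[ -d "$dir" ]] || die "$dir: directory not found"
done

# 1. Creating a certificate request (optional)
# To create a certificate, you need to start with a certificate request
# or, as some certificate authorities like to put it,
# "certificate signing request", since that's exactly what they do,
# they sign it and give you the result back, thus making it authentic
# according to their policies. A certificate request can then be sent
# to a certificate authority to get it signed into a certificate, or if
# you have your own certificate authority, you may sign it yourself, or
# if you need a self-signed certificate. Because you just want a test
# certificate or because you are setting up your own CA.
#openssl req -new -key privkey.perm -out cert.csr

# 2. Creating a self-signed root Certification Authority certificate
# If you don't want to deal with another certificate authority, or just
# want to create a test certificate for yourself. This is similar to
# creating a certificate request, but creates a certificate instead of
# a certificate request. This is NOT the recommended way to create a
# CA certificate, see ca.txt.
if [[ ! -e "$SSLDIR/cacert.pem" ]]; then
  echo
  echo "Creating a new Certification Authority"
  [[ -n "$CAPASS" && -n "$CACOUNTRY" && -n "$CASTATE" && -n "$CACITY" && \
     -n "$CAORGANIZATION" && -n "$CAOU" && -n "$CACOMMONNAME" && -n "$CAEMAIL" ]] ||
    echo "Please enter information about the Certification Authority"

  prompt_country CACOUNTRY "Two-letters country code (e.g. IT): "
  prompt_value CASTATE "State: "
  prompt_value CACITY "City: "
  prompt_value CAORGANIZATION "Organization: "
  prompt_value CAOU "Operational unit: "
  prompt_value CACOMMONNAME "Common name: "
  prompt_value CAEMAIL "Email: "
  prompt_passphrase CAPASS

  echo "Generating a self-signed root Certification Authority certificate"
  # -passout stdin takes the first line as the key passphrase; the DN
  # prompts then read the following lines. The validity honours CADAYS
  # (it used to be a hard-coded 3650).
  openssl req -passout stdin -new -x509 -newkey "rsa:$KEYBITS" \
    -keyout "$SSLDIR/private/cakey.pem" -out "$SSLDIR/cacert.pem" \
    -days "$CADAYS" 2>&1 <<_EOF || exit 1
$CAPASS
$CACOUNTRY
$CASTATE
$CACITY
$CAORGANIZATION
$CAOU
$CACOMMONNAME
$CAEMAIL
_EOF
  # the CA key is encrypted, but it still has no business being world-readable
  chmod 600 "$SSLDIR/private/cakey.pem" || exit 1
fi

[[ -n "$CERTPASS" && -n "$CERTCOUNTRY" && -n "$CERTSTATE" && -n "$CERTCITY" && \
   -n "$CERTORGANIZATION" && -n "$CERTOU" && -n "$CERTCOMMONNAME" && -n "$CERTEMAIL" ]] || {
  echo
  echo "Please enter information about the self-signed server certificate"
}

# the CA fields (empty when an existing CA was reused) are offered as defaults
prompt_country CERTCOUNTRY "Two-letters country code (e.g. IT) [$CACOUNTRY]: " "$CACOUNTRY"
prompt_value CERTSTATE "State [$CASTATE]: " "$CASTATE"
prompt_value CERTCITY "City [$CACITY]: " "$CACITY"
prompt_value CERTORGANIZATION "Organization [$CAORGANIZATION]: " "$CAORGANIZATION"
prompt_value CERTOU "Operational unit [$CAOU]: " "$CAOU"
prompt_value CERTCOMMONNAME "Common name [$CACOMMONNAME]: " "$CACOMMONNAME"
prompt_value CERTEMAIL "Email [$CAEMAIL]: " "$CAEMAIL"
prompt_passphrase CERTPASS

# needed to sign below; only asked when the CA already existed
while [[ -z "$CAPASS" ]]; do
  read -r -s -p "Please, enter the CA passphrase for signing the certificate: " CAPASS
  echo
done

if [[ -e "$SSLDIR/certs/localhost.crt" ]]; then
  read -r -p "A certificate called $SSLDIR/certs/localhost.crt already exists; overwrite [y/N]?" OVERWRITE
  echo
  [[ "$OVERWRITE" == [yY] ]] || exit 0
fi

# 3. Generate a key without password
openssl genrsa -out "$SSLDIR/private/localhost.key" "$KEYBITS" >/dev/null || exit 1
# the key is unencrypted: do not rely on the umask to keep it private
chmod 600 "$SSLDIR/private/localhost.key" || exit 1

# 4. Create a server certificate signing request (CSR)
echo "Creating a server certificate request (CSR)"
# First line answers -passout; then the DN fields; the two trailing empty
# lines answer "A challenge password" and "An optional company name".
# NOTE(review): the key from step 3 carries no passphrase, so CERTPASS looks
# to be consumed by -passout only -- confirm before relying on it.
openssl req -passout stdin -new -key "$SSLDIR/private/localhost.key" \
  -out "$SSLDIR/localhost.csr" -days "$CERTDAYS" >/dev/null <<_EOF || exit 1
$CERTPASS
$CERTCOUNTRY
$CERTSTATE
$CERTCITY
$CERTORGANIZATION
$CERTOU
$CERTCOMMONNAME
$CERTEMAIL


_EOF

# 5. Sign a server certificate request
echo "Signing the certificate request"
# After the CA passphrase, openssl ca asks "Sign the certificate? [y/n]" and
# "1 out of 1 certificate requests certified, commit?"; both are answered y.
# -infiles must stay the last option.
openssl ca -days "$CERTDAYS" -passin stdin -policy policy_anything \
  -out "$SSLDIR/certs/localhost.crt" -infiles "$SSLDIR/localhost.csr" \
  >/dev/null <<_EOF || exit 1
$CAPASS
y
y
_EOF

exit 0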