
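#!/bin/bash
#
# Creates self-signed ssl certificates
# Copyright (c) 2003-2008 by Silvan Calarco <silvan.calarco@mambasoft.it>
# Copyright (c) 2003-2005 by Davide Madrisan <davide.madrisan@qilinux.it>
#
# Create server side certificates
# documentation taken from openssl howtos http://www.openssl.org/docs/HOWTO/
#
# What the script does:
#   1. if $SSLDIR/cacert.pem does not exist, creates a self-signed root CA
#      (passphrase-protected key in $SSLDIR/private/cakey.pem);
#   2. generates an unencrypted RSA server key in $SSLDIR/private/localhost.key;
#   3. writes a CSR to $SSLDIR/localhost.csr and has the CA sign it into
#      $SSLDIR/certs/localhost.crt with 'openssl ca'.
#
# Every field may be pre-set in the environment for unattended use (CAPASS,
# CACOUNTRY, CASTATE, CACITY, CAORGANIZATION, CAOU, CACOMMONNAME, CAEMAIL and
# the CERT* counterparts); anything still missing is asked on the terminal.
# CADAYS (default 3650) and CERTDAYS (default 1825) set the validity, in
# days, of the CA certificate and of the server certificate.
#
# Passphrases are never placed on a command line (where 'ps' would expose
# them): they go through a mode-0600 temporary file read on stdin.
#
# NOTE(review): 'openssl ca' is driven by the system openssl.cnf; this script
# assumes its CA_default section (dir, database, serial, new_certs_dir,
# private_key) is set up for $SSLDIR -- confirm before first use.
# NOTE(review): no subjectAltName is requested, so clients that ignore the
# CN will not accept the server certificate without further configuration.

SSLDIR=/var/ssl
[ "$CADAYS" ] || CADAYS=3650
[ "$CERTDAYS" ] || CERTDAYS=1825

# mktemp creates the file with mode 0600. The EXIT trap removes it on every
# exit path, including the 'exit 1' error paths below, which previously left
# a file holding the CA passphrase behind in /tmp.
mksslc_tempfile=$(mktemp) || { echo "cannot create a temporary file" >&2; exit 1; }
trap 'rm -f -- "$mksslc_tempfile"' EXIT

# all_set VAR...
# Returns 0 when every named variable is non-empty, 1 otherwise.
all_set() {
  local v
  for v in "$@"; do
    [ -n "${!v}" ] || return 1
  done
  return 0
}

# ask_until_set VAR PROMPT [DEFAULT]
# Prompts with PROMPT until VAR is non-empty; an empty answer takes DEFAULT
# (when one is given). A VAR already set in the environment is kept as is.
ask_until_set() {
  local var=$1 prompt=$2 default=${3-}
  while [ -z "${!var}" ]; do
    read -r -p "$prompt" "$var"
    [ -n "${!var}" ] || printf -v "$var" '%s' "$default"
  done
}

# ask_country VAR PROMPT [DEFAULT]
# Like ask_until_set, but only accepts a two-character country code.
ask_country() {
  local var=$1 prompt=$2 default=${3-} val
  val=${!var}
  while [ ${#val} -ne 2 ]; do
    read -r -p "$prompt" val
    [ -n "$val" ] || val=$default
  done
  printf -v "$var" '%s' "$val"
}

# ask_passphrase VAR
# Reads a passphrase twice without echo until both entries match. A value
# already present in VAR (from the environment) is accepted as is; the
# original loop compared it against an unset CONFIRMPASS and therefore always
# re-prompted, which defeated unattended use.
ask_passphrase() {
  local var=$1 first second
  while [ -z "${!var}" ]; do
    first=
    while [ -z "$first" ]; do
      read -r -s -p "Please enter a passphrase: " first
      echo
    done
    read -r -s -p "Please confirm the passphrase: " second
    echo
    if [ "$first" = "$second" ]; then
      printf -v "$var" '%s' "$first"
    else
      echo "Passphrases do not match, please try again" >&2
    fi
  done
}

# 1./2. Creating a self-signed root Certification Authority certificate.
# A CSR would normally be sent to a CA for signing; here the CA is ours, so
# 'openssl req -x509' emits the CA certificate directly. This is the quick
# way described in the openssl HOWTO, not the recommended one (see ca.txt).
if [ ! -e "$SSLDIR/cacert.pem" ]; then
  echo
  echo "Creating a new Certification Authority"
  all_set CAPASS CACOUNTRY CASTATE CACITY CAORGANIZATION CAOU CACOMMONNAME CAEMAIL ||
    echo "Please enter information about the Certification Authority"
  ask_country   CACOUNTRY "Two-letters country code (e.g. IT): "
  ask_until_set CASTATE "State: "
  ask_until_set CACITY "City: "
  ask_until_set CAORGANIZATION "Organization: "
  ask_until_set CAOU "Operational unit: "
  ask_until_set CACOMMONNAME "Common name: "
  ask_until_set CAEMAIL "Email: "
  ask_passphrase CAPASS
  echo "Generating a self-signed root Certification Authority certificate"
  # Line 1 is consumed by '-passout stdin'; the remaining lines answer the
  # DN prompts of 'openssl req' in the order the default openssl.cnf asks them.
  cat > "$mksslc_tempfile" << _EOF
$CAPASS
$CACOUNTRY
$CASTATE
$CACITY
$CAORGANIZATION
$CAOU
$CACOMMONNAME
$CAEMAIL
_EOF
  # Validity honours CADAYS (the original hard-coded 3650 here and never used
  # the variable it defined).
  openssl req -passout stdin -new -x509 -keyout "$SSLDIR/private/cakey.pem" \
    -out "$SSLDIR/cacert.pem" -days "$CADAYS" < "$mksslc_tempfile" 2>&1 || exit 1
  # openssl creates files with the umask-derived mode; even though the CA key
  # is passphrase-encrypted, do not leave it world-readable.
  chmod 600 "$SSLDIR/private/cakey.pem"
elif [ ! -e "$SSLDIR/private/cakey.pem" ]; then
  # Not fatal: openssl.cnf may point 'private_key' elsewhere, but this is the
  # path the script itself writes, so signing will most likely fail later.
  echo "warning: $SSLDIR/cacert.pem exists but $SSLDIR/private/cakey.pem is missing" >&2
fi

all_set CERTPASS CERTCOUNTRY CERTSTATE CERTCITY CERTORGANIZATION CERTOU CERTCOMMONNAME CERTEMAIL || {
  echo
  echo "Please enter information about the self-signed server certificate"
}
# The CA fields (when known) are offered as defaults for the server DN.
ask_country   CERTCOUNTRY "Two-letters country code (e.g. IT) [$CACOUNTRY]: " "$CACOUNTRY"
ask_until_set CERTSTATE "State [$CASTATE]: " "$CASTATE"
ask_until_set CERTCITY "City [$CACITY]: " "$CACITY"
ask_until_set CERTORGANIZATION "Organization [$CAORGANIZATION]: " "$CAORGANIZATION"
ask_until_set CERTOU "Operational unit [$CAOU]: " "$CAOU"
ask_until_set CERTCOMMONNAME "Common name [$CACOMMONNAME]: " "$CACOMMONNAME"
ask_until_set CERTEMAIL "Email [$CAEMAIL]: " "$CAEMAIL"
ask_passphrase CERTPASS
# The CA passphrase is needed again for signing when the CA already existed.
while [ -z "$CAPASS" ]; do
  read -r -s -p "Please, enter the CA passphrase for signing the certificate: " CAPASS
  echo
done

if [ -e "$SSLDIR/certs/localhost.crt" ]; then
  read -r -p "A certificate called $SSLDIR/certs/localhost.crt already exists; overwrite [y/N]?" OVERWRITE
  echo
  case $OVERWRITE in
    y|Y) ;;
    *) exit 0 ;;
  esac
fi

# 3. Generate an unencrypted server key. Leaving it unencrypted is deliberate
#    (the service has to start unattended), so file permissions are its only
#    protection -- hence the chmod. The size is given explicitly because older
#    openssl releases default to keys as small as 512 bits.
openssl genrsa -out "$SSLDIR/private/localhost.key" 2048 >/dev/null || exit 1
chmod 600 "$SSLDIR/private/localhost.key"

# 4. Create a server certificate signing request (CSR)
echo "Creating a server certificate request (CSR)"
# Line 1 is consumed by '-passout stdin'. Because the key is supplied with
# -key and only a CSR is written, that passphrase encrypts nothing: CERTPASS
# is kept for the existing prompt/environment interface but does not protect
# localhost.key. The lifetime is set at signing time (openssl ca -days), so no
# -days is passed here (it is ignored without -x509 anyway).
cat > "$mksslc_tempfile" << _EOF
$CERTPASS
$CERTCOUNTRY
$CERTSTATE
$CERTCITY
$CERTORGANIZATION
$CERTOU
$CERTCOMMONNAME
$CERTEMAIL
_EOF
echo "" >> "$mksslc_tempfile" # A challenge password
echo "" >> "$mksslc_tempfile" # An optional company name
openssl req -passout stdin -new -key "$SSLDIR/private/localhost.key" \
  -out "$SSLDIR/localhost.csr" < "$mksslc_tempfile" >/dev/null || exit 1

# 5. Sign the server certificate request with the CA
echo "Signing the certificate request"
# CA passphrase for '-passin stdin', then the two interactive confirmations
# 'openssl ca' asks for. printf rather than echo so a passphrase beginning
# with '-' is not mistaken for an echo option.
{
  printf '%s\n' "$CAPASS"
  echo "y" # Sign the certificate? [y/n]
  echo "y" # 1 out of 1 certificate requests certified, commit?
} > "$mksslc_tempfile"
openssl ca -days "$CERTDAYS" -passin stdin -policy policy_anything \
  -out "$SSLDIR/certs/localhost.crt" -infiles "$SSLDIR/localhost.csr" \
  < "$mksslc_tempfile" >/dev/null || exit 1
exit 0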