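#!/bin/bash
#
# Creates self-signed ssl certificates
# Copyright (c) 2003-2008 by Silvan Calarco <silvan.calarco@mambasoft.it>
# Copyright (c) 2003-2005 by Davide Madrisan <davide.madrisan@qilinux.it>
#
# Create server side certificates
# documentation taken from openssl howtos http://www.openssl.org/docs/HOWTO/
#
# Files written under $SSLDIR (default /var/ssl, overridable from the
# environment):
#   private/cakey.pem, cacert.pem       root CA key and certificate; only
#                                       created when cacert.pem is missing
#   private/localhost.key               server key (generated without passphrase)
#   localhost.csr, certs/localhost.crt  server CSR and the CA-signed certificate
#
# Every prompt can be pre-answered through the environment: CAPASS, CACOUNTRY,
# CASTATE, CACITY, CAORGANIZATION, CAOU, CACOMMONNAME, CAEMAIL and their CERT*
# counterparts. CADAYS (default 3650) and CERTDAYS (default 1825) are the
# validity periods in days. The `openssl ca` step relies on the system
# openssl.cnf (CA section, policy_anything) being set up for $SSLDIR; that is
# not verified here.
#
# The answers for openssl's interactive prompts, passphrases included, are fed
# through here-documents on stdin. Earlier versions staged them in a named
# temporary file that was re-created with the default umask and left behind
# when openssl failed; no passphrase is written to a named file any more.

SSLDIR=${SSLDIR:-/var/ssl}
[ "$CADAYS" ] || CADAYS=3650
[ "$CERTDAYS" ] || CERTDAYS=1825

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Succeed only when every variable named in the arguments is non-empty.
# Arguments: variable names
#######################################
all_set() {
  local name
  for name in "$@"; do
    [ "${!name}" ] || return 1
  done
  return 0
}

#######################################
# Prompt until the variable named $1 is non-empty. An empty answer takes the
# default in $3 (may itself be empty, in which case the prompt repeats).
# Reaching end of input on stdin aborts the script instead of looping forever.
# Arguments: $1 - variable name, $2 - prompt text, $3 - default (optional)
#######################################
ask() {
  local name=$1 prompt=$2 default=$3 value
  value=${!name}
  while [ -z "$value" ]; do
    read -r -p "$prompt" value || die "aborted: end of input while reading $name"
    [ "$value" ] || value=$default
  done
  printf -v "$name" '%s' "$value"
}

#######################################
# Like ask(), but additionally insists on a two-letter answer (country code).
# Arguments: $1 - variable name, $2 - prompt text, $3 - default (optional)
#######################################
ask_country() {
  local name=$1 prompt=$2 default=$3 value
  value=${!name}
  while [ -z "$value" ] || [ "${#value}" -ne 2 ]; do
    read -r -p "$prompt" value || die "aborted: end of input while reading $name"
    [ "$value" ] || value=$default
  done
  printf -v "$name" '%s' "$value"
}

#######################################
# Read a passphrase (echo disabled) into the variable named $1, asking for it
# twice until both entries match. A value already present in the variable
# (preset through the environment) is accepted as is.
# Arguments: $1 - variable name
#######################################
ask_passphrase() {
  local name=$1 value confirm
  [ "${!name}" ] && return 0
  while :; do
    value=
    while [ -z "$value" ]; do
      read -r -s -p "Please enter a passphrase: " value || die "aborted: end of input while reading $name"
      echo
    done
    read -r -s -p "Please confirm the passphrase: " confirm || die "aborted: end of input while reading $name"
    echo
    [ "$value" = "$confirm" ] && break
  done
  printf -v "$name" '%s' "$value"
}

# 1. Creating a certificate request (optional)
# To create a certificate, you need to start with a certificate request
# or, as some certificate authorities like to put it,
# "certificate signing request", since that's exactly what they do,
# they sign it and give you the result back, thus making it authentic
# according to their policies. A certificate request can then be sent
# to a certificate authority to get it signed into a certificate, or if
# you have your own certificate authority, you may sign it yourself, or
# if you need a self-signed certificate. Because you just want a test
# certificate or because you are setting up your own CA.

#openssl req -new -key privkey.perm -out cert.csr

# 2. Creating a self-signed root Certification Authority certificate
# If you don't want to deal with another certificate authority, or just
# want to create a test certificate for yourself. This is similar to
# creating a certificate request, but creates a certificate instead of
# a certificate request. This is NOT the recommended way to create a
# CA certificate, see ca.txt.

if [ ! -e "$SSLDIR/cacert.pem" ]; then
  echo
  echo "Creating a new Certification Authority"
  if ! all_set CAPASS CACOUNTRY CASTATE CACITY CAORGANIZATION CAOU CACOMMONNAME CAEMAIL; then
    echo "Please enter information about the Certification Authority"
  fi
  ask_country CACOUNTRY "Two-letters country code (e.g. IT): "
  ask CASTATE "State: "
  ask CACITY "City: "
  ask CAORGANIZATION "Organization: "
  ask CAOU "Operational unit: "
  ask CACOMMONNAME "Common name: "
  ask CAEMAIL "Email: "
  ask_passphrase CAPASS

  echo "Generating a self-signed root Certification Authority certificate"
  # Stdin answers: the key passphrase consumed by -passout, then the subject
  # fields in the order the default openssl.cnf prompts for them
  # (C, ST, L, O, OU, CN, emailAddress). The validity comes from CADAYS,
  # which used to be defined but never used.
  openssl req -passout stdin -new -x509 -keyout "$SSLDIR/private/cakey.pem" \
    -out "$SSLDIR/cacert.pem" -days "$CADAYS" 2>&1 <<_EOF || die "openssl req failed while creating the CA certificate"
$CAPASS
$CACOUNTRY
$CASTATE
$CACITY
$CAORGANIZATION
$CAOU
$CACOMMONNAME
$CAEMAIL
_EOF
fi

if ! all_set CERTPASS CERTCOUNTRY CERTSTATE CERTCITY CERTORGANIZATION CERTOU CERTCOMMONNAME CERTEMAIL; then
  echo
  echo "Please enter information about the self-signed server certificate"
fi
# The CA values entered (or preset) above serve as defaults for the server
# certificate; they are empty when an existing CA was reused without presets.
ask_country CERTCOUNTRY "Two-letters country code (e.g. IT) [$CACOUNTRY]: " "$CACOUNTRY"
ask CERTSTATE "State [$CASTATE]: " "$CASTATE"
ask CERTCITY "City [$CACITY]: " "$CACITY"
ask CERTORGANIZATION "Organization [$CAORGANIZATION]: " "$CAORGANIZATION"
ask CERTOU "Operational unit [$CAOU]: " "$CAOU"
ask CERTCOMMONNAME "Common name [$CACOMMONNAME]: " "$CACOMMONNAME"
ask CERTEMAIL "Email [$CAEMAIL]: " "$CAEMAIL"
ask_passphrase CERTPASS
# Needed for the signing step when the CA already existed and CAPASS was not
# preset; no confirmation, since a wrong passphrase simply makes openssl fail.
while [ -z "$CAPASS" ]; do
  read -r -s -p "Please, enter the CA passphrase for signing the certificate: " CAPASS || die "aborted: end of input while reading CAPASS"
  echo
done

if [ -e "$SSLDIR/certs/localhost.crt" ]; then
  read -r -p "A certificate called $SSLDIR/certs/localhost.crt already exists; overwrite [y/N]?" OVERWRITE
  echo
  case "$OVERWRITE" in
    y|Y) ;;
    *) exit 0 ;;
  esac
fi

# 3. Generate a key without password
# The key size is given explicitly: old openssl releases default to 512 or
# 1024 bits, which are far too small for a server key today.
openssl genrsa -out "$SSLDIR/private/localhost.key" 2048 >/dev/null || die "openssl genrsa failed"

# 4. Create a server certificate signing request (CSR)
echo "Creating a server certificate request (CSR)"
# Stdin answers: the passphrase line consumed by -passout, the subject fields,
# then two empty lines answering the "challenge password" and "optional
# company name" extra attributes.
openssl req -passout stdin -new -key "$SSLDIR/private/localhost.key" \
  -out "$SSLDIR/localhost.csr" -days "$CERTDAYS" >/dev/null <<_EOF || die "openssl req failed while creating the CSR"
$CERTPASS
$CERTCOUNTRY
$CERTSTATE
$CERTCITY
$CERTORGANIZATION
$CERTOU
$CERTCOMMONNAME
$CERTEMAIL


_EOF

# 5. Sign the server certificate request with the CA
echo "Signing the certificate request"
# Stdin answers: the CA passphrase, "y" to "Sign the certificate? [y/n]" and
# "y" to "1 out of 1 certificate requests certified, commit?".
# -infiles must stay the last option: it consumes every remaining argument.
openssl ca -days "$CERTDAYS" -passin stdin -policy policy_anything \
  -out "$SSLDIR/certs/localhost.crt" -infiles "$SSLDIR/localhost.csr" >/dev/null <<_EOF || die "openssl ca failed while signing the certificate"
$CAPASS
y
y
_EOF

exit 0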