#! /bin/bash
#
# ipsec-gencert.sh - Create a client certificate signed by localhost CA
#
# Copyright (c) 2004 by Silvan Calarco <silvan.calarco@qilinux.it>
# Copyright (c) 2004 by Davide Madrisan <davide.madrisan@qilinux.it>
#
# Release: 01/04/2004
# Everything below writes under /etc/ipsec.d and /var/ssl, so refuse to run
# without root privileges.
if [ "$UID" != 0 ]; then
  echo "error: $0: must be superuser" >&2
  exit 1
fi

# DESTHOSTNAME: client host the certificate is issued for (positional arg).
# REQFILE:      certificate request to sign; empty means a key and request
#               are generated by this script.
unset DESTHOSTNAME REQFILE
REQGENERATED=0   # becomes 1 when the key/request were generated by this run
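# Print an error line and the usage text to stderr, then exit with status 1.
# Arguments: $1 - optional reason shown in the error line
#                 (defaults to "missing parameter", the historical message)
# Diagnostics go to stderr so they do not mix with the "Generated ..." lines
# the script prints on stdout.
usage() {
  echo "error: $0: ${1:-missing parameter}" >&2
  echo >&2
  echo "Use: ipsec-gencert.sh hostname [-r cert.req]" >&2
  echo " -r: use the certificate request file specified" >&2
  echo >&2
  exit 1
}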
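# Command line: exactly one hostname plus an optional request file given as
# "-r file" or "-r=file".  Anything else is a usage error.
while [ $# -gt 0 ]; do
  case "$1" in
    -r=*)
      REQFILE=${1#-r=} ;;
    -r)
      # a dangling -r used to read an empty $2 and then shift past the end
      [ $# -ge 2 ] || usage "-r requires a file name"
      REQFILE=$2
      shift ;;
    -*)
      usage "unknown option $1" ;;
    *)
      # only one positional argument (the hostname) is accepted
      [ -z "$DESTHOSTNAME" ] || usage "too many parameters"
      DESTHOSTNAME=$1 ;;
  esac
  shift
done

[ -n "$DESTHOSTNAME" ] || usage

# The hostname is spliced into file names under /etc/ipsec.d, /var/ssl and
# /tmp, and one of those files is removed later, so a path separator in it
# is rejected rather than allowed to redirect those operations.
case "$DESTHOSTNAME" in
  */*)
    echo "error: $0: invalid hostname: $DESTHOSTNAME" >&2
    exit 1 ;;
esac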
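# Locations used below.  The private key and signed certificate live under
# /etc/ipsec.d; the CA certificate and the request generated here live in
# /var/ssl; the PKCS#12 bundle is dropped in /tmp for transfer to the client.
KEYFILE="/etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem"
CERTFILE="/etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem"
CACERTFILE="/var/ssl/cacert.pem"
PKCS12FILE="/tmp/$DESTHOSTNAME.pl2"

if [ -z "$REQFILE" ]; then
  # No request supplied: generate a key and a request.  The request gets its
  # own file (the one removed after signing below); writing it to the
  # -keyout path, as before, made openssl overwrite the freshly generated
  # private key with the request.
  REQFILE="/var/ssl/ipsec-$DESTHOSTNAME-req.pem"

  # Restrictive umask in a subshell: the private key is created owner-only
  # without changing the mode of the certificate signed later.
  ( umask 077
    openssl req -new -keyout "$KEYFILE" -out "$REQFILE" -days 365 ) ||
    { echo "error: failed to create certificate request." >&2; exit 1; }

  REQGENERATED=1
fi

# Sign the request with the local CA (-infiles must remain the last option).
openssl ca -policy policy_anything -out "$CERTFILE" -infiles "$REQFILE" ||
  { echo "error: failed to sign request." >&2; exit 1; }

# Export the PKCS#12 bundle.  Its path in the world-writable /tmp is
# predictable, so remove any pre-existing entry first (a planted symlink
# could otherwise be followed when openssl opens -out) and create the file
# owner-only: when the key was generated here the bundle contains it.
rm -f -- "$PKCS12FILE"
if [ "$REQGENERATED" = "1" ]; then
  # the request is no longer needed once the certificate has been issued
  rm -f -- "$REQFILE"
  ( umask 077
    openssl pkcs12 -export -in "$CERTFILE" -inkey "$KEYFILE" \
      -certfile "$CACERTFILE" -out "$PKCS12FILE" ) ||
    { echo "error: failed to export pkcs12 bundle." >&2; exit 1; }
else
  # external request: the key is not ours, export the certificates only
  ( umask 077
    openssl pkcs12 -export -in "$CERTFILE" -certfile "$CACERTFILE" \
      -out "$PKCS12FILE" -nokeys ) ||
    { echo "error: failed to export pkcs12 bundle." >&2; exit 1; }
fi

[ "$REQGENERATED" -eq 1 ] &&
  echo "Generated private keyfile: $KEYFILE"

echo "Generated certificate: $CERTFILE"
echo "Generated pkcs certificate: $PKCS12FILE"

exit 0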