openswan/ipsec-gencert

#! /bin/bash
#
# ipsec-gencert.sh - Create a client certificate signed by localhost CA
#
# Copyright (c) 2004 by Silvan Calarco <silvan.calarco@qilinux.it>
# Copyright (c) 2004 by Davide Madrisan <davide.madrisan@qilinux.it>
#
# Release: 01/04/2004

test $UID = 0 ||
 { echo "error: $0: must be superuser" >&2
    { (exit 1); exit 1; }; }

unset DESTHOSTNAME REQFILE
REQGENERATED=0

function usage() {
   echo "error: $0: missing parameter"
   echo
   echo "Use: ipsec-gencert.sh hostname [-r cert.req]"
   echo " -r: use the certificate request file specified"
   echo
   exit 1
}

while [ $# -gt 0 ]; do
   case $1 in
   -r*) 
      if echo $1 | grep -q '='; then
         REQFILE=`echo $1 | sed 's/^-r=//'`
      else
         REQFILE=$2
         shift
      fi ;;
   *)
      [ -z "$DESTHOSTNAME" ] && DESTHOSTNAME=$1 || usage ;;
   esac
   shift
done

[ -z "$DESTHOSTNAME" ] && usage

if [ -z "$REQFILE" ]; then
   REQFILE="/etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem"
   
   openssl req -new -keyout /etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem \
      -out $REQFILE -days 365 ||
    { echo "error: failed to create certificate request." >&2
       { (exit 1); exit 1; }; }
  
   REQGENERATED=1
fi

# generate cert from request
openssl ca -policy policy_anything \
   -out /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem \
   -infiles $REQFILE ||
 { echo "error: failed to sign request." >&2
    { (exit 1); exit 1; }; }

# export pkcs cert
if [ "$REQGENERATED" = "1" ]; then
   # remove request file
   rm /var/ssl/ipsec-$DESTHOSTNAME-req.pem
   openssl pkcs12 -export \
     -in /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem \
     -inkey /etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem \
     -certfile /var/ssl/cacert.pem \
     -out /tmp/$DESTHOSTNAME.pl2
else
   openssl pkcs12 -export \
     -in /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem \
     -certfile /var/ssl/cacert.pem \
     -out /tmp/$DESTHOSTNAME.pl2 \
     -nokeys
fi   

[ $REQGENERATED -eq 1 ] && 
   echo "Generated private keyfile: /etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem"

echo "Generated certificate: /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem"
echo "Generated pkcs certificate: /tmp/$DESTHOSTNAME.pl2"

exit 0
automatic version update by autodist [release 2.6.39-1mamba;Wed Jun 05 2013] 2024-01-06 08:17:14 +01:00			`#! /bin/bash`
			`#`
			`# ipsec-gencert.sh - Create a client certificate signed by localhost CA`
			`#`
			`# Copyright (c) 2004 by Silvan Calarco <silvan.calarco@qilinux.it>`
			`# Copyright (c) 2004 by Davide Madrisan <davide.madrisan@qilinux.it>`
			`#`
			`# Release: 01/04/2004`

			`test $UID = 0 \|\|`
			`{ echo "error: $0: must be superuser" >&2`
			`{ (exit 1); exit 1; }; }`

			`unset DESTHOSTNAME REQFILE`
			`REQGENERATED=0`

			`function usage() {`
			`echo "error: $0: missing parameter"`
			`echo`
			`echo "Use: ipsec-gencert.sh hostname [-r cert.req]"`
			`echo " -r: use the certificate request file specified"`
			`echo`
			`exit 1`
			`}`

			`while [ $# -gt 0 ]; do`
			`case $1 in`
			`-r*)`
			`if echo $1 \| grep -q '='; then`
			REQFILE=`echo $1 \| sed 's/^-r=//'`
			`else`
			`REQFILE=$2`
			`shift`
			`fi ;;`
			`*)`
			`[ -z "$DESTHOSTNAME" ] && DESTHOSTNAME=$1 \|\| usage ;;`
			`esac`
			`shift`
			`done`

			`[ -z "$DESTHOSTNAME" ] && usage`

			`if [ -z "$REQFILE" ]; then`
			`REQFILE="/etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem"`

			`openssl req -new -keyout /etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem \`
			`-out $REQFILE -days 365 \|\|`
			`{ echo "error: failed to create certificate request." >&2`
			`{ (exit 1); exit 1; }; }`

			`REQGENERATED=1`
			`fi`

			`# generate cert from request`
			`openssl ca -policy policy_anything \`
			`-out /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem \`
			`-infiles $REQFILE \|\|`
			`{ echo "error: failed to sign request." >&2`
			`{ (exit 1); exit 1; }; }`

			`# export pkcs cert`
			`if [ "$REQGENERATED" = "1" ]; then`
			`# remove request file`
			`rm /var/ssl/ipsec-$DESTHOSTNAME-req.pem`
			`openssl pkcs12 -export \`
			`-in /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem \`
			`-inkey /etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem \`
			`-certfile /var/ssl/cacert.pem \`
			`-out /tmp/$DESTHOSTNAME.pl2`
			`else`
			`openssl pkcs12 -export \`
			`-in /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem \`
			`-certfile /var/ssl/cacert.pem \`
			`-out /tmp/$DESTHOSTNAME.pl2 \`
			`-nokeys`
			`fi`

			`[ $REQGENERATED -eq 1 ] &&`
			`echo "Generated private keyfile: /etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem"`

			`echo "Generated certificate: /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem"`
			`echo "Generated pkcs certificate: /tmp/$DESTHOSTNAME.pl2"`

			`exit 0`