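#! /bin/bash
#
# ipsec-gencert.sh - Create a client certificate signed by localhost CA
#
# Copyright (c) 2004 by Silvan Calarco
# Copyright (c) 2004 by Davide Madrisan
#
# Release: 01/04/2004
#
# Use: ipsec-gencert.sh hostname [-r cert.req]
#
# Without -r, a new private key is generated under /etc/ipsec.d/private and a
# certificate request is built from it; the request is deleted once signed.
# With -r, the given request file is signed as-is and the PKCS#12 bundle
# carries no private key (-nokeys).  Signing uses whatever CA `openssl ca`
# picks up from the default openssl.cnf; the CA certificate bundled into the
# PKCS#12 is expected at /var/ssl/cacert.pem.  Must be run as root.
#
# Outputs (paths are printed on success):
#   /etc/ipsec.d/private/ipsec-<hostname>-key.pem   (only when generated here)
#   /etc/ipsec.d/certs/ipsec-<hostname>-cert.pem
#   <private tmp dir>/<hostname>.pl2                 (PKCS#12 bundle)

# die MESSAGE... - print an error to stderr and exit 1.
die() {
    echo "error: $0: $*" >&2
    exit 1
}

# usage - print the command synopsis to stderr and exit 1.
usage() {
    echo "error: $0: missing parameter" >&2
    echo >&2
    echo "Use: ipsec-gencert.sh hostname [-r cert.req]" >&2
    echo " -r: use the certificate request file specified" >&2
    echo >&2
    exit 1
}

[ "$UID" = 0 ] || die "must be superuser"

unset DESTHOSTNAME REQFILE
REQGENERATED=0

# Accept "-r=FILE" and "-r FILE"; the single remaining positional argument is
# the hostname.  A second positional argument is an error.
while [ $# -gt 0 ]; do
    case $1 in
        -r*)
            if [[ $1 == -r=* ]]; then
                REQFILE=${1#-r=}
            else
                [ $# -ge 2 ] || usage
                REQFILE=$2
                shift
            fi
            ;;
        *)
            [ -z "$DESTHOSTNAME" ] && DESTHOSTNAME=$1 || usage
            ;;
    esac
    shift
done

[ -z "$DESTHOSTNAME" ] && usage

# The hostname is spliced into file names that are created and removed as
# root under /etc/ipsec.d and /var/ssl.  Restrict it to a plain DNS name so
# values like "../x", "a/b" or "-foo" cannot redirect those writes or be
# parsed as options by openssl/rm.
[[ $DESTHOSTNAME =~ ^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$ ]] \
    || die "invalid hostname '$DESTHOSTNAME'"

KEYFILE="/etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem"
CERTFILE="/etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem"
CACERT="/var/ssl/cacert.pem"

if [ -z "$REQFILE" ]; then
    # The request must not share a path with the key: pointing -keyout and
    # -out at the same file makes the second write truncate the first, so
    # the key file would end up holding the CSR and the later pkcs12 -inkey
    # step would fail.  The request lives in /var/ssl, which is also where
    # it is removed from once signed.
    REQFILE="/var/ssl/ipsec-$DESTHOSTNAME-req.pem"
    # umask 077 in a subshell so the fresh private key is created 0600 even
    # on openssl builds that just honour the process umask.  "-days" was
    # dropped: it only applies to "req -x509"; the certificate lifetime is
    # decided by the CA configuration used by "openssl ca" below.
    ( umask 077 && openssl req -new -keyout "$KEYFILE" -out "$REQFILE" ) \
        || die "failed to create certificate request."
    REQGENERATED=1
else
    [ -r "$REQFILE" ] || die "cannot read certificate request '$REQFILE'."
fi

# generate cert from request (-infiles must stay the last option)
openssl ca -policy policy_anything -out "$CERTFILE" -infiles "$REQFILE" \
    || die "failed to sign request."

# export pkcs cert
#
# The bundle may contain the private key, so it must not be written to a
# world-readable, predictable path such as /tmp/<hostname>.pl2 (anyone could
# read it or pre-create a symlink there).  Use a fresh 0700 directory and
# create the file 0600.  The ".pl2" name is kept for compatibility; the
# conventional PKCS#12 extension is ".p12".
OUTDIR=$(mktemp -d /tmp/ipsec-gencert.XXXXXX) \
    || die "cannot create private output directory."
P12FILE="$OUTDIR/$DESTHOSTNAME.pl2"

if [ "$REQGENERATED" = "1" ]; then
    # remove request file - it was only needed to obtain the signature
    rm -f -- "$REQFILE"
    ( umask 077 && openssl pkcs12 -export \
        -in "$CERTFILE" \
        -inkey "$KEYFILE" \
        -certfile "$CACERT" \
        -out "$P12FILE" ) \
        || die "failed to export pkcs certificate."
else
    # request supplied by the caller: we have no key for it, bundle cert only
    ( umask 077 && openssl pkcs12 -export \
        -in "$CERTFILE" \
        -certfile "$CACERT" \
        -out "$P12FILE" \
        -nokeys ) \
        || die "failed to export pkcs certificate."
fi

[ "$REQGENERATED" -eq 1 ] && echo "Generated private keyfile: $KEYFILE"
echo "Generated certificate: $CERTFILE"
echo "Generated pkcs certificate: $P12FILE"
exit 0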