
#! /bin/bash
#
# ipsec-gencert.sh - Create a client certificate signed by localhost CA
#
# Copyright (c) 2004 by Silvan Calarco <silvan.calarco@qilinux.it>
# Copyright (c) 2004 by Davide Madrisan <davide.madrisan@qilinux.it>
#
# Release: 01/04/2004
# The script writes under /etc/ipsec.d and drives the local CA, so refuse
# to run as anyone but root.
if [ "$UID" != 0 ]; then
  echo "error: $0: must be superuser" >&2
  exit 1
fi
# Start from a clean slate; both are filled in by the argument parser below.
unset DESTHOSTNAME REQFILE
# Becomes 1 when this run generated the private key and request itself
# (no -r given); that also decides whether the key is put into the bundle.
REQGENERATED=0
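#######################################
# Print the usage text and abort.
# Called for a missing hostname, a surplus positional argument, or a
# malformed -r option.
# Outputs:  the message on stderr (it is an error, like every other
#           diagnostic in this script; it used to go to stdout)
# Returns:  never — exits with status 1
#######################################
usage() {
  {
    echo "error: $0: missing parameter"
    echo
    echo "Use: ipsec-gencert.sh hostname [-r cert.req]"
    echo " -r: use the certificate request file specified"
    echo
  } >&2
  exit 1
}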
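# ---------------------------------------------------------------------------
# Command line:  ipsec-gencert.sh hostname [-r FILE | -r=FILE]
#   hostname  - names the client; it is spliced into every output path
#   -r FILE   - sign an existing request instead of generating key + request
# ---------------------------------------------------------------------------
while [ $# -gt 0 ]; do
  case "$1" in
    -r=*)
      REQFILE=${1#-r=}
      ;;
    -r*)
      # "-r FILE" form: the path is the next argument. A bare trailing -r
      # used to be accepted silently and then generated a new key instead.
      [ $# -ge 2 ] || usage
      REQFILE=$2
      shift
      ;;
    *)
      # Exactly one positional argument is accepted.
      if [ -z "$DESTHOSTNAME" ]; then
        DESTHOSTNAME=$1
      else
        usage
      fi
      ;;
  esac
  shift
done
[ -n "$DESTHOSTNAME" ] || usage

# The hostname becomes part of paths under /etc/ipsec.d and /tmp, so limit
# it to hostname characters: a value containing "/" would redirect those
# writes, and a leading "-" could be mistaken for an option.
case "$DESTHOSTNAME" in
  -*|*[!A-Za-z0-9._-]*)
    echo "error: $0: invalid hostname '$DESTHOSTNAME'" >&2
    exit 1
    ;;
esac

KEYFILE="/etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem"
CERTFILE="/etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem"
CAFILE="/var/ssl/cacert.pem"
# NOTE: the ".pl2" suffix is kept because existing users may look for it,
# although the file is a PKCS#12 bundle (conventionally ".p12").
P12FILE="/tmp/$DESTHOSTNAME.pl2"

if [ -z "$REQFILE" ]; then
  # Generate a fresh key and request. The request gets its own file: the
  # previous version passed the key path to both -keyout and -out, so the
  # request overwrote the key, and the cleanup below tried to remove a
  # /var/ssl request file that was never written. (-days is only honoured
  # with -x509; the signed certificate's lifetime comes from the
  # "openssl ca" configuration.)
  REQFILE="/var/ssl/ipsec-$DESTHOSTNAME-req.pem"
  # The private key is created with the process umask; 077 keeps it 0600
  # even on OpenSSL builds that do not tighten key-file permissions.
  ( umask 077 && openssl req -new -keyout "$KEYFILE" -out "$REQFILE" ) ||
    { echo "error: failed to create certificate request." >&2; exit 1; }
  REQGENERATED=1
elif [ ! -r "$REQFILE" ]; then
  echo "error: $0: cannot read certificate request '$REQFILE'" >&2
  exit 1
fi

# Sign the request with the local CA. -infiles must stay the last option.
openssl ca -policy policy_anything -out "$CERTFILE" -infiles "$REQFILE" ||
  { echo "error: failed to sign request." >&2; exit 1; }

if [ "$REQGENERATED" = 1 ]; then
  # The request has served its purpose; bundle certificate + private key.
  rm -f -- "$REQFILE"
  P12_KEYOPTS=(-inkey "$KEYFILE")
else
  # The request came from elsewhere, so there is no key to bundle.
  P12_KEYOPTS=(-nokeys)
fi

# /tmp is world-writable and the bundle name is predictable, so create the
# file ourselves before OpenSSL opens it: "rm -f" clears a stale copy and
# noclobber (O_EXCL) makes the creation fail if another user plants a file
# or symlink at that path in between, instead of OpenSSL following it.
# The umask leaves the bundle, which may hold the private key, at 0600.
rm -f -- "$P12FILE"
( umask 077 && set -C && : > "$P12FILE" ) ||
  { echo "error: $0: cannot create $P12FILE" >&2; exit 1; }
# The export status was previously ignored; a failed export then reported
# success with a missing or empty bundle.
openssl pkcs12 -export -in "$CERTFILE" -certfile "$CAFILE" \
  -out "$P12FILE" "${P12_KEYOPTS[@]}" ||
  { echo "error: failed to export pkcs certificate." >&2; exit 1; }

[ "$REQGENERATED" = 1 ] &&
  echo "Generated private keyfile: $KEYFILE"
echo "Generated certificate: $CERTFILE"
echo "Generated pkcs certificate: $P12FILE"
exit 0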