Una mica antic, però l’he pogut recuperar d’un backup.
Crea un entorn per gestionar una CA pròpia, amb scripts per ajudar a administrar-la.
#!/bin/bash
# crearCA
#
# Copyright (c) 2008 Sergi Coll i Siria (sergi @ nit.cat)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
#
# Make Own Certificate Authority and administration scripts
# v0.1a - Initial release
# v0.2a - Add script to make certificate for multiples domains
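set -euo pipefail

# Tunables, overridable through the environment. The fallbacks are the values
# the script always used. NOTE: /tmp is world-accessible and normally cleared
# on reboot -- point CA_BASE_DIR at a persistent, root-only directory for any
# CA whose key you intend to keep.
readonly CA_BASE_DIR="${CA_BASE_DIR:-/tmp}"
readonly OPENSSL_CNF="${OPENSSL_CNF:-/etc/pki/tls/openssl.cnf}"
readonly CA_COUNTRY="${CA_COUNTRY:-CA}"
readonly CA_PROVINCE="${CA_PROVINCE:-Catalunya}"
readonly CA_CITY="${CA_CITY:-Barcelona}"
readonly CA_KEY_BITS="${CA_KEY_BITS:-4096}"
readonly CA_DAYS="${CA_DAYS:-3650}"

#######################################
# Print an error to stderr and exit 1.
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage and exit 1.
#######################################
usage() {
  echo "ERROR: Cal posar 1 argument" >&2
  echo "$0 exemple.fqdn.cat [nom de l'empresa]" >&2
  exit 1
}

#######################################
# Escape a string for the replacement side of a sed 's|...|...|' expression
# ('|' is the delimiter used in make_config; '&' and '\' are special there).
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout
#######################################
sed_escape() {
  printf '%s' "$1" | sed -e 's/[&\\|]/\\&/g'
}

#######################################
# Create the CA directory tree and the OpenSSL serial/index files, and make
# the new tree the working directory (everything below uses relative paths).
# Arguments: $1 - CA root directory; must not exist yet
#######################################
make_layout() {
  local ca_dir=$1
  # Refuse an existing directory: continuing would overwrite the serial, the
  # index and finally the private key of a CA that is already in use.
  mkdir -- "$ca_dir" || die "no puc crear $ca_dir (ja existeix?)"
  cd -- "$ca_dir" || die "no puc entrar a $ca_dir"
  mkdir bin config certs crl newcerts private
  # Only the owner may enter the directory that will hold the CA key.
  chmod 700 private
  echo "01" > serial
  echo "01" > crlnumber
  touch index.txt.attr index.txt
}

#######################################
# Build config/openssl.cnf from the system openssl.cnf: CA dir = '.', CA files
# renamed to certs/ca-crt.pem and private/ca-key.pem, unique subjects
# enforced, default DN fields filled in, copy_extensions enabled and the
# Netscape/issuer URLs pointed at https://www.<fqdn>/ssl/.
# Globals:   OPENSSL_CNF, CA_COUNTRY, CA_PROVINCE, CA_CITY (read)
# Arguments: $1 - FQDN (validated by main: hostname characters only)
#            $2 - company name (free text; escaped before use in sed)
#######################################
make_config() {
  local fqdn=$1
  local company country province city
  company=$(sed_escape "$2")
  country=$(sed_escape "$CA_COUNTRY")
  province=$(sed_escape "$CA_PROVINCE")
  city=$(sed_escape "$CA_CITY")
  [[ -r "$OPENSSL_CNF" ]] || die "no puc llegir $OPENSSL_CNF (defineix OPENSSL_CNF)"
  # One sed pass, in the original order of substitutions.
  # copy_extensions = copy lets SANs requested in a CSR reach the certificate;
  # with "copy" (not "copyall") extensions already set in the config section
  # take precedence, so keep basicConstraints=CA:FALSE in [ usr_cert ] or a
  # CSR could ask for CA:TRUE.
  sed \
    -e 's|\./demoCA|.|' \
    -e 's|/etc/pki/CA|.|' \
    -e 's|#unique_subject|unique_subject|' \
    -e "s|OpenSSL Generated Certificate|${company} OpenSSL Generated Certificate|" \
    -e "s|XX|${country}|" \
    -e "s|Default Province|${province}|" \
    -e 's|#stateOrProvinceName_default|stateOrProvinceName_default|' \
    -e "s|Default City|${city}|" \
    -e "s|Default Company Ltd|${company}|" \
    -e 's|cacert\.pem|certs/ca-crt.pem|' \
    -e 's|cakey\.pem|ca-key.pem|' \
    -e '/# copy_extensions = copy/a copy_extensions = copy' \
    -e "/#nsSslServerName/a nsBaseUrl = https://www.${fqdn}/ssl/" \
    -e "/#nsSslServerName/a nsCaRevocationUrl = https://www.${fqdn}/ssl/ca.crl" \
    -e "/#nsSslServerName/a nsCaPolicyUrl = https://www.${fqdn}/ssl/policy.html" \
    -e "/#nsSslServerName/a issuerAltName = URI:https://www.${fqdn}/ssl/ca.crt" \
    "$OPENSSL_CNF" > config/openssl.cnf
}

#######################################
# Generate the CA key pair and self-signed certificate (prompts for the key
# passphrase: the CA key is encrypted, unlike the per-host keys the helpers
# produce) and the first CRL.
# Globals: CA_KEY_BITS, CA_DAYS (read)
#######################################
make_ca() {
  # Key files must never be group/world readable, whatever the caller's umask.
  (
    umask 077
    openssl req -new -x509 -newkey "rsa:${CA_KEY_BITS}" -sha256 -days "$CA_DAYS" \
      -keyout private/ca-key.pem -out certs/ca-crt.pem -config config/openssl.cnf
  )
  # The certificate itself is public.
  chmod 644 certs/ca-crt.pem
  # DER copy of the CA certificate, e.g. for an LDAP directory (kept disabled,
  # as in the original):
  # openssl x509 -in certs/ca-crt.pem -outform der -out certs/ca-crt-der.pem
  openssl ca -gencrl -crldays 15 -out crl/ca-crl.pem -config config/openssl.cnf
}

#######################################
# Write one helper script into bin/ from a body read on stdin, prefixed with
# a common prologue: shebang, strict mode, cd to the CA root (the helpers use
# paths relative to it) and, unless $3 is "noarg", the FQDN argument check.
# Arguments: $1 - script name under bin/
#            $2 - banner printed when the helper starts (no '"' or '$')
#            $3 - "noarg" to skip the argument check (optional)
#######################################
write_script() {
  local name=$1 banner=$2 argmode=${3:-arg}
  {
    printf '#!/bin/bash\n'
    printf 'set -eu\n'
    printf 'cd -- "$(dirname -- "$0")/.." || exit 1\n'
    printf 'echo "%s"\n' "$banner"
    if [[ "$argmode" != noarg ]]; then
      cat <<'EOF'
if [ -z "${1:-}" ]; then
  echo "ERROR: Cal posar 1 argument"
  echo "$0 exemple.fqdn.cat"
  exit 1
fi
EOF
    fi
    # The body supplied by the caller on stdin.
    cat
  } > "bin/$name"
}

#######################################
# Write the bin/ helper scripts. Each helper takes the host FQDN as $1 unless
# noted; per-host RSA keys are KEY_BITS bits (default 2048) at run time.
#######################################
write_admin_scripts() {
  write_script crear_certificat_per_signar_CA_externa \
    "Creem la clau SSL (Key) i després Certificate Signing Request (CSR)" <<'EOF'
mkdir -p -- "certs/$1"
# The key is written unencrypted (like the keys the other helpers make with
# -nodes); only the directory permissions protect it.
openssl genrsa -out "certs/$1/$1-key.pem" "${KEY_BITS:-2048}"
openssl req -config config/openssl.cnf -new -sha256 -key "certs/$1/$1-key.pem" -out "certs/$1/$1-csr.pem"
# How to inspect the request and the key:
echo "openssl req -config config/openssl.cnf -noout -text -in certs/$1/$1-csr.pem"
echo "openssl rsa -noout -text -in certs/$1/$1-key.pem"
EOF

  write_script crear_certificat_x509_per_signar_la_nostra_CA \
    "Cree els Certificate Signing Request (CSR) per que la signi la nostra CA" <<'EOF'
mkdir -p -- "certs/$1"
# -keyout and -out name the same file on purpose (OpenSSL appends the
# certificate when -out is the same file as -keyout); x509toreq below reads
# both the key and the self-signed certificate from it to produce the CSR.
openssl req -config config/openssl.cnf -nodes -new -x509 -sha256 -newkey "rsa:${KEY_BITS:-2048}" -keyout "certs/$1/$1-key.pem" -out "certs/$1/$1-key.pem" -days 365
openssl x509 -x509toreq -in "certs/$1/$1-key.pem" -signkey "certs/$1/$1-key.pem" -out "certs/$1/$1-csr.pem"
EOF

  write_script crear_certificat_x509_per_signar_la_nostra_CA_multidomini \
    "Cree els Certificate Signing Request (CSR) per que la signi la nostra CA" <<'EOF'
echo "Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish"
SANAMES=""
while :; do
  printf 'SubjectAltName (email:,URI:,DNS:,RID:,IP:,dirName:): '
  IFS= read -r SAN || SAN=""
  if [ -z "$SAN" ]; then break; fi
  if [ -z "$SANAMES" ]; then SANAMES="$SAN"; else SANAMES="$SANAMES, $SAN"; fi
done
if [ -z "$SANAMES" ]; then
  echo "ERROR: cal almenys un SubjectAltName" >&2
  exit 1
fi
# The SAN list is handed to awk as a variable instead of being spliced into a
# sed script, so metacharacters in the input cannot alter the edit. The
# resulting config is also what signar_csr_..._multidomini signs with.
awk -v san="$SANAMES" '{ print } /# subjectAltName=email:move/ { print "subjectAltName = " san }' config/openssl.cnf > config/openssl_multidomini.cnf
mkdir -p -- "certs/$1"
# Same key+certificate-in-one-file trick as the single-domain helper.
openssl req -config config/openssl_multidomini.cnf -nodes -new -x509 -sha256 -newkey "rsa:${KEY_BITS:-2048}" -keyout "certs/$1/$1-key.pem" -out "certs/$1/$1-key.pem" -days 3650
openssl x509 -x509toreq -in "certs/$1/$1-key.pem" -signkey "certs/$1/$1-key.pem" -out "certs/$1/$1-csr.pem"
EOF

  write_script signar_csr_a_traves_de_la_nostra_CA \
    "Certifiquem CSRs a través de la nostra CA" <<'EOF'
# policy_anything: the requested DN need not match the CA's own DN fields.
openssl ca -config config/openssl.cnf -policy policy_anything -md sha256 -out "certs/$1/$1-crt.pem" -infiles "certs/$1/$1-csr.pem"
EOF

  write_script signar_csr_a_traves_de_la_nostra_CA_multidomini \
    "Certifiquem CSRs a través de la nostra CA" <<'EOF'
# Uses the SAN list written into config/openssl_multidomini.cnf by the last
# run of crear_certificat_x509_per_signar_la_nostra_CA_multidomini.
openssl ca -config config/openssl_multidomini.cnf -policy policy_anything -md sha256 -out "certs/$1/$1-crt.pem" -infiles "certs/$1/$1-csr.pem"
EOF

  write_script convertir_certificats_format_pkcs12 \
    "Converteix certificats a format PKCS#12 pels navegadors" <<'EOF'
# The CA certificate is certs/ca-crt.pem (the original pointed -certfile at a
# non-existent certs/ca.crt.pem).
openssl pkcs12 -export -inkey "certs/$1/$1-key.pem" -in "certs/$1/$1-crt.pem" -certfile certs/ca-crt.pem -out "certs/$1/$1-key-crt-cacrt.p12" -name "$1 CERTIFICATE"
EOF

  write_script revocar_certificat \
    "Revoca un certificat de la base de dades i genera el CRL" <<'EOF'
openssl ca -config config/openssl.cnf -revoke "certs/$1/$1-crt.pem"
openssl ca -config config/openssl.cnf -gencrl -md sha256 -crldays 7 -out crl/ca-crl.pem
echo "El fitxer: crl/ca-crl.pem a d'estar accesible pels usuaris"
EOF

  write_script renova_certificat \
    "Renova un certificat: genera un nou CSR a partir del certificat actual" <<'EOF'
if [ -e "certs/$1/$1-csr.pem" ]; then
  mv -- "certs/$1/$1-csr.pem" "certs/$1/$1-csr.pem.old"
fi
openssl x509 -signkey "certs/$1/$1-key.pem" -in "certs/$1/$1-crt.pem" -x509toreq -out "certs/$1/$1-csr.pem"
openssl req -in "certs/$1/$1-csr.pem" -noout -verify -text
EOF

  write_script signar_renovacio_certificat \
    "Signa la renovació del certificat" <<'EOF'
# Revoke the current certificate and publish the CRL before issuing the new one.
openssl ca -config config/openssl.cnf -revoke "certs/$1/$1-crt.pem"
openssl ca -config config/openssl.cnf -gencrl -md sha256 -crldays 7 -out crl/ca-crl.pem
mv -- "certs/$1/$1-crt.pem" "certs/$1/$1-crt.pem.old"
openssl ca -config config/openssl.cnf -policy policy_anything -md sha256 -out "certs/$1/$1-crt.pem" -infiles "certs/$1/$1-csr.pem"
EOF

  write_script mostra_certificat "Mostra Certificat" <<'EOF'
openssl x509 -in "certs/$1/$1-crt.pem" -noout -text
EOF

  write_script renova_certificat_de_la_ca "Renova el certificat de la CA" noarg <<'EOF'
# Re-sign the CA certificate with the same key for another 10 years; subject
# and key stay the same, so already issued certificates should keep verifying.
mv -- certs/ca-crt.pem certs/ca-crt.pem.old
openssl x509 -in certs/ca-crt.pem.old -days 3650 -sha256 -enddate -out certs/ca-crt.pem -signkey private/ca-key.pem
EOF

  write_script crear_domainkey "DomainKey Certificat" <<'EOF'
# Export the public half of the host key (the name suggests DomainKeys use).
openssl rsa -in "certs/$1/$1-key.pem" -pubout -out "certs/$1/$1-domainkey.pem"
EOF
}

#######################################
# Entry point.
# Arguments: $1 - FQDN the CA is named after (directory <fqdn>_CA, URLs)
#            $2 - company name for the DN defaults (default: $1)
#######################################
main() {
  [[ -n "${1:-}" ]] || usage
  local fqdn=$1
  local company=${2:-$1}
  # The FQDN becomes a directory name and is spliced into the config's URLs:
  # allow hostname characters only so it carries no shell or sed metacharacters.
  [[ "$fqdn" =~ ^[A-Za-z0-9._-]+$ ]] || die "FQDN no vàlid: $fqdn"
  make_layout "${CA_BASE_DIR}/${fqdn}_CA"
  make_config "$fqdn" "$company"
  make_ca
  write_admin_scripts
  chmod 700 bin/*
  # chown needs root; the original just failed noisily here when unprivileged.
  if (( EUID == 0 )); then
    chown root:root bin/*
  else
    printf 'avís: no sóc root, no canvio el propietari de bin/*\n' >&2
  fi
}

main "$@"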