Script vintage per crear una CA pròpia amb OpenSSL

Una mica antic, però l’he pogut recuperar d’un backup.

Crea un entorn per gestionar una CA pròpia amb scripts per ajudar a administrar.

#!/bin/bash

#   crearCA
#
#   Copyright (c) 2008 Sergi Coll i Siria  (sergi @ nit.cat)
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
#                                                                             

# Make Own Certificate Authority and administration scripts

# v0.1a - Initial release
# v0.2a - Add script to make certificate for multiples domains

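# Usage: crearCA <fqdn> [empresa]
#   $1 - FQDN of the CA host. It becomes the CA directory name (/tmp/<fqdn>_CA)
#        and is written into the URLs of openssl.cnf, so it is restricted to
#        host-name characters: no "/", "..", spaces or shell metacharacters.
#   $2 - company name for the certificate subject; defaults to the FQDN.
if [ ! "$1" ]; then
        echo "ERROR: Cal posar 1 argument" >&2
        echo "$0 exemple.fqdn.cat [empresa]" >&2
        exit 1
fi
case "$1" in
        *[!A-Za-z0-9._-]*|.|..)
                echo "ERROR: el nom ha de ser un FQDN (lletres, xifres, punts i guions): $1" >&2
                exit 1 ;;
esac
# Empty or missing second argument falls back to the FQDN.
company=${2:-$1}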

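# Creem l'estructura de directoris per la nostra CA.
# NOTE(review): /tmp is world-writable and cleared on reboot; the CA is built
# here only because the original did so. Move it to a protected location (and
# back up private/) once it is created.
ca_base=/tmp
ca_dir="$ca_base/$1_CA"
cd -- "$ca_base" || exit 1
# A pre-existing directory means a CA already lives there: refuse rather than
# overwrite its serial, index and (later on) its private key.
if [ -e "$ca_dir" ]; then
        echo "ERROR: $ca_dir ja existeix" >&2
        exit 1
fi
mkdir -- "$ca_dir" || exit 1
cd -- "$ca_dir" || exit 1
mkdir bin config certs crl newcerts private || exit 1
# private/ will hold the CA key: owner-only access.
chmod 700 private
echo "01" > serial
echo "01" > crlnumber
touch index.txt.attr
touch index.txt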

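# Modifiquem el fitxer de configuració openssl per defecte amb els nostres valors.
#
# A single sed pass holding every edit replaces the original cp/cat/sed round
# trips through openssl.cnf.tmp; the expressions are the original ones, in the
# original order, so the resulting file is the same.
openssl_cnf=${OPENSSL_CNF:-/etc/pki/tls/openssl.cnf}   # RHEL/Fedora layout
if [ ! -r "$openssl_cnf" ] && [ -r /etc/ssl/openssl.cnf ]; then
        openssl_cnf=/etc/ssl/openssl.cnf                # Debian/Ubuntu layout
fi
if [ ! -r "$openssl_cnf" ]; then
        echo "ERROR: no trobo el fitxer de configuració $openssl_cnf" >&2
        exit 1
fi

#######################################
# Escape a string for use inside sed replacement/append text. The delimiter
# (/), & and backslash are interpreted by sed there, so an unescaped company
# such as "Foo & Bar S/L" would alter the substitution instead of being
# inserted verbatim.
# Arguments: $1 - raw string
# Outputs:   escaped string to stdout
#######################################
sed_escape() {
        printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}
company_sed=$(sed_escape "$company")
host_sed=$(sed_escape "$1")

sed -e 's/\.\/demoCA/\./' \
        -e 's/\/etc\/pki\/CA/\./' \
        -e 's/\#unique_subject/unique_subject/' \
        -e "s/OpenSSL Generated Certificate/$company_sed OpenSSL Generated Certificate/" \
        -e 's/XX/CA/' \
        -e 's/Default Province/Catalunya/' \
        -e 's/\#stateOrProvinceName_default/stateOrProvinceName_default/' \
        -e 's/Default City/Barcelona/' \
        -e "s/Default Company Ltd/$company_sed/" \
        -e 's/cacert.pem/certs\/ca-crt.pem/' \
        -e 's/cakey.pem/ca-key.pem/' \
        -e "/# copy_extensions = copy/ a\ copy_extensions = copy\n " \
        -e "/#nsSslServerName/ a\ nsBaseUrl  = https://www.$host_sed/ssl/\n\ nsCaRevocationUrl = https://www.$host_sed/ssl/ca.crl\n\ nsCaPolicyUrl  = https://www.$host_sed/ssl/policy.html\n\ issuerAltName = URI:https://www.$host_sed/ssl/ca.crt\n\ " \
        "$openssl_cnf" > config/openssl.cnf || exit 1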
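# Creem el certificat de la CA amb la nostra configuració.
# NOTE(review): key size and signature digest come from default_bits /
# default_md in the copied openssl.cnf; on a 2008-era file those are typically
# 1024/sha1, which relying parties no longer accept. Check config/openssl.cnf
# (or pass -newkey rsa:4096 -sha256 here) before issuing anything with this CA.
openssl req -new -x509 -keyout private/ca-key.pem -out certs/ca-crt.pem -days 3650 -config config/openssl.cnf || exit 1
# The CA key is the whole trust anchor: owner-only, even inside private/.
chmod 600 private/ca-key.pem

# Convertim  el certificat de la CA a format DER per si fa falta en un LDAP
#openssl x509 -in certs/ca-crt.pem -outform der  -out certs/ca-crt-der.pem

# Creem el CRL
openssl ca -gencrl -crldays 15 -out crl/ca-crl.pem -config config/openssl.cnf || exit 1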

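# Creem els scripts d'administració de la CA.
#
# Each script is self-contained and is run as bin/<script> <nom>. The common
# prologue (shebang, cd to the CA directory, argument check) is printed by
# capcalera; the body follows in a quoted here-doc, so "$1" in the bodies is
# written literally and nothing is expanded while this generator runs. (The
# original opened its here-docs with <<eof and closed them with EOF, which
# never match, so everything after the first opener landed in the first file.)

#######################################
# Print the common prologue of an administration script.
# Arguments: $1 - one-line description the script echoes when it starts
# Outputs:   the prologue to stdout
#######################################
capcalera() {
        printf '%s\n' \
                '#!/bin/bash' \
                "echo \"$1\"" \
                '# Always work from the CA directory, whatever the current directory is' \
                'cd "$(dirname -- "$0")/.." || exit 1' \
                'if [ ! "$1" ]; then' \
                '        echo "ERROR: Cal posar 1 argument" >&2' \
                '        echo "$0 exemple.fqdn.cat" >&2' \
                '        exit 1' \
                'fi' \
                '# The name is used as a path component under certs/: host-name characters only' \
                'case "$1" in' \
                '        *[!A-Za-z0-9._-]*|.|..)' \
                '                echo "ERROR: nom no vàlid: $1" >&2' \
                '                exit 1 ;;' \
                'esac'
}

{
        capcalera "Creem la clau SSL (Key) i després Certificate Signing Request (CSR)"
        cat <<'EOF'
mkdir -p "certs/$1"
# Es crea la clau (key) ssl i després creem el  Certificate Signing Request (CSR)
# The key is written unencrypted, which is what the original ended up with (it
# generated a DES3-protected key and immediately overwrote it with a plain one).
# 2048 bits: 1024-bit RSA is no longer accepted by relying parties.
openssl genrsa -out "certs/$1/$1-key.pem" 2048
chmod 600 "certs/$1/$1-key.pem"
openssl req -config config/openssl.cnf -new -key "certs/$1/$1-key.pem" -out "certs/$1/$1-csr.pem"

# Per veure el contingut del certificat
echo "openssl req -config config/openssl.cnf -noout -text -in certs/$1/$1-csr.pem"
echo "openssl rsa -noout -text -in certs/$1/$1-key.pem"
EOF
} > bin/crear_certificat_per_signar_CA_externa

{
        capcalera "Cree els Certificate Signing Request (CSR) per que la signi la nostra CA"
        cat <<'EOF'
mkdir -p "certs/$1"
# Key and self-signed certificate share one file (the original layout);
# x509toreq then rebuilds a CSR from that certificate for our CA to sign.
openssl req -config config/openssl.cnf -nodes -new -x509 -keyout "certs/$1/$1-key.pem" -out "certs/$1/$1-key.pem" -days 365
chmod 600 "certs/$1/$1-key.pem"
openssl x509 -x509toreq -in "certs/$1/$1-key.pem" -signkey "certs/$1/$1-key.pem" -out "certs/$1/$1-csr.pem"
EOF
} > bin/crear_certificat_x509_per_signar_la_nostra_CA

{
        capcalera "Cree els Certificate Signing Request (CSR) per que la signi la nostra CA"
        cat <<'EOF'
echo "Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish"
SANAMES=""
while :; do
        printf "SubjectAltName (email:,URI:,DNS:,RID:,IP:,dirName:): "
        IFS= read -r SAN || break
        [ "$SAN" = "" ] && break   # end of input
        if [ "$SANAMES" = "" ]; then
                SANAMES="$SAN"
        else
                SANAMES="$SANAMES, $SAN"
        fi
done
# The list goes into sed append text, where a backslash is an escape: double them.
SANAMES=${SANAMES//\\/\\\\}
sed -e "/# subjectAltName=email:move/ a\ subjectAltName = $SANAMES\n \ " config/openssl.cnf > config/openssl_multidomini.cnf

mkdir -p "certs/$1"
openssl req -config config/openssl_multidomini.cnf -nodes -new -x509 -keyout "certs/$1/$1-key.pem" -out "certs/$1/$1-key.pem" -days 3650
chmod 600 "certs/$1/$1-key.pem"
openssl x509 -x509toreq -in "certs/$1/$1-key.pem" -signkey "certs/$1/$1-key.pem" -out "certs/$1/$1-csr.pem"
EOF
} > bin/crear_certificat_x509_per_signar_la_nostra_CA_multidomini

{
        capcalera "Certifiquem CSRs a través de la nostra CA"
        cat <<'EOF'
# policy_anything: the subject need not match the CA's own fields, so review
# the CSR (openssl req -noout -text -in ...) before signing.
openssl ca -config config/openssl.cnf -policy policy_anything -out "certs/$1/$1-crt.pem" -infiles "certs/$1/$1-csr.pem"
EOF
} > bin/signar_csr_a_traves_de_la_nostra_CA

{
        capcalera "Certifiquem CSRs a través de la nostra CA"
        cat <<'EOF'
# Uses the per-request config written by the multidomini CSR script (carries the
# subjectAltName list); policy_anything as in the single-domain variant.
openssl ca -config config/openssl_multidomini.cnf -policy policy_anything -out "certs/$1/$1-crt.pem" -infiles "certs/$1/$1-csr.pem"
EOF
} > bin/signar_csr_a_traves_de_la_nostra_CA_multidomini

{
        capcalera "Converteix certificats a format PKCS#12 pels navegadors"
        cat <<'EOF'
# The CA certificate is certs/ca-crt.pem (the original pointed -certfile at a
# non-existent certs/ca.crt.pem, so the export failed).
openssl pkcs12 -export -inkey "certs/$1/$1-key.pem" -in "certs/$1/$1-crt.pem" -certfile certs/ca-crt.pem -out "certs/$1/$1-key-crt-cacrt.p12" -name "$1 CERTIFICATE"
EOF
} > bin/convertir_certificats_format_pkcs12

{
        capcalera "Revoca un certificat de la base de dades i genera el CRL"
        cat <<'EOF'
openssl ca -config config/openssl.cnf -revoke "certs/$1/$1-crt.pem"
openssl ca -config config/openssl.cnf -gencrl -crldays 7 -out crl/ca-crl.pem
echo "El fitxer: crl/ca-crl.pem a d'estar accesible pels usuaris"
EOF
} > bin/revocar_certificat

{
        capcalera "Genera un nou CSR a partir del certificat actual per renovar-lo"
        cat <<'EOF'
mv "certs/$1/$1-csr.pem" "certs/$1/$1-csr.pem.old"
openssl x509 -signkey "certs/$1/$1-key.pem" -in "certs/$1/$1-crt.pem" -x509toreq -out "certs/$1/$1-csr.pem"
openssl req -in "certs/$1/$1-csr.pem" -noout -verify -text
EOF
} > bin/renova_certificat

{
        capcalera "Signa la renovació del certificat"
        cat <<'EOF'
# The current certificate is revoked and the CRL regenerated before the renewed
# CSR is signed, so the old serial cannot stay valid alongside the new one.
openssl ca -config config/openssl.cnf -revoke "certs/$1/$1-crt.pem"
openssl ca -config config/openssl.cnf -gencrl -crldays 7 -out crl/ca-crl.pem
mv "certs/$1/$1-crt.pem" "certs/$1/$1-crt.pem.old"
openssl ca -config config/openssl.cnf -policy policy_anything -out "certs/$1/$1-crt.pem" -infiles "certs/$1/$1-csr.pem"
EOF
} > bin/signar_renovacio_certificat

{
        capcalera "Mostra Certificat"
        cat <<'EOF'
openssl x509 -in "certs/$1/$1-crt.pem" -noout -text
EOF
} > bin/mostra_certificat

# Takes no argument, so it does not use the common prologue.
cat <<'EOF' > bin/renova_certificat_de_la_ca
#!/bin/bash
cd "$(dirname -- "$0")/.." || exit 1
mv certs/ca-crt.pem certs/ca-crt.pem.old || exit 1
openssl x509 -in certs/ca-crt.pem.old -days 3650 -enddate -out certs/ca-crt.pem -signkey private/ca-key.pem
EOF

{
        capcalera "DomainKey Certificat"
        cat <<'EOF'
openssl rsa -in "certs/$1/$1-key.pem" -pubout -out "certs/$1/$1-domainkey.pem"
EOF
} > bin/crear_domainkey

chmod 700 bin/*
# chown only succeeds as root; the scripts remain usable by their owner otherwise.
chown root:root bin/* 2>/dev/null || echo "AVÍS: no s'ha pogut fer chown root:root bin/* (cal ser root)" >&2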