|
3 |
# Univention SSL |
3 |
# Univention SSL |
4 |
# gencertificate script |
4 |
# gencertificate script |
5 |
# |
5 |
# |
6 |
# Copyright 2004-2011 Univention GmbH |
6 |
# Copyright 2004-2012 Univention GmbH |
7 |
# |
7 |
# |
8 |
# http://www.univention.de/ |
8 |
# http://www.univention.de/ |
9 |
# |
9 |
# |
|
35 |
# http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/ |
35 |
# http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/ |
36 |
|
36 |
|
37 |
if [ -n "$sslbase" ]; then |
37 |
if [ -n "$sslbase" ]; then |
38 |
SSLBASE="$sslbase" |
38 |
SSLBASE="$sslbase" |
39 |
else |
39 |
else |
40 |
SSLBASE=/etc/univention/ssl |
40 |
SSLBASE=/etc/univention/ssl |
41 |
fi |
41 |
fi |
42 |
|
42 |
|
43 |
CA=ucsCA |
43 |
CA=ucsCA |
|
57 |
fi |
57 |
fi |
58 |
|
58 |
|
59 |
mk_config () { |
59 |
mk_config () { |
60 |
|
60 |
local outfile=$1 |
61 |
local outfile=$1; |
61 |
local password=$2 |
62 |
local password=$2; |
|
|
63 |
local days=$3 |
62 |
local days=$3 |
64 |
local name=$4 |
63 |
local name=$4 |
65 |
|
64 |
|
66 |
if test -e $outfile; then |
65 |
if test -e "$outfile"; then |
67 |
rm $outfile; |
66 |
rm -f "$outfile" |
68 |
fi |
67 |
fi |
69 |
touch $outfile; |
68 |
touch "$outfile" |
70 |
chmod 0600 $outfile; |
69 |
chmod 0600 "$outfile" |
71 |
|
70 |
|
72 |
eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)" |
71 |
eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)" |
73 |
|
72 |
|
74 |
|
73 |
cat >"$outfile" <<EOF |
75 |
cat <<EOF >>$outfile |
|
|
76 |
|
77 |
# HOME = . |
74 |
# HOME = . |
78 |
# RANDFILE = \$ENV::HOME/.rnd |
75 |
# RANDFILE = \$ENV::HOME/.rnd |
79 |
# oid_section = new_oids |
76 |
# oid_section = new_oids |
136 |
distinguished_name = req_distinguished_name |
133 |
distinguished_name = req_distinguished_name |
137 |
attributes = req_attributes |
134 |
attributes = req_attributes |
138 |
x509_extensions = v3_ca |
135 |
x509_extensions = v3_ca |
139 |
|
|
|
140 |
EOF |
136 |
EOF |
141 |
|
137 |
|
142 |
if [ "$password" ]; then |
138 |
if [ -n "$password" ]; then |
143 |
cat <<EOF >>$outfile |
139 |
cat >>"$outfile" <<EOF |
144 |
input_password = $password |
140 |
input_password = $password |
145 |
output_password = $password |
141 |
output_password = $password |
146 |
EOF |
142 |
EOF |
147 |
fi; |
143 |
fi |
148 |
|
144 |
|
149 |
cat <<EOF >>$outfile |
145 |
cat >>"$outfile" <<EOF |
150 |
|
146 |
|
151 |
string_mask = nombstr |
147 |
string_mask = nombstr |
152 |
req_extensions = v3_req |
148 |
req_extensions = v3_req |
219 |
|
215 |
|
220 |
issuerAltName = issuer:copy |
216 |
issuerAltName = issuer:copy |
221 |
authorityKeyIdentifier = keyid:always,issuer:always |
217 |
authorityKeyIdentifier = keyid:always,issuer:always |
222 |
|
|
|
223 |
EOF |
218 |
EOF |
224 |
chmod 0600 $outfile |
219 |
chmod 0600 "$outfile" |
225 |
|
|
|
226 |
} |
220 |
} |
227 |
|
221 |
|
228 |
move_cert () { |
222 |
move_cert () { |
229 |
local new; |
223 |
local count=0 |
230 |
local count=0; |
224 |
local OPWD=$(pwd) |
231 |
local linkname; |
225 |
cd "$SSLBASE" |
232 |
local hash; |
226 |
|
233 |
local OPWD=`pwd`; |
227 |
local i |
234 |
cd "$SSLBASE"; |
228 |
for i in "$@"; do |
235 |
|
229 |
if [ -f "$i" ] |
236 |
for i; do |
230 |
then |
237 |
if [ -f "$i" ]; then |
231 |
local new="${SSLBASE}/${CA}/certs/$(basename "$i")" |
238 |
new="${SSLBASE}/${CA}/certs/"`basename $i`; |
232 |
mv "$i" "$new" |
239 |
mv "$i" "$new"; |
233 |
local hash=$(openssl x509 -hash -noout -in "$new") |
240 |
hash=`openssl x509 -hash -noout -in "$new"`; |
234 |
while : |
241 |
while :; do |
235 |
do |
242 |
linkname="${CA}/certs/""$hash"".""$count"; |
236 |
local linkname="${CA}/certs/${hash}.${count}" |
243 |
if [ -h "$linkname" ]; then |
237 |
if [ -h "$linkname" ] |
244 |
count=$((count + 1)); |
238 |
then |
245 |
continue; |
239 |
count=$((count + 1)) |
246 |
else |
240 |
continue |
247 |
ln -s "$new" "$linkname"; |
241 |
else |
248 |
break; |
242 |
ln -s "$new" "$linkname" |
249 |
fi; |
243 |
break |
250 |
done; |
244 |
fi |
251 |
fi; |
245 |
done |
252 |
done; |
246 |
fi |
253 |
cd "$OPWD" |
247 |
done |
|
|
248 |
cd "$OPWD" |
254 |
} |
249 |
} |
255 |
|
250 |
|
256 |
init () { |
251 |
init () { |
|
266 |
chmod 600 "$SSLBASE/password" |
261 |
chmod 600 "$SSLBASE/password" |
267 |
makepasswd > "$SSLBASE/password" |
262 |
makepasswd > "$SSLBASE/password" |
268 |
fi |
263 |
fi |
269 |
PASSWD=`cat "$SSLBASE/password"` |
264 |
local PASSWD=`cat "$SSLBASE/password"` |
270 |
|
265 |
|
271 |
local OPWD=`pwd`; |
266 |
local OPWD=$(pwd) |
272 |
|
267 |
|
273 |
# create directory infrastructure |
268 |
# create directory infrastructure |
274 |
cd "$SSLBASE" |
269 |
cd "$SSLBASE" |
275 |
mkdir -m 700 -p ${CA}; |
270 |
mkdir -m 700 -p "${CA}" |
276 |
mkdir -p ${CA}/{certs,crl,newcerts,private}; |
271 |
mkdir -p "${CA}/"{certs,crl,newcerts,private} |
277 |
echo "01" > ${CA}/serial; |
272 |
echo "01" >"${CA}/serial" |
278 |
touch ${CA}/index.txt; |
273 |
touch "${CA}/index.txt" |
279 |
|
274 |
|
280 |
eval "$(ucr shell ssl/common)" |
275 |
eval "$(ucr shell ssl/common)" |
281 |
|
276 |
|
282 |
# make the root-CA configuration file |
277 |
# make the root-CA configuration file |
283 |
mk_config openssl.cnf $PASSWD $DEFAULT_DAYS "$ssl_common" |
278 |
mk_config openssl.cnf "$PASSWD" "$DEFAULT_DAYS" "$ssl_common" |
284 |
|
279 |
|
285 |
|
280 |
openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048 |
286 |
openssl genrsa -des3 -passout pass:"$PASSWD" -out ${CA}/private/CAkey.pem 2048 |
281 |
yes '' | openssl req -config openssl.cnf -new -x509 -days "$DEFAULT_DAYS" -key "${CA}/private/CAkey.pem" -out "${CA}/CAcert.pem" |
287 |
yes '' | openssl req -config openssl.cnf -new -x509 -days $DEFAULT_DAYS -key ${CA}/private/CAkey.pem -out ${CA}/CAcert.pem |
|
|
288 |
|
282 |
|
289 |
# copy the public key to a place, from where browsers can access it |
283 |
# copy the public key to a place, from where browsers can access it |
290 |
openssl x509 -in ${CA}/CAcert.pem -out /var/www/ucs-root-ca.crt |
284 |
openssl x509 -in "${CA}/CAcert.pem" -out /var/www/ucs-root-ca.crt |
291 |
|
285 |
|
292 |
# mv the certificate to the certs dir and link it to its hash value |
286 |
# mv the certificate to the certs dir and link it to its hash value |
293 |
cp ${CA}/CAcert.pem ${CA}/newcerts/00.pem |
287 |
cp "${CA}/CAcert.pem" "${CA}/newcerts/00.pem" |
294 |
move_cert ${CA}/newcerts/00.pem |
288 |
move_cert "${CA}/newcerts/00.pem" |
295 |
|
289 |
|
296 |
# generate root ca request |
290 |
# generate root ca request |
297 |
openssl x509 -x509toreq -in ${CA}/CAcert.pem -signkey ${CA}/private/CAkey.pem -out ${CA}/CAreq.pem -passin pass:$PASSWD |
291 |
openssl x509 -x509toreq -in "${CA}/CAcert.pem" -signkey "${CA}/private/CAkey.pem" -out "${CA}/CAreq.pem" -passin pass:"$PASSWD" |
298 |
|
292 |
|
299 |
find ${CA} -type f | xargs chmod 600 |
293 |
find "${CA}" -type f -exec chmod 600 {} + |
300 |
find ${CA} -type d | xargs chmod 700 |
294 |
find "${CA}" -type d -exec chmod 700 {} + |
301 |
|
295 |
|
302 |
chmod 755 ${CA} |
296 |
chmod 755 "${CA}" |
303 |
chmod 644 ${CA}/CAcert.pem |
297 |
chmod 644 "${CA}/CAcert.pem" |
304 |
#generate empty crl at installation time |
298 |
#generate empty crl at installation time |
305 |
openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD" |
299 |
openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD" |
306 |
openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der |
300 |
openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der |
307 |
|
301 |
|
308 |
cd "$OPWD" |
302 |
cd "$OPWD" |
309 |
} |
303 |
} |
310 |
|
304 |
|
311 |
|
305 |
|
312 |
list_cert_names () { |
306 |
list_cert_names () { |
313 |
local OPWD=`pwd` |
307 |
local OPWD=$(pwd) |
314 |
cd "$SSLBASE" |
308 |
cd "$SSLBASE" |
315 |
awk 'BEGIN { FS="\t"; } |
309 |
awk 'BEGIN { FS="\t"; } |
316 |
{ if ( $1 == "V" ) |
310 |
{ if ( $1 == "V" ) |
|
323 |
} |
317 |
} |
324 |
} |
318 |
} |
325 |
} |
319 |
} |
326 |
}'< ${CA}/index.txt |
320 |
}' <"${CA}/index.txt" |
327 |
cd "$OPWD" |
321 |
cd "$OPWD" |
328 |
} |
322 |
} |
329 |
|
323 |
|
330 |
|
324 |
|
331 |
has_valid_cert () { |
325 |
has_valid_cert () { |
332 |
list_cert_names | egrep -q "$1$"; |
326 |
list_cert_names | egrep -q "$1$" |
333 |
} |
327 |
} |
334 |
|
328 |
|
335 |
renew_cert () { |
329 |
renew_cert () { |
336 |
local OPWD=`pwd`; |
330 |
local OPWD=$(pwd) |
337 |
cd "$SSLBASE"; |
331 |
cd "$SSLBASE" |
338 |
|
332 |
|
339 |
if [ -z "$1" ]; then |
333 |
if [ -z "$1" ]; then |
340 |
echo "missing certificate name" 1>&2; |
334 |
echo "missing certificate name" 1>&2 |
341 |
return 1; |
335 |
return 1 |
342 |
fi |
336 |
fi |
343 |
|
337 |
|
344 |
local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`; |
338 |
local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'` |
345 |
if [ -z "$NUM" ]; then |
339 |
if [ -z "$NUM" ]; then |
346 |
echo "no certificate for $1 registered" 1>&2; |
340 |
echo "no certificate for $1 registered" >&2 |
347 |
return 1; |
341 |
return 1 |
348 |
fi; |
342 |
fi |
349 |
|
343 |
|
350 |
if [ -z "$2" ]; then |
344 |
if [ -z "$2" ]; then |
351 |
days=$DEFAULT_DAYS |
345 |
days=$DEFAULT_DAYS |
352 |
fi |
346 |
fi |
353 |
|
347 |
|
354 |
# revoke cert |
348 |
# revoke cert |
355 |
revoke_cert $1 |
349 |
revoke_cert "$1" |
356 |
|
350 |
|
357 |
# get host extension file |
351 |
# get host extension file |
358 |
hostExt=$(ucr get ssl/host/extensions) |
352 |
hostExt=$(ucr get ssl/host/extensions) |
359 |
if [ -s "$hostExt" ]; then |
353 |
if [ -s "$hostExt" ]; then |
360 |
source $hostExt |
354 |
. "$hostExt" |
361 |
extFile=$(createHostExtensionsFile "$1") |
355 |
extFile=$(createHostExtensionsFile "$1") |
362 |
fi |
356 |
fi |
363 |
|
357 |
|
364 |
# sign the request |
358 |
# sign the request |
365 |
if [ -s "$extFile" ]; then |
359 |
if [ -s "$extFile" ]; then |
366 |
openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \ |
360 |
openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \ |
367 |
-out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" |
361 |
-out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" |
368 |
rm -f "$extFile" |
362 |
rm -f "$extFile" |
369 |
else |
363 |
else |
370 |
openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \ |
364 |
openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \ |
371 |
-out "$1/cert.pem" -passin pass:"$PASSWD" |
365 |
-out "$1/cert.pem" -passin pass:"$PASSWD" |
372 |
fi |
366 |
fi |
373 |
|
367 |
|
374 |
# move the new certificate to its place |
368 |
# move the new certificate to its place |
375 |
move_cert ${CA}/newcerts/*; |
369 |
move_cert "${CA}/newcerts/"* |
376 |
cd "$OPWD"; |
370 |
cd "$OPWD" |
377 |
} |
371 |
} |
378 |
|
372 |
|
379 |
# Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll |
373 |
# Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll |
380 |
|
374 |
|
381 |
revoke_cert () { |
375 |
revoke_cert () { |
382 |
local OPWD=`pwd`; |
376 |
local OPWD=`pwd` |
383 |
cd "$SSLBASE"; |
377 |
cd "$SSLBASE" |
384 |
|
378 |
|
385 |
if [ -z "$1" ]; then |
379 |
if [ -z "$1" ]; then |
386 |
echo "missing certificate name" 1>&2; |
380 |
echo "missing certificate name" >&2 |
387 |
return 1; |
381 |
return 1 |
388 |
fi |
382 |
fi |
389 |
|
383 |
|
390 |
local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`; |
384 |
local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'` |
391 |
if [ -z "$NUM" ]; then |
385 |
if [ -z "$NUM" ]; then |
392 |
echo "no certificate for $1 registered" 1>&2; |
386 |
echo "no certificate for $1 registered" >&2 |
393 |
return 1; |
387 |
return 1 |
394 |
fi; |
388 |
fi |
395 |
openssl ca -config openssl.cnf -revoke ${CA}/certs/${NUM}.pem -passin pass:"$PASSWD" |
389 |
openssl ca -config openssl.cnf -revoke "${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD" |
396 |
openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD" |
390 |
openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD" |
397 |
openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der |
391 |
openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der |
398 |
|
392 |
|
399 |
cd "$OPWD"; |
393 |
cd "$OPWD" |
400 |
} |
394 |
} |
401 |
|
395 |
|
402 |
|
396 |
|
|
410 |
local OPWD=`pwd` |
404 |
local OPWD=`pwd` |
411 |
cd "$SSLBASE" |
405 |
cd "$SSLBASE" |
412 |
if has_valid_cert "$2"; then |
406 |
if has_valid_cert "$2"; then |
413 |
revoke_cert "$2"; |
407 |
revoke_cert "$2" |
414 |
fi; |
408 |
fi |
415 |
|
409 |
|
416 |
days=$(/usr/sbin/univention-config-registry get ssl/default/days) |
410 |
local days=$(/usr/sbin/univention-config-registry get ssl/default/days) |
417 |
if [ -z "$days" ]; then |
411 |
if [ -z "$days" ]; then |
418 |
days=$DEFAULT_DAYS |
412 |
days=$DEFAULT_DAYS |
419 |
fi |
413 |
fi |
420 |
# generate a key pair |
414 |
# generate a key pair |
421 |
mkdir -pm 700 $name |
415 |
mkdir -pm 700 "$name" |
422 |
mk_config "$name/openssl.cnf" "" $days "$cn" |
416 |
mk_config "$name/openssl.cnf" "" "$days" "$cn" |
423 |
openssl genrsa -out "$name/private.key" 1024 |
417 |
openssl genrsa -out "$name/private.key" 1024 |
424 |
yes '' | openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem" |
418 |
yes '' | openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem" |
425 |
|
419 |
|
426 |
# get host extension file |
420 |
# get host extension file |
427 |
hostExt=$(ucr get ssl/host/extensions) |
421 |
local hostExt=$(ucr get ssl/host/extensions) |
428 |
if [ -s "$hostExt" ]; then |
422 |
if [ -s "$hostExt" ]; then |
429 |
source $hostExt |
423 |
. "$hostExt" |
430 |
extFile=$(createHostExtensionsFile "$cn") |
424 |
local extFile=$(createHostExtensionsFile "$cn") |
431 |
fi |
425 |
fi |
432 |
|
426 |
|
433 |
# sign the key |
427 |
# sign the key |
434 |
if [ -s "$extFile" ]; then |
428 |
if [ -s "$extFile" ]; then |
435 |
openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ |
429 |
openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ |
436 |
-out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" |
430 |
-out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" |
437 |
rm -f "$extFile" |
431 |
rm -f "$extFile" |
438 |
else |
432 |
else |
439 |
openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ |
433 |
openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ |
440 |
-out "$name/cert.pem" -passin pass:"$PASSWD" |
434 |
-out "$name/cert.pem" -passin pass:"$PASSWD" |
441 |
fi |
435 |
fi |
442 |
|
436 |
|
443 |
# move the new certificate to its place |
437 |
# move the new certificate to its place |
444 |
move_cert ${CA}/newcerts/*; |
438 |
move_cert "${CA}/newcerts/"* |
445 |
|
439 |
|
446 |
find $name -type f | xargs chmod 600 |
440 |
find "$name" -type f -exec chmod 600 {} + |
447 |
find $name -type d | xargs chmod 700 |
441 |
find "$name" -type d -exec chmod 700 {} + |
448 |
cd "$OPWD" |
442 |
cd "$OPWD" |
449 |
} |
443 |
} |
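Review bot: The CA passphrase is still handed to openssl on the command line as `-passin pass:"$PASSWD"` / `-passout pass:"$PASSWD"` (new lines 280, 291, 299, 361, 365, 389, 390, 430, 434), so for the lifetime of each `openssl` process it is readable by any local user via `ps` or `/proc/*/cmdline`; the quoting added in this change does not alter that. Because the passphrase already lives in `$SSLBASE/password` with mode 600 (new lines 261-262), the cheapest fix is to read it from there, e.g. `openssl genrsa -des3 -passout file:"$SSLBASE/password" -out "${CA}/private/CAkey.pem" 2048` and `-passin file:"$SSLBASE/password"` on the `openssl ca` / `openssl x509` calls; the same secret is also written in cleartext as `input_password`/`output_password` into every generated openssl.cnf by `mk_config`, which at least is chmod 0600. Separately, `init` now declares `local PASSWD=` (new line 264) where the old code set a global, yet `renew_cert`, `revoke_cert` and the signing in the last function all read `$PASSWD`; unless the part of the file above line 57 populates `PASSWD` globally, those paths run with an empty passphrase after a fresh `init`, which looks like a regression worth confirming. Host keys are also still created with `openssl genrsa ... 1024` (new line 417) while the CA itself uses 2048 bits; 1024-bit RSA is below what current guidance accepts and should be raised to 2048. The last function's header lies outside the hunk and the hunk may continue past the closing brace shown.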