From 45064849e2292461bba795cbaee66068552b77d6 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Tue, 4 May 2004 19:43:36 +0000
Subject: Implement support for generation and use of certified host certificates (but not yet generation of CAcert).
---
 localmksslcerts | 111 +++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 82 insertions(+), 29 deletions(-)
(limited to 'localmksslcerts')
diff --git a/localmksslcerts b/localmksslcerts
index bf9b8b9..db6da7a 100755
--- a/localmksslcerts
+++ b/localmksslcerts
@@ -1,28 +1,17 @@
 #!/bin/sh
 #
 # /usr/local/sbin/localmksslcerts
-# Copyright 2001-2002 Jonas Smedegaard
+# Copyright 2001-2004 Jonas Smedegaard
 #
-# $Id: localmksslcerts,v 1.8 2003-01-04 02:24:43 jonas Exp $
+# $Id: localmksslcerts,v 1.9 2004-05-04 19:43:36 jonas Exp $
 #
 # Generate certificates for mail (and other) servers
 # Based on uw-imapd-ssl post-install script
 #
-# TODO: Check if /etc/ssl/{certs,private}/cacert.pem exists and instead
-# create /etc/ssl/{certs,private}/.pem and symlink to hash of
-# certificate and each of /etc/ssl/{certs,private}/.pem using
-# commands similar to these:
-#
-# openssl genrsa -out new.key
-# openssl req -new -key new.key -out new.csr
-# openssl x509 -req -days 365 -in new.csr -CA /etc/ssl/certs/cacert.pem -CAkey /etc/ssl/private/cacert.pem -CAcreateserial -out new.crt
-# ln -s new.crt `openssl x509 -hash -noout -in new.crt`.0
-# rm new.csr
-#
 # TODO: Use getopts prg=$(basename $0)
-copyright="(C) 2001-2002 Jonas Smedegaard "
+copyright="(C) 2001-2004 Jonas Smedegaard "
 
 usage() {
 echo "$prg, $copyright
@@ -40,6 +29,8 @@ Options:
 --daemon Daemon(s) in need for a certificate (separate certificate is generated for each daemon) --issuer Email address of the person responsible for the certificate + --cert Use certified host certificate + --cacert CAcert used for creating missing host certificate -f, --force Force overwriting existing certificate -h, --help This help text 
@@ -61,6 +52,8 @@ ou=''
 daemon=''
 daemons=''
 issuer=''
+cert=''
+cacert=''
 force=''
 args=''
 while [ $# -gt 0 ]; do
@@ -74,6 +67,8 @@ while [ $# -gt 0 ]; do
 --ou) ou="$2"; doubleshift=1;;
 --daemon) daemons="$daemons$2 "; doubleshift=1;;
 --issuer) issuer="$2"; doubleshift=1;;
+ --cert) cert=1;;
+ --cacert) cacert="$2"; doubleshift=1;;
 --force|-f) force=1;;
 -*) usage;;
 *) args="$args$1 ";;
@@ -82,7 +77,7 @@ while [ $# -gt 0 ]; do
 if [ $# -gt 1 ]; then
 shift
 else
-echo "Missing parameter for option \"$1\"!"
+echo "ERROR: Parameter for option \"$1\" missing!"
 usage
 fi
 fi
@@ -91,13 +86,13 @@ done
 set -- $args if [ -z "$issuer" ]; then -DOMAINNAME=`hostname -d` +DOMAINNAME="`hostname -d`" ISSUER="postmaster@$DOMAINNAME" fi if [ -z "$fqdn" ]; then if [ $# -gt 0 ]; then -fqdn=`hostname -f` +fqdn="`hostname -f`" else echo "Too few parameters!" usage 
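Review bot: The default issuer computed in this hunk appears never to reach the certificate: the guard tests the lowercase `$issuer`, but the fallback assigns the uppercase `ISSUER="postmaster@$DOMAINNAME"`, and both `openssl req` heredocs in the following hunk feed `$issuer`, so when --issuer is omitted the email line of the request is empty (unless ISSUER is read somewhere outside the diff). The one-line fix is `issuer="postmaster@$DOMAINNAME"`. The quotes added around the `hostname` substitutions are the right idea; the same is still missing where `$fqdn` and the user-supplied `$cacert` are spliced into /etc/ssl paths in the next hunk.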
@@ -106,29 +101,87 @@ fi for val in org ou; do if eval [ -z "\$$val" ]; then - eval $val=$fqdn + eval "$val=\"$fqdn\"" fi done for val in cn state loc; do if eval [ -z "\$$val" ]; then - eval $val="." + eval "$val=\".\"" fi done +if [ -n "$cert" ]; then + if [ ! -f /etc/ssl/certs/$fqdn.pem -o ! -f /etc/ssl/private/$fqdn.pem ]; then + if [ -z "$cacert" ]; then + echo "ERROR: Host certificate for \"$fqdn\" missing!" + exit 1 + fi + if [ ! -r /etc/ssl/certs/$cacert.pem -o ! -r /etc/ssl/private/$cacert.pem ]; then +#FIXME: Generate CAcert if --mkcacert is provided + echo "ERROR: CAcert (certifying authority certificate) missing!" + exit 1 + fi + echo "Generating host certificate for \"$fqdn\"..." + for file in /etc/ssl/private/$fqdn.pem /etc/ssl/certs/$fqdn.csr /etc/ssl/certs/$fqdn.pem; do + if [ -e $file ]; then + echo "ERROR: File $file already exists!" + exit 1 + fi + done + # Generate host certificate (private key) + cd /etc/ssl/private + openssl genrsa -out $fqdn.pem + ln -sf $fqdn.pem `openssl x509 -noout -hash -in $fqdn.pem`.0 + chown root:root $fqdn.pem + chmod 0600 $fqdn.pem + # Generate and fill-out certification request for host certificate + cd /etc/ssl/certs + openssl req -new \ + -key /etc/ssl/private/$daemon.pem \ + -out $daemon.csr > /dev/null 2>&1 <<+ +$cn +$state +$loc +$org +$ou +$fqdn +$issuer ++ + # Authorize certification request (= public part of certificate) + openssl x509 -req \ + -days $DAYS2EXPIRE \ + -CA /etc/ssl/certs/$cacert.pem \ + -CAkey /etc/ssl/private/$cacert.pem \ + -CAcreateserial -out $daemon.pem -in new.csr + rm new.csr + fi +fi + cd /etc/ssl/certs for daemon in $daemons $@; do if [ -f $daemon.pem ]; then - if [ -n $force ]; then + if [ -n "$force" ]; then rm -f `openssl x509 -noout -hash < $daemon.pem`.0 rm -f $daemon.pem else - echo "You already have /etc/ssl/certs/$daemon.pem - exiting...!" 
- exit 1 + echo "Ignoring certificate (/etc/ssl/certs/$daemon.pem already exists...)" + continue fi fi - echo -n "Generating $daemon certificate..." - openssl req -new -x509 -nodes -out $daemon.pem -keyout $daemon.pem -days $DAYS2EXPIRE > /dev/null 2>&1 <<+ + if [ -n "$cert" ]; then + echo "Attaching $daemon to certified certificate for $fqdn." + ln -sf $fqdn.pem $daemon.pem + ( + cd /etc/ssl/private + ln -sf $fqdn.pem $daemon.pem + ) + else + echo -n "Generating self-certifying $daemon certificate..." + openssl req -new -x509 -nodes \ + -days $DAYS2EXPIRE \ + -keyout $daemon.pem \ + -out $daemon.pem > /dev/null 2>&1 <<+ $cn $state $loc @@ -137,11 +190,11 @@ $ou $fqdn $issuer + - ln -sf $daemon.pem `openssl x509 -noout -hash < $daemon.pem`.0 - echo "Done!" - - chown root.root /etc/ssl/certs/$daemon.pem - chmod 0640 /etc/ssl/certs/$daemon.pem + ln -sf $daemon.pem `openssl x509 -noout -hash -in $daemon.pem`.0 + chown root:root $daemon.pem + chmod 0640 $daemon.pem + echo "Done!" + fi done cd $CWD -- cgit v1.2.3
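Review bot: The certified-host block added in this hunk cannot produce a usable certificate as written: `openssl req -new -key /etc/ssl/private/$daemon.pem -out $daemon.csr` runs before the `for daemon in` loop, while `daemon` still holds the empty string it was initialised with earlier in the diff, and the signing step then reads `-in new.csr` and removes `new.csr` (names carried over from the removed TODO sketch), so the request is written to `.csr` and never consumed — every `$daemon` in that block should be `$fqdn`, and the CSR should be `$fqdn.csr` throughout. The hash link is also attached to the wrong file: `openssl x509 -noout -hash -in $fqdn.pem` is run in /etc/ssl/private on the private key just generated, which is not a certificate and does not parse as one, while the signed certificate in /etc/ssl/certs (and the per-daemon links to it made in the loop) never gets a `.0` hash link. On key handling, `openssl genrsa -out $fqdn.pem` creates the key under the caller's umask and only tightens it with `chmod 0600` afterwards, and it passes no key size, so the strength depends on the installed openssl's default; generating under `umask 077` with an explicit size (2048 below is a constructed example) and quoting `$fqdn`/`$cacert` in the paths closes both gaps. The rewritten lines below replace the block from the private-key generation through `rm new.csr`; the surrounding `if [ -n "$cert" ]` and the existence loop are unchanged.
```sh
  # Generate host certificate (private key): create it under a restrictive
  # umask so it is never readable by others, and name the key size explicitly
  cd /etc/ssl/private || exit 1
  ( umask 077 && openssl genrsa -out "$fqdn.pem" 2048 ) || exit 1
  chown root:root "$fqdn.pem"
  chmod 0600 "$fqdn.pem"
  # Generate and fill-out certification request for host certificate
  cd /etc/ssl/certs || exit 1
  openssl req -new \
    -key "/etc/ssl/private/$fqdn.pem" \
    -out "$fqdn.csr" > /dev/null 2>&1 <<+
# … unchanged: heredoc body ($cn … $issuer) and its + terminator …
  # Authorize certification request (= public part of certificate)
  openssl x509 -req \
    -days "$DAYS2EXPIRE" \
    -CA "/etc/ssl/certs/$cacert.pem" \
    -CAkey "/etc/ssl/private/$cacert.pem" \
    -CAcreateserial -out "$fqdn.pem" -in "$fqdn.csr" || exit 1
  # The hash link belongs next to the certificate, not the private key
  ln -sf "$fqdn.pem" "$(openssl x509 -noout -hash -in "$fqdn.pem").0"
  rm -f "$fqdn.csr"
```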