From 7f947e04e2a8c7dcfbfe36aeec52af5caf58ff05 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Tue, 18 Oct 2005 12:32:02 +0000
Subject: Remaining openssl routines as functions. Use SSLKEYDIR (not SSLPRIVDIR).
---
 localmksslcerts | 123 ++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 76 insertions(+), 47 deletions(-)
(limited to 'localmksslcerts')
diff --git a/localmksslcerts b/localmksslcerts
index 12198f1..bf65432 100755
--- a/localmksslcerts
+++ b/localmksslcerts
@@ -3,7 +3,7 @@
 # /usr/local/sbin/localmksslcerts
 # Copyright 2001-2004 Jonas Smedegaard
 #
-# $Id: localmksslcerts,v 1.19 2005-10-18 00:24:33 jonas Exp $
+# $Id: localmksslcerts,v 1.20 2005-10-18 12:32:02 jonas Exp $
 #
 # Generate certificates for mail (and other) servers
 # Based on uw-imapd-ssl post-install script
@@ -21,7 +21,7 @@ copyright="(C) 2001-2004 Jonas Smedegaard "
 PATH="$PATH:/usr/bin/ssl"
 DAYS2EXPIRE="365"
 SSLCERTDIR="/etc/ssl/certs"
-SSLPRIVDIR="/etc/ssl/private"
+SSLKEYDIR="/etc/ssl/private"
 
 usage() {
 echo "$prg, $copyright
@@ -74,13 +74,7 @@ mkcerthash() {
 
 mkselfcert() {
 filebase="$1"
- cn="$2"
- state="$3"
- loc="$4"
- org="$5"
- ou="$6"
- fqdn="$7"
- issuer="$8"
+ domain="$2"
 filename="$filebase.pem"
 openssl req -new -x509 -nodes \
 -days "$DAYS2EXPIRE" \
@@ -91,7 +85,7 @@ $state
 $loc
 $org
 $ou
-$fqdn
+$domain
 $issuer
 +
 mkcerthash "$filebase"
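Review bot: mkselfcert still feeds `$cn`, `$state`, `$loc`, `$org`, `$ou` and `$issuer` to the openssl here-document, but with the `cn="$2"` … `issuer="$8"` assignments removed those names are now read from whatever the script set at top level (the `cn=''`/`state=''` initialisations visible in the next hunk) instead of from the caller, and the new two-argument signature gives no hint of that. A short header comment would make the contract visible, e.g. `# mkselfcert <filebase> <domain>: reads cn, state, loc, org, ou, issuer and DAYS2EXPIRE from script-level variables`. The same applies to mkcertreq in the -99 hunk, where the identical parameter block is dropped. mkselfcert's body continues outside the hunk (the lines between the `-days` option and `$loc` are not shown).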
@@ -99,31 +93,69 @@ $issuer
 chmod 0640 "$SSLCERTDIR/$filename"
 }
 
+mkkey() {
+ filebase="$1"
+ openssl genrsa \
+ -out "$SSLKEYDIR/$filename"
+ chown root:root "$SSLKEYDIR/$filename"
+ chmod 0600 "$SSLKEYDIR/$filename"
+}
+
 mkcertreq() {
 filebase="$1"
- cn="$2"
- state="$3"
- loc="$4"
- org="$5"
- ou="$6"
- fqdn="$7"
- issuer="$8"
+ domain="$2"
 filename="$filebase.pem"
 openssl req -new \
- -key "$SSLPRIVDIR/$filename" \
+ -key "$SSLKEYDIR/$filename" \
 -out "$SSLCERTDIR/$filename" > /dev/null 2>&1 <<+
 $cn
 $state
 $loc
 $org
 $ou
-$fqdn
+$domain
 $issuer
 +
 chown root:root "$SSLCERTDIR/$filename"
 chmod 0640 "$SSLCERTDIR/$filename"
 }
 
+mkselfcacert() {
+ filebase="$1"
+ domain="$2"
+ cacert="$3"
+ filename="$filebase.pem"
+ reqfilename="$filebase.csr"
+ cafilename="$cacert.pem"
+ openssl x509 -req \
+ -days $DAYS2EXPIRE \
+ -CA "$SSLCERTDIR/$cafilename" \
+ -CAkey "$SSLKEYDIR/$cafilename" \
+ -CAcreateserial \
+ -in "$SSLCERTDIR/$reqfilename" \
+ -out "$SSLCERTDIR/$filename"
+}
+
+mkcacert() {
+ filebase="$1"
+ filename="$filebase.pem"
+#FIXME: Make strength configurable
+ openssl genrsa -des3 \
+ -out "$SSLKEYDIR/$filename" 1024
+ chown root:root "$SSLKEYDIR/$filename"
+ chmod 0400 "$SSLKEYDIR/$filename"
+ # Generate and pre-fill certification request
+#FIXME: Make validity configurable
+ openssl req -new \
+ -key "$SSLKEYDIR/$filename" \
+ -x509 -days 1095 \
+ -out "$SSLCERTDIR/$filename"
+ # Add hash to certified public certificate and cleanup
+ mkcerthash "$cacert"
+ chown root:root "$SSLCERTDIR/$filename"
+ chmod 0640 "$SSLCERTDIR/$filename"
+}
+
 fqdn=''
 cn=''
 state=''
@@ -146,6 +178,8 @@ if [ $? != 0 ] ; then echo "Terminating..." >&2 ; exit 1 ; fi
 
 eval set -- "$TEMP"
 
+# TODO: Redesign to a case of selfcert, selfca or ca
+
 while true ; do
 case "$1" in
 --help) usage;;
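Review bot: mkkey assigns `filebase="$1"` but never sets `filename`, yet every command in it writes `"$SSLKEYDIR/$filename"`; nothing in the hunk declares the variable local, so the key is generated into whichever path the previously called function left in `$filename`. In the caller shown in the -218 hunk, `mkcacert "$cacert"` (which sets `filename="$filebase.pem"`) runs right before `mkkey "$fqdn"`, so the unencrypted host key would be written over the CA key file and its mode changed to 0600, after which `mkcertreq "$fqdn"` looks for a key that was never created; when the CA branch is skipped the variable is presumably empty and the write goes to `$SSLKEYDIR/` itself. The missing line is `filename="$filebase.pem"` directly after `filebase="$1"`, as the other three functions do. Two smaller points: mkcacert hashes `mkcerthash "$cacert"` instead of `"$filebase"`, making it the only function here that depends on the caller's variable rather than its own argument, and mkselfcacert leaves `$DAYS2EXPIRE` unquoted in `-days $DAYS2EXPIRE` while mkselfcert quotes it.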
@@ -193,14 +227,14 @@ for val in cn state loc; do
 done
 
 if [ -n "$cert" ]; then
- if [ ! -s "$SSLCERTDIR/$fqdn.pem" ] || [ ! -s "$SSLPRIVDIR/$fqdn.pem" ]; then
+ if [ ! -s "$SSLCERTDIR/$fqdn.pem" ] || [ ! -s "$SSLKEYDIR/$fqdn.pem" ]; then
 echo "WARNING: Host certificate for \"$fqdn\" missing..."
 if [ -z "$cacert" ]; then
 echo "ERROR: The \"--cacert\" option is required when making a host certificate!"
 exit 1
 fi
 # Cleaning up - if allowed
- for file in "$SSLPRIVDIR/$fqdn.pem" "$SSLCERTDIR/$fqdn.csr" "$SSLCERTDIR/$fqdn.pem"; do
+ for file in "$SSLKEYDIR/$fqdn.pem" "$SSLCERTDIR/$fqdn.csr" "$SSLCERTDIR/$fqdn.pem"; do
 if [ -e "$file" ]; then
 if [ -n "$force" ]; then
 rm -f "$file"
@@ -210,7 +244,7 @@ if [ -n "$cert" ]; then
 fi
 fi
 done
- if [ ! -s "$SSLCERTDIR/$cacert.pem" ] || [ ! -s "$SSLPRIVDIR/$cacert.pem" ]; then
+ if [ ! -s "$SSLCERTDIR/$cacert.pem" ] || [ ! -s "$SSLKEYDIR/$cacert.pem" ]; then
 echo "WARNING: CAcert (certifying authority certificate) missing..."
 if [ -z "$makeca" ]; then
 echo "ERROR: The \"--makeca\" option is required when making a CAcert!"
@@ -218,34 +252,29 @@ if [ -n "$cert" ]; then
 fi
 # Generate private key for CA certificate
 echo "Generating CAcert \"$cacert\"..."
-#FIXME: Make strength configurable
- openssl genrsa -des3 -out "$SSLPRIVDIR/$cacert.pem" 1024
- chown root:root "$SSLPRIVDIR/$cacert.pem"
- chmod 0400 "$SSLPRIVDIR/$cacert.pem"
- # Generate and pre-fill certification request
-#FIXME: Make validity configurable
- openssl req -new \
- -key "$SSLPRIVDIR/$cacert.pem" \
- -x509 -days 1095 \
- -out "$SSLCERTDIR/$cacert.pem"
- # Add hash to certified public certificate and cleanup
- mkcerthash $cacert
+ mkcacert "$cacert"
 fi
 echo "Generating host certificate for \"$fqdn\"..."
 # Generate private key for host certificate
- openssl genrsa -out "$SSLPRIVDIR/$fqdn.pem"
- chown root:root "$SSLPRIVDIR/$fqdn.pem"
- chmod 0600 "$SSLPRIVDIR/$fqdn.pem"
+ mkkey "$fqdn"
 # Generate and pre-fill certification request
- mkcertreq "$fqdn" "$cn" "$state" "$loc" "$org" "$ou" "$fqdn" "$issuer"
- # Generate public certificate from certification request
- openssl x509 -req \
- -days $DAYS2EXPIRE \
- -CA "$SSLCERTDIR/$cacert.pem" \
- -CAkey "$SSLPRIVDIR/$cacert.pem" \
- -CAcreateserial -out "$SSLCERTDIR/$fqdn.pem" -in "$SSLCERTDIR/$fqdn.csr"
+ mkcertreq "$fqdn" "$fqdn"
+ if [ -n "$cacert" ]; then
+ # Generate public certificate from certification request
+ mkselfcacert "$fqdn" "$fqdn" "$cacert"
+ elif [ ! -f "$SSLCERTDIR/$fqdn.pem" ]; then
+ echo "Certificate request generated: $SSLCERTDIR/$fqdn.csr"
+ echo "Now pass the request to you certificate authority, save their"
+ echo "provided certificate as \"$SSLCERTDIR/$fqdn.pem\","
+ echo "and run this script with same options again."
+ exit 0
+ fi
+ if [ ! -f "$SSLCERTDIR/$fqdn.pem" ]; then
+ echo "ERROR: certificate "$SSLCERTDIR/$fqdn.pem" not found!"
+ exit 1
+ fi
 # Add hash to certified public certificate and cleanup
- mkcerthash $fqdn
+ mkcerthash "$fqdn"
 rm "$SSLCERTDIR/$fqdn.csr"
 fi
 fi
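Review bot: The error line `echo "ERROR: certificate "$SSLCERTDIR/$fqdn.pem" not found!"` has its inner quotes unescaped, so the string closes before the path and the quote characters never reach the message; it should read `echo "ERROR: certificate \"$SSLCERTDIR/$fqdn.pem\" not found!"`. The `elif [ ! -f … ]` branch that prints the request and exits 0 only runs when `$cacert` is empty, but the enclosing block (it starts in the -193 hunk, outside this one) already exits 1 when `--cacert` is absent, so as far as the visible lines show that branch cannot be reached until the redesign the new TODO announces; a one-line comment saying so would stop a reader from relying on it. The message text also has `to you certificate authority` where `to your` is meant. The enclosing `if [ -n "$cert" ]` block begins before this hunk.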
@@ -263,10 +292,10 @@ for daemon in $daemons $@; do
 if [ -n "$cert" ]; then
 echo "Attaching $daemon to certified certificate for $fqdn."
 ln -sf "$fqdn.pem" "$SSLCERTDIR/$daemon.pem"
- ln -sf "$fqdn.pem" "$SSLPRIVDIR/$daemon.pem"
+ ln -sf "$fqdn.pem" "$SSLKEYDIR/$daemon.pem"
 else
 echo -n "Generating self-certifying $daemon certificate..."
- mkselfcert "$daemon" "$cn" "$state" "$loc" "$org" "$ou" "$fqdn" "$issuer"
+ mkselfcert "$daemon" "$fqdn"
 echo "Done!"
 fi
 done
-- 
cgit v1.2.3