path: root/localmksslcerts

#!/bin/sh
#
# /usr/local/sbin/localmksslcerts
# Copyright 2001-2004 Jonas Smedegaard <dr@jones.dk>
#
# $Id: localmksslcerts,v 1.19 2005-10-18 00:24:33 jonas Exp $
#
# Generate certificates for mail (and other) servers
# Based on uw-imapd-ssl post-install script
#
# TODO: Use getopts
# TODO: Add symlink from CA certificate to cacert.pem if non-existing
# TODO: Default CA certificate is cacert.pem if --cacert not set

set -e

prg=$(basename $0)
copyright="(C) 2001-2004 Jonas Smedegaard <dr@jones.dk>"

# Set some defaults
PATH="$PATH:/usr/bin/ssl"
DAYS2EXPIRE="365"
SSLCERTDIR="/etc/ssl/certs"
SSLPRIVDIR="/etc/ssl/private"

usage() {
echo "$prg, $copyright

Usage: $prg [--fqdn <FQDN>] [...] --daemon <daemon> [...] [--force]
   or: $prg <daemon> [<daemon>...] [-f]

Options:
      --fqdn <FQDN>         Fully Qualified Domain Name for this host.
      --cn <country>        Country Name (2 letter code)
      --state <state>       State or Province Name (full name)
      --loc <locality>      Locality Name (eg, city)
      --org <organisation>  Organisation/company
      --ou <department>     Organisational unit/department
      --daemon <daemon>     Daemon(s) in need for a certificate
                            (certificate is generated for each daemon)
      --issuer <issuer>     Email address of entity issuing certificate
      --cert                Use certified host certificate
      --cacert <file>       Where to store host certificate if missing
      --makeca              Create CA certificate if missing
  -f, --force               Force overwriting existing certificate(s)
  -h, --help                This help text

Examples:

    Create certs for UW imapd/popd, bound to default host cert if there:
    localmksslcerts imapd pop3d

    Create host cert for non-default hostname, overwriting stray files:
    localmksslcerts --fqdn mail.jones.dk --cert --force

    Create host cert for non-default hostname and bind to UW daemons:
    localmksslcerts --fqdn mail.jones.dk --cert --force imapd pop3d

    Create CA-signed host cert (and CA cert if not there):
    localmksslcerts --cert --cacert IT-guide_dr_Jones_CA


If issuer is not given, \"postmaster@<localdomain>\" is used."
exit 1
}

mkcerthash() {
    filebase="$1"
    filename="$filebase.pem"
    certhash="$(openssl x509 -noout -hash -in "$SSLCERTDIR/$filename")"
    hashfile="$certhash.0"
    ln -sf "$filename" "$SSLCERTDIR/$hashfile"
}

mkselfcert() {
    filebase="$1"
    cn="$2"
    state="$3"
    loc="$4"
    org="$5"
    ou="$6"
    fqdn="$7"
    issuer="$8"
    filename="$filebase.pem"
    openssl req -new -x509 -nodes \
        -days "$DAYS2EXPIRE" \
        -keyout "$SSLCERTDIR/$filename" \
        -out "$SSLCERTDIR/$filename" > /dev/null 2>&1 <<+
$cn
$state
$loc
$org
$ou
$fqdn
$issuer
+
    mkcerthash "$filebase"
    chown root:root "$SSLCERTDIR/$filename"
    chmod 0640 "$SSLCERTDIR/$filename"
}

mkcertreq() {
    filebase="$1"
    cn="$2"
    state="$3"
    loc="$4"
    org="$5"
    ou="$6"
    fqdn="$7"
    issuer="$8"
    filename="$filebase.pem"
    openssl req -new \
        -key "$SSLPRIVDIR/$filename" \
        -out "$SSLCERTDIR/$filename" > /dev/null 2>&1 <<+
$cn
$state
$loc
$org
$ou
$fqdn
$issuer
+
    chown root:root "$SSLCERTDIR/$filename"
    chmod 0640 "$SSLCERTDIR/$filename"
}

fqdn=''
cn=''
state=''
loc=''
org=''
ou=''
daemon=''
daemons=''
issuer=''
cert=''
cacert=''
makeca=''
force=''
args=''

TEMP=`getopt -o f --long help,fqdn:,cn:,state:,loc:,org:,ou:,daemon:,issuer:,cert,cacert:,makeca,force -n "$prg" -- "$@"`

# Check for non-GNU getopt
if [ $? != 0 ] ; then echo "Terminating..." >&2 ; exit 1 ; fi

eval set -- "$TEMP"

while true ; do
    case "$1" in
        --help)     usage;;
        --fqdn)     fqdn="$2"; shift 2;;
        --cn)       cn="$2"; shift 2;;
        --state)    state="$2"; shift 2;;
        --loc)      loc="$2"; shift 2;;
        --org)      org="$2"; shift 2;;
        --ou)       ou="$2"; shift 2;;
        --daemon)   daemons="$daemons$2 "; shift 2;;
        --issuer)   issuer="$2"; shift 2;;
        --cert)     cert=1; shift;;
        --cacert)   cacert="$2"; shift 2;;
        --makeca)   makeca=1; shift;;
        --force|-f) force=1; shift;;
        --)     shift; break;;
        *)      echo "Internal error!" ; exit 1 ;;
    esac
done

if [ -z "$issuer" ]; then
    DOMAINNAME="`hostname -d`"
    ISSUER="postmaster@$DOMAINNAME"
fi

if [ -z "$fqdn" ]; then
    if [ $# -gt 0 ]; then
    fqdn="`hostname -f`"
    else
    echo "Too few parameters!"
    usage
    fi
fi

for val in org ou; do
    if eval [ -z "\$$val" ]; then
        eval "$val=\"$fqdn\""
    fi
done

for val in cn state loc; do
    if eval [ -z "\$$val" ]; then
        eval "$val=\".\""
    fi
done

if [ -n "$cert" ]; then
    if [ ! -s "$SSLCERTDIR/$fqdn.pem" ] || [ ! -s "$SSLPRIVDIR/$fqdn.pem" ]; then
        echo "WARNING: Host certificate for \"$fqdn\" missing..."
        if [ -z "$cacert" ]; then
            echo "ERROR: The \"--cacert\" option is required when making a host certificate!"
            exit 1
        fi
        # Cleaning up - if allowed
        for file in "$SSLPRIVDIR/$fqdn.pem" "$SSLCERTDIR/$fqdn.csr" "$SSLCERTDIR/$fqdn.pem"; do
            if [ -e "$file" ]; then
                if [ -n "$force" ]; then
                    rm -f "$file"
                else
                    echo "ERROR: File \"$file\" already exists!"
                    exit 1
                fi
            fi
        done
        if [ ! -s "$SSLCERTDIR/$cacert.pem" ] || [ ! -s "$SSLPRIVDIR/$cacert.pem" ]; then
            echo "WARNING: CAcert (certifying authority certificate) missing..."
            if [ -z "$makeca" ]; then
                echo "ERROR: The \"--makeca\" option is required when making a CAcert!"
                exit 1
            fi
            # Generate private key for CA certificate
            echo "Generating CAcert \"$cacert\"..."
#FIXME: Make strength configurable
            openssl genrsa -des3 -out "$SSLPRIVDIR/$cacert.pem" 1024
            chown root:root "$SSLPRIVDIR/$cacert.pem"
            chmod 0400 "$SSLPRIVDIR/$cacert.pem"
            # Generate and pre-fill certification request
#FIXME: Make validity configurable
            openssl req -new \
                -key "$SSLPRIVDIR/$cacert.pem" \
                -x509 -days 1095 \
                -out "$SSLCERTDIR/$cacert.pem"
            # Add hash to certified public certificate and cleanup
            mkcerthash $cacert
        fi
        echo "Generating host certificate for \"$fqdn\"..."
        # Generate private key for host certificate
        openssl genrsa -out "$SSLPRIVDIR/$fqdn.pem"
        chown root:root "$SSLPRIVDIR/$fqdn.pem"
        chmod 0600 "$SSLPRIVDIR/$fqdn.pem"
        # Generate and pre-fill certification request
        mkcertreq "$fqdn" "$cn" "$state" "$loc" "$org" "$ou" "$fqdn" "$issuer"
        # Generate public certificate from certification request
        openssl x509 -req \
            -days $DAYS2EXPIRE \
            -CA "$SSLCERTDIR/$cacert.pem" \
            -CAkey "$SSLPRIVDIR/$cacert.pem" \
            -CAcreateserial -out "$SSLCERTDIR/$fqdn.pem" -in "$SSLCERTDIR/$fqdn.csr"
        # Add hash to certified public certificate and cleanup
        mkcerthash $fqdn
        rm "$SSLCERTDIR/$fqdn.csr"
    fi
fi

for daemon in $daemons $@; do
    if [ -f "$SSLCERTDIR/$daemon.pem" ]; then
        if [ -n "$force" ]; then
            rm -f "$SSLCERTDIR/$(openssl x509 -noout -hash < "$SSLCERTDIR/$daemon.pem").0"
            rm -f "$SSLCERTDIR/$daemon.pem"
        else
            echo "Ignoring certificate (/etc/ssl/certs/$daemon.pem already exists...)"
            continue
        fi
    fi
    if [ -n "$cert" ]; then
        echo "Attaching $daemon to certified certificate for $fqdn."
        ln -sf "$fqdn.pem" "$SSLCERTDIR/$daemon.pem"
        ln -sf "$fqdn.pem" "$SSLPRIVDIR/$daemon.pem"
    else
        echo -n "Generating self-certifying $daemon certificate..."
        mkselfcert "$daemon" "$cn" "$state" "$loc" "$org" "$ou" "$fqdn" "$issuer"
        echo "Done!"
    fi
done