]> jfr.im git - vpn-prov.git/blob - easy-rsa/pkitool
projects / vpn-prov.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
init
[vpn-prov.git] / easy-rsa / pkitool
1 #!/bin/sh
2
3 # OpenVPN -- An application to securely tunnel IP networks
4 # over a single TCP/UDP port, with support for SSL/TLS-based
5 # session authentication and key exchange,
6 # packet encryption, packet authentication, and
7 # packet compression.
8 #
9 # Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License version 2
13 # as published by the Free Software Foundation.
14 #
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
19 #
20 # You should have received a copy of the GNU General Public License
21 # along with this program (see the file COPYING included with this
22 # distribution); if not, write to the Free Software Foundation, Inc.,
23 # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24
25 # pkitool is a front-end for the openssl tool.
26
27 # Calling scripts can set the certificate organizational
28 # unit with the KEY_OU environmental variable.
29
30 # Calling scripts can also set the KEY_NAME environmental
31 # variable to set the "name" X509 subject field.
32
33 PROGNAME=pkitool
34 VERSION=2.0
35 DEBUG=0
36
37 die()
38 {
39 local m="$1"
40
41 echo "$m" >&2
42 exit 1
43 }
44
45 need_vars()
46 {
47 cat <<EOM
48 Please edit the vars script to reflect your configuration,
49 then source it with "source ./vars".
50 Next, to start with a fresh PKI configuration and to delete any
51 previous certificates and keys, run "./clean-all".
52 Finally, you can run this tool ($PROGNAME) to build certificates/keys.
53 EOM
54 }
55
56 usage()
57 {
58 cat <<EOM
59 $PROGNAME $VERSION
60 Usage: $PROGNAME [options...] [common-name]
61
62 Options:
63 --batch : batch mode (default)
64 --keysize : Set keysize
65 size : size (default=1024)
66 --interact : interactive mode
67 --server : build server cert
68 --initca : build root CA
69 --inter : build intermediate CA
70 --pass : encrypt private key with password
71 --csr : only generate a CSR, do not sign
72 --sign : sign an existing CSR
73 --pkcs12 : generate a combined PKCS#12 file
74 --pkcs11 : generate certificate on PKCS#11 token
75 lib : PKCS#11 library
76 slot : PKCS#11 slot
77 id : PKCS#11 object id (hex string)
78 label : PKCS#11 object label
79
80 Standalone options:
81 --pkcs11-slots : list PKCS#11 slots
82 lib : PKCS#11 library
83 --pkcs11-objects : list PKCS#11 token objects
84 lib : PKCS#11 library
85 slot : PKCS#11 slot
86 --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!
87 lib : PKCS#11 library
88 slot : PKCS#11 slot
89 label : PKCS#11 token label
90
91 Notes:
92 EOM
93 need_vars
94 cat <<EOM
95 In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
96
97 Generated files and corresponding OpenVPN directives:
98 (Files will be placed in the \$KEY_DIR directory, defined in ./vars)
99 ca.crt -> root certificate (--ca)
100 ca.key -> root key, keep secure (not directly used by OpenVPN)
101 .crt files -> client/server certificates (--cert)
102 .key files -> private keys, keep secure (--key)
103 .csr files -> certificate signing request (not directly used by OpenVPN)
104 dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
105
106 Examples:
107 $PROGNAME --initca -> Build root certificate
108 $PROGNAME --initca --pass -> Build root certificate with password-protected key
109 $PROGNAME --server server1 -> Build "server1" certificate/key
110 $PROGNAME client1 -> Build "client1" certificate/key
111 $PROGNAME --pass client2 -> Build password-protected "client2" certificate/key
112 $PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format
113 $PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA
114 $PROGNAME --sign client4 -> Sign "client4" CSR
115 $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key
116 Also see ./inherit-inter script.
117 $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
118 -> Build "client5" certificate/key in PKCS#11 token
119
120 Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
121 Protect client2 key with a password. Build DH parms. Generated files in ./keys :
122 [edit vars with your site-specific info]
123 source ./vars
124 ./clean-all
125 ./build-dh -> takes a long time, consider backgrounding
126 ./$PROGNAME --initca
127 ./$PROGNAME --server myserver
128 ./$PROGNAME client1
129 ./$PROGNAME --pass client2
130
131 Typical usage for adding client cert to existing PKI:
132 source ./vars
133 ./$PROGNAME client-new
134 EOM
135 }
136
137 # Set tool defaults
138 [ -n "$OPENSSL" ] || export OPENSSL="openssl"
139 [ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
140 [ -n "$GREP" ] || export GREP="grep"
141
142 # Set defaults
143 DO_REQ="1"
144 REQ_EXT=""
145 DO_CA="1"
146 CA_EXT=""
147 DO_P12="0"
148 DO_P11="0"
149 DO_ROOT="0"
150 NODES_REQ="-nodes"
151 NODES_P12=""
152 BATCH="-batch"
153 CA="ca"
154 # must be set or errors of openssl.cnf
155 PKCS11_MODULE_PATH="dummy"
156 PKCS11_PIN="dummy"
157
158 # Process options
159 while [ $# -gt 0 ]; do
160 case "$1" in
161 --keysize ) KEY_SIZE=$2
162 shift;;
163 --server ) REQ_EXT="$REQ_EXT -extensions server"
164 CA_EXT="$CA_EXT -extensions server" ;;
165 --batch ) BATCH="-batch" ;;
166 --interact ) BATCH="" ;;
167 --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
168 --initca ) DO_ROOT="1" ;;
169 --pass ) NODES_REQ="" ;;
170 --csr ) DO_CA="0" ;;
171 --sign ) DO_REQ="0" ;;
172 --pkcs12 ) DO_P12="1" ;;
173 --pkcs11 ) DO_P11="1"
174 PKCS11_MODULE_PATH="$2"
175 PKCS11_SLOT="$3"
176 PKCS11_ID="$4"
177 PKCS11_LABEL="$5"
178 shift 4;;
179
180 # standalone
181 --pkcs11-init)
182 PKCS11_MODULE_PATH="$2"
183 PKCS11_SLOT="$3"
184 PKCS11_LABEL="$4"
185 if [ -z "$PKCS11_LABEL" ]; then
186 die "Please specify library name, slot and label"
187 fi
188 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
189 --label "$PKCS11_LABEL" &&
190 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
191 exit $?;;
192 --pkcs11-slots)
193 PKCS11_MODULE_PATH="$2"
194 if [ -z "$PKCS11_MODULE_PATH" ]; then
195 die "Please specify library name"
196 fi
197 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
198 exit 0;;
199 --pkcs11-objects)
200 PKCS11_MODULE_PATH="$2"
201 PKCS11_SLOT="$3"
202 if [ -z "$PKCS11_SLOT" ]; then
203 die "Please specify library name and slot"
204 fi
205 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
206 exit 0;;
207
208 --help|--usage)
209 usage
210 exit ;;
211 --version)
212 echo "$PROGNAME $VERSION"
213 exit ;;
214 # errors
215 --* ) die "$PROGNAME: unknown option: $1" ;;
216 * ) break ;;
217 esac
218 shift
219 done
220
221 if ! [ -z "$BATCH" ]; then
222 if $OPENSSL version | grep 0.9.6 > /dev/null; then
223 die "Batch mode is unsupported in openssl<0.9.7"
224 fi
225 fi
226
227 if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
228 die "PKCS#11 and PKCS#12 cannot be specified together"
229 fi
230
231 if [ $DO_P11 -eq 1 ]; then
232 if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
233 die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
234 fi
235 fi
236
237 # If we are generating pkcs12, only encrypt the final step
238 if [ $DO_P12 -eq 1 ]; then
239 NODES_P12="$NODES_REQ"
240 NODES_REQ="-nodes"
241 fi
242
243 if [ $DO_P11 -eq 1 ]; then
244 if [ -z "$PKCS11_LABEL" ]; then
245 die "PKCS#11 arguments incomplete"
246 fi
247 fi
248
249 # If undefined, set default key expiration intervals
250 if [ -z "$KEY_EXPIRE" ]; then
251 KEY_EXPIRE=3650
252 fi
253 if [ -z "$CA_EXPIRE" ]; then
254 CA_EXPIRE=3650
255 fi
256
257 # Set organizational unit to empty string if undefined
258 if [ -z "$KEY_OU" ]; then
259 KEY_OU=""
260 fi
261
262 # Set X509 Name string to empty string if undefined
263 if [ -z "$KEY_NAME" ]; then
264 KEY_NAME=""
265 fi
266
267 # Set KEY_CN, FN
268 if [ $DO_ROOT -eq 1 ]; then
269 if [ -z "$KEY_CN" ]; then
270 if [ "$1" ]; then
271 KEY_CN="$1"
272 elif [ "$KEY_ORG" ]; then
273 KEY_CN="$KEY_ORG CA"
274 fi
275 fi
276 if [ $BATCH ] && [ "$KEY_CN" ]; then
277 echo "Using CA Common Name:" "$KEY_CN"
278 fi
279 FN="$KEY_CN"
280 elif [ $BATCH ] && [ "$KEY_CN" ]; then
281 echo "Using Common Name:" "$KEY_CN"
282 FN="$KEY_CN"
283 if [ "$1" ]; then
284 FN="$1"
285 fi
286 else
287 if [ $# -ne 1 ]; then
288 usage
289 exit 1
290 else
291 KEY_CN="$1"
292 fi
293 FN="$KEY_CN"
294 fi
295
296 export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
297
298 # Show parameters (debugging)
299 if [ $DEBUG -eq 1 ]; then
300 echo DO_REQ $DO_REQ
301 echo REQ_EXT $REQ_EXT
302 echo DO_CA $DO_CA
303 echo CA_EXT $CA_EXT
304 echo NODES_REQ $NODES_REQ
305 echo NODES_P12 $NODES_P12
306 echo DO_P12 $DO_P12
307 echo KEY_CN $KEY_CN
308 echo BATCH $BATCH
309 echo DO_ROOT $DO_ROOT
310 echo KEY_EXPIRE $KEY_EXPIRE
311 echo CA_EXPIRE $CA_EXPIRE
312 echo KEY_OU $KEY_OU
313 echo KEY_NAME $KEY_NAME
314 echo DO_P11 $DO_P11
315 echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
316 echo PKCS11_SLOT $PKCS11_SLOT
317 echo PKCS11_ID $PKCS11_ID
318 echo PKCS11_LABEL $PKCS11_LABEL
319 fi
320
321 # Make sure ./vars was sourced beforehand
322 if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
323 cd "$KEY_DIR"
324
325 # Make sure $KEY_CONFIG points to the correct version
326 # of openssl.cnf
327 if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
328 :
329 else
330 echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
331 echo "version of openssl.cnf: $KEY_CONFIG"
332 echo "The correct version should have a comment that says: easy-rsa version 2.x";
333 exit 1;
334 fi
335
336 # Build root CA
337 if [ $DO_ROOT -eq 1 ]; then
338 $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
339 -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
340 chmod 0600 "$CA.key"
341 else
342 # Make sure CA key/cert is available
343 if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
344 if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
345 echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
346 echo "Try $PROGNAME --initca to build a root certificate/key."
347 exit 1
348 fi
349 fi
350
351 # Generate key for PKCS#11 token
352 PKCS11_ARGS=
353 if [ $DO_P11 -eq 1 ]; then
354 stty -echo
355 echo -n "User PIN: "
356 read -r PKCS11_PIN
357 stty echo
358 export PKCS11_PIN
359
360 echo "Generating key pair on PKCS#11 token..."
361 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
362 --login --pin "$PKCS11_PIN" \
363 --key-type rsa:1024 \
364 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
365 PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
366 fi
367
368 # Build cert/key
369 ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
370 -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
371 ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
372 -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
373 ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
374 -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
375 ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
376 ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
377
378 # Load certificate into PKCS#11 token
379 if [ $DO_P11 -eq 1 ]; then
380 $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
381 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
382 --login --pin "$PKCS11_PIN" \
383 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
384 [ -e "$FN.crt.der" ]; rm "$FN.crt.der"
385 fi
386
387 fi
388
389 # Need definitions
390 else
391 need_vars
392 fi
OpenVPN auto-provisioning