]> jfr.im git - z_archive/vpsm.git/blob - devtemp/certs/pkitool
projects / z_archive / vpsm.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Adding start of SSL-certificate-stuff. easy-rsa
[z_archive/vpsm.git] / devtemp / certs / pkitool
1 #!/bin/sh
2
3 # OpenVPN -- An application to securely tunnel IP networks
4 # over a single TCP/UDP port, with support for SSL/TLS-based
5 # session authentication and key exchange,
6 # packet encryption, packet authentication, and
7 # packet compression.
8 #
9 # Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License version 2
13 # as published by the Free Software Foundation.
14 #
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
19 #
20 # You should have received a copy of the GNU General Public License
21 # along with this program (see the file COPYING included with this
22 # distribution); if not, write to the Free Software Foundation, Inc.,
23 # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24
25 # pkitool is a front-end for the openssl tool.
26
27 # Calling scripts can set the certificate organizational
28 # unit with the KEY_OU environmental variable.
29
30 # Calling scripts can also set the KEY_NAME environmental
31 # variable to set the "name" X509 subject field.
32
33 PROGNAME=pkitool
34 VERSION=2.0
35 DEBUG=0
36
37 die()
38 {
39 local m="$1"
40
41 echo "$m" >&2
42 exit 1
43 }
44
45 need_vars()
46 {
47 echo ' Please edit the vars script to reflect your configuration,'
48 echo ' then source it with "source ./vars".'
49 echo ' Next, to start with a fresh PKI configuration and to delete any'
50 echo ' previous certificates and keys, run "./clean-all".'
51 echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
52 }
53
54 usage()
55 {
56 echo "$PROGNAME $VERSION"
57 echo "Usage: $PROGNAME [options...] [common-name]"
58 echo "Options:"
59 echo " --batch : batch mode (default)"
60 echo " --keysize : Set keysize"
61 echo " size : size (default=1024)"
62 echo " --interact : interactive mode"
63 echo " --server : build server cert"
64 echo " --initca : build root CA"
65 echo " --inter : build intermediate CA"
66 echo " --pass : encrypt private key with password"
67 echo " --csr : only generate a CSR, do not sign"
68 echo " --sign : sign an existing CSR"
69 echo " --pkcs12 : generate a combined PKCS#12 file"
70 echo " --pkcs11 : generate certificate on PKCS#11 token"
71 echo " lib : PKCS#11 library"
72 echo " slot : PKCS#11 slot"
73 echo " id : PKCS#11 object id (hex string)"
74 echo " label : PKCS#11 object label"
75 echo "Standalone options:"
76 echo " --pkcs11-slots : list PKCS#11 slots"
77 echo " lib : PKCS#11 library"
78 echo " --pkcs11-objects : list PKCS#11 token objects"
79 echo " lib : PKCS#11 library"
80 echo " slot : PKCS#11 slot"
81 echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
82 echo " lib : PKCS#11 library"
83 echo " slot : PKCS#11 slot"
84 echo " label : PKCS#11 token label"
85 echo "Notes:"
86 need_vars
87 echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
88 echo "Generated files and corresponding OpenVPN directives:"
89 echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
90 echo " ca.crt -> root certificate (--ca)"
91 echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
92 echo " .crt files -> client/server certificates (--cert)"
93 echo " .key files -> private keys, keep secure (--key)"
94 echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
95 echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
96 echo "Examples:"
97 echo " $PROGNAME --initca -> Build root certificate"
98 echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
99 echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
100 echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
101 echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
102 echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
103 echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
104 echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
105 echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
106 echo " Also see ./inherit-inter script."
107 echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
108 echo " -> Build \"client5\" certificate/key in PKCS#11 token"
109 echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
110 echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
111 echo " [edit vars with your site-specific info]"
112 echo " source ./vars"
113 echo " ./clean-all"
114 echo " ./build-dh -> takes a long time, consider backgrounding"
115 echo " ./$PROGNAME --initca"
116 echo " ./$PROGNAME --server myserver"
117 echo " ./$PROGNAME client1"
118 echo " ./$PROGNAME --pass client2"
119 echo "Typical usage for adding client cert to existing PKI:"
120 echo " source ./vars"
121 echo " ./$PROGNAME client-new"
122 }
123
124 # Set tool defaults
125 [ -n "$OPENSSL" ] || export OPENSSL="openssl"
126 [ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
127 [ -n "$GREP" ] || export GREP="grep"
128
129 # Set defaults
130 DO_REQ="1"
131 REQ_EXT=""
132 DO_CA="1"
133 CA_EXT=""
134 DO_P12="0"
135 DO_P11="0"
136 DO_ROOT="0"
137 NODES_REQ="-nodes"
138 NODES_P12=""
139 BATCH="-batch"
140 CA="ca"
141 # must be set or errors of openssl.cnf
142 PKCS11_MODULE_PATH="dummy"
143 PKCS11_PIN="dummy"
144
145 # Process options
146 while [ $# -gt 0 ]; do
147 case "$1" in
148 --keysize ) KEY_SIZE=$2
149 shift;;
150 --server ) REQ_EXT="$REQ_EXT -extensions server"
151 CA_EXT="$CA_EXT -extensions server" ;;
152 --batch ) BATCH="-batch" ;;
153 --interact ) BATCH="" ;;
154 --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
155 --initca ) DO_ROOT="1" ;;
156 --pass ) NODES_REQ="" ;;
157 --csr ) DO_CA="0" ;;
158 --sign ) DO_REQ="0" ;;
159 --pkcs12 ) DO_P12="1" ;;
160 --pkcs11 ) DO_P11="1"
161 PKCS11_MODULE_PATH="$2"
162 PKCS11_SLOT="$3"
163 PKCS11_ID="$4"
164 PKCS11_LABEL="$5"
165 shift 4;;
166
167 # standalone
168 --pkcs11-init)
169 PKCS11_MODULE_PATH="$2"
170 PKCS11_SLOT="$3"
171 PKCS11_LABEL="$4"
172 if [ -z "$PKCS11_LABEL" ]; then
173 die "Please specify library name, slot and label"
174 fi
175 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
176 --label "$PKCS11_LABEL" &&
177 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
178 exit $?;;
179 --pkcs11-slots)
180 PKCS11_MODULE_PATH="$2"
181 if [ -z "$PKCS11_MODULE_PATH" ]; then
182 die "Please specify library name"
183 fi
184 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
185 exit 0;;
186 --pkcs11-objects)
187 PKCS11_MODULE_PATH="$2"
188 PKCS11_SLOT="$3"
189 if [ -z "$PKCS11_SLOT" ]; then
190 die "Please specify library name and slot"
191 fi
192 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
193 exit 0;;
194
195 --help|--usage)
196 usage
197 exit ;;
198 --version)
199 echo "$PROGNAME $VERSION"
200 exit ;;
201 # errors
202 --* ) die "$PROGNAME: unknown option: $1" ;;
203 * ) break ;;
204 esac
205 shift
206 done
207
208 if ! [ -z "$BATCH" ]; then
209 if $OPENSSL version | grep 0.9.6 > /dev/null; then
210 die "Batch mode is unsupported in openssl<0.9.7"
211 fi
212 fi
213
214 if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
215 die "PKCS#11 and PKCS#12 cannot be specified together"
216 fi
217
218 if [ $DO_P11 -eq 1 ]; then
219 if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
220 die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
221 fi
222 fi
223
224 # If we are generating pkcs12, only encrypt the final step
225 if [ $DO_P12 -eq 1 ]; then
226 NODES_P12="$NODES_REQ"
227 NODES_REQ="-nodes"
228 fi
229
230 if [ $DO_P11 -eq 1 ]; then
231 if [ -z "$PKCS11_LABEL" ]; then
232 die "PKCS#11 arguments incomplete"
233 fi
234 fi
235
236 # If undefined, set default key expiration intervals
237 if [ -z "$KEY_EXPIRE" ]; then
238 KEY_EXPIRE=3650
239 fi
240 if [ -z "$CA_EXPIRE" ]; then
241 CA_EXPIRE=3650
242 fi
243
244 # Set organizational unit to empty string if undefined
245 if [ -z "$KEY_OU" ]; then
246 KEY_OU=""
247 fi
248
249 # Set X509 Name string to empty string if undefined
250 if [ -z "$KEY_NAME" ]; then
251 KEY_NAME=""
252 fi
253
254 # Set KEY_CN, FN
255 if [ $DO_ROOT -eq 1 ]; then
256 if [ -z "$KEY_CN" ]; then
257 if [ "$1" ]; then
258 KEY_CN="$1"
259 elif [ "$KEY_ORG" ]; then
260 KEY_CN="$KEY_ORG CA"
261 fi
262 fi
263 if [ $BATCH ] && [ "$KEY_CN" ]; then
264 echo "Using CA Common Name:" "$KEY_CN"
265 fi
266 FN="$KEY_CN"
267 elif [ $BATCH ] && [ "$KEY_CN" ]; then
268 echo "Using Common Name:" "$KEY_CN"
269 FN="$KEY_CN"
270 if [ "$1" ]; then
271 FN="$1"
272 fi
273 else
274 if [ $# -ne 1 ]; then
275 usage
276 exit 1
277 else
278 KEY_CN="$1"
279 fi
280 FN="$KEY_CN"
281 fi
282
283 export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
284
285 # Show parameters (debugging)
286 if [ $DEBUG -eq 1 ]; then
287 echo DO_REQ $DO_REQ
288 echo REQ_EXT $REQ_EXT
289 echo DO_CA $DO_CA
290 echo CA_EXT $CA_EXT
291 echo NODES_REQ $NODES_REQ
292 echo NODES_P12 $NODES_P12
293 echo DO_P12 $DO_P12
294 echo KEY_CN $KEY_CN
295 echo BATCH $BATCH
296 echo DO_ROOT $DO_ROOT
297 echo KEY_EXPIRE $KEY_EXPIRE
298 echo CA_EXPIRE $CA_EXPIRE
299 echo KEY_OU $KEY_OU
300 echo KEY_NAME $KEY_NAME
301 echo DO_P11 $DO_P11
302 echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
303 echo PKCS11_SLOT $PKCS11_SLOT
304 echo PKCS11_ID $PKCS11_ID
305 echo PKCS11_LABEL $PKCS11_LABEL
306 fi
307
308 # Make sure ./vars was sourced beforehand
309 if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
310 cd "$KEY_DIR"
311
312 # Make sure $KEY_CONFIG points to the correct version
313 # of openssl.cnf
314 if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
315 :
316 else
317 echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
318 echo "version of openssl.cnf: $KEY_CONFIG"
319 echo "The correct version should have a comment that says: easy-rsa version 2.x";
320 exit 1;
321 fi
322
323 # Build root CA
324 if [ $DO_ROOT -eq 1 ]; then
325 $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
326 -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
327 chmod 0600 "$CA.key"
328 else
329 # Make sure CA key/cert is available
330 if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
331 if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
332 echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
333 echo "Try $PROGNAME --initca to build a root certificate/key."
334 exit 1
335 fi
336 fi
337
338 # Generate key for PKCS#11 token
339 PKCS11_ARGS=
340 if [ $DO_P11 -eq 1 ]; then
341 stty -echo
342 echo -n "User PIN: "
343 read -r PKCS11_PIN
344 stty echo
345 export PKCS11_PIN
346
347 echo "Generating key pair on PKCS#11 token..."
348 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
349 --login --pin "$PKCS11_PIN" \
350 --key-type rsa:1024 \
351 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
352 PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
353 fi
354
355 # Build cert/key
356 ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
357 -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
358 ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
359 -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
360 ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
361 -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
362 ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
363 ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
364
365 # Load certificate into PKCS#11 token
366 if [ $DO_P11 -eq 1 ]; then
367 $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
368 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
369 --login --pin "$PKCS11_PIN" \
370 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
371 [ -e "$FN.crt.der" ]; rm "$FN.crt.der"
372 fi
373
374 fi
375
376 # Need definitions
377 else
378 need_vars
379 fi
Unnamed repository; edit this file 'description' to name the repository.