Xinuxpki: Unterschied zwischen den Versionen

 
(36 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
=script=
+
=download=
<pre>
+
*[[media:Xinuxpki.sh|xinuxpki.sh]]
#!/bin/bash
+
*[[Datei:Xinuxpki.sh]]
SSLDIR="/var/ssl/ca"
 
export PASS="suxer"
 
export CAPASS="oimel"
 
  
function openssl-cf()
+
=handling=
{
+
/usr/local/sbin/Xinuxpki.sh ca | cert [server|client] <COMMONNAME> | revoke <COMMONNAME> | dh | list | show <cert|req> COMMMON_NAME | help
cat <<HERE
+
=cert location=
HOME                    = .
+
  /var/ssl/ca
#RANDFILE                = $ENV::HOME/.rnd
 
oid_section            = new_oids
 
[ new_oids ]
 
tsa_policy1 = 1.2.3.4.1
 
tsa_policy2 = 1.2.3.4.5.6
 
tsa_policy3 = 1.2.3.4.5.7
 
[ ca ]
 
default_ca      = CA_default
 
[ CA_default ]
 
dir            = ./
 
certs          = \$dir/certs
 
crl_dir        = \$dir/crl
 
database        = \$dir/index.txt
 
new_certs_dir  = \$dir/newcerts
 
certificate    = \$dir/ca.crt
 
serial          = \$dir/serial
 
crlnumber      = \$dir/crlnumber
 
crl            = \$dir/ca.crl
 
private_key    = \$dir/ca.key
 
#RANDFILE        = $dir/private/.rand
 
x509_extensions = usr_cert
 
copy_extensions = copy  # add by xinux
 
name_opt        = ca_default
 
cert_opt        = ca_default
 
default_days    = 3650  # change by xinux
 
default_crl_days= 30
 
default_md      = default
 
preserve        = no
 
policy          = policy_match
 
[ policy_match ]
 
countryName            = match
 
stateOrProvinceName    = optional
 
localityName            = optional
 
organizationName        = match
 
organizationalUnitName = optional
 
commonName              = supplied
 
emailAddress            = optional
 
[ policy_anything ]
 
countryName            = optional
 
stateOrProvinceName    = optional
 
localityName            = optional
 
organizationName        = optional
 
organizationalUnitName  = optional
 
 
 
commonName              = supplied
 
emailAddress            = optional
 
[ req ]
 
default_bits            = 2048
 
default_keyfile        = privkey.pem
 
distinguished_name      = req_distinguished_name
 
attributes              = req_attributes
 
x509_extensions = v3_ca
 
string_mask = utf8only
 
[ req_distinguished_name ]
 
countryName                    = Country Name (2 letter code)
 
countryName_default            = $COUNTRY
 
countryName_min                = 2
 
countryName_max                = 2
 
stateOrProvinceName            = State or Province Name (full name)
 
stateOrProvinceName_default    = $PROVINCE
 
localityName                    = Locality Name (eg, city)
 
localityName_default            = $CITY
 
0.organizationName              = Organization Name (eg, company)
 
0.organizationName_default      = $ORGANIZATION
 
organizationalUnitName          = Organizational Unit Name (eg, section)
 
organizationalUnitName_default = $UNIT
 
commonName                      = Common Name (eg, YOUR name)
 
commonName_max                  = 64
 
commonName_default              = $COMMON_NAME
 
[ req_attributes ]
 
[ usr_cert ]
 
basicConstraints=CA:FALSE
 
nsComment                      = "OpenSSL Generated Certificate"
 
subjectKeyIdentifier=hash
 
authorityKeyIdentifier=keyid,issuer
 
[ v3_req ]
 
basicConstraints = CA:FALSE
 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
[ v3_ca ] # change by xinux
 
basicConstraints = CA:true
 
basicConstraints      = critical, CA:TRUE
 
keyUsage              = cRLSign, keyCertSign
 
subjectKeyIdentifier  = hash
 
authorityKeyIdentifier = keyid, issuer:always
 
subjectAltName        = email:copy
 
issuerAltName          = issuer:copy
 
crlDistributionPoints  = URI:http://www.xinux.de/ca/ca.crl
 
[ crl_ext ]
 
authorityKeyIdentifier=keyid:always
 
[ proxy_cert_ext ]
 
basicConstraints=CA:FALSE
 
nsComment                      = "OpenSSL Generated Certificate"
 
subjectKeyIdentifier=hash
 
authorityKeyIdentifier=keyid,issuer
 
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 
[ tsa ]
 
default_tsa = tsa_config1
 
[ tsa_config1 ]
 
dir            = ./demoCA
 
serial          = $dir/tsaserial
 
crypto_device  = builtin
 
signer_cert    = $dir/tsacert.pem
 
certs          = $dir/cacert.pem
 
signer_key      = $dir/private/tsakey.pem
 
default_policy  = tsa_policy1
 
other_policies  = tsa_policy2, tsa_policy3
 
digests        = md5, sha1
 
accuracy        = secs:1, millisecs:500, microsecs:100
 
clock_precision_digits  = 0
 
ordering                = yes
 
tsa_name                = yes
 
ess_cert_id_chain      = no
 
HERE
 
}
 
  
 +
==help==
 +
<pre>
 +
"/usr/local/sbin/Xpki.sh"
  
function ask()
+
ca "generate a CA"
{
 
echo -ne "Country Name (2 letter code) [de]: "
 
read COUNTRY
 
test -z $COUNTRY && COUNTRY="de"
 
echo -ne "State or Province Name (full name) [rlp]: "
 
read PROVINCE
 
test -z $PROVINCE && PROVINCE="rlp"
 
echo -ne "Locality Name (eg, city) [zw]: "
 
read CITY
 
test -z $CITY && CITY="zw"
 
echo -ne "Organization Name (eg, company) [xinux] "
 
read ORGANIZATION
 
test -z $ORGANIZATION && ORGANIZATION="xinux"
 
echo -ne "Organizational Unit Name (eg, section) [it]: "
 
read UNIT
 
test -z $UNIT && UNIT="it"
 
}
 
  
 +
cert "interactive"
  
 +
cert server "interaktiv serverext"
  
function ca()
+
cert client "interaktiv clientext"
{
 
ask
 
COMMON_NAME=ca
 
export COUNTRY PROVINCE CITY COMMON_NAME UNIT
 
if [ -d $SSLDIR ]; then
 
echo "CA exist!"
 
exit 1
 
else
 
mkdir -p $SSLDIR/newcerts
 
cd $SSLDIR
 
touch index.txt
 
echo 01 > serial
 
echo 01 > crlnumber
 
fi
 
openssl-cf > openssl.cnf
 
openssl genrsa -passout env:CAPASS -des3 -out ca.key 2048
 
openssl req -passin env:CAPASS -new -batch -config openssl.cnf -key ca.key -x509 -days 3650 -out ca.crt
 
echo -e "\nCA created!\n"
 
}
 
  
function cert()
+
cert <COMMONNAME> "interactive"  
{
 
test "$1" = "server" && { shift ; EXT="server"; }
 
cd $SSLDIR
 
if test "$#" -eq 1
 
then
 
COMMON_NAME=$1
 
test -f $COMMON_NAME.key && { echo "$COMMON_NAME exists" ; exit 1; }
 
sed -e "s/commonName_default.\+/commonName_default\t\t= $COMMON_NAME/" openssl.cnf > $COMMON_NAME.cnf
 
else
 
ask
 
echo -ne "Common Name (e.g. server FQDN or YOUR name) : "
 
read COMMON_NAME
 
test -z "$COMMON_NAME" && { echo "COMMON_NAME expected" ; exit 1; }
 
test -f $COMMON_NAME.key && { echo "$COMMON_NAME exists" ; exit 1; }
 
openssl-cf > $COMMON_NAME.cnf
 
fi
 
openssl genrsa -passout env:PASS -des3 -out $COMMON_NAME.key 2048
 
if test "$EXT" = "server"
 
then
 
cat<<HERE >> $COMMON_NAME.cnf
 
[ server-ext ]
 
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
 
subjectAltName = DNS:$COMMON_NAME
 
HERE
 
openssl req -passin env:PASS -new -batch -config $COMMON_NAME.cnf -key $COMMON_NAME.key -out $COMMON_NAME.csr -reqexts server-ext
 
else
 
openssl req -passin env:PASS -new -batch -config $COMMON_NAME.cnf -key $COMMON_NAME.key -out $COMMON_NAME.csr
 
fi
 
openssl ca  -passin env:CAPASS -config openssl.cnf -batch -cert ca.crt -days 3650 -keyfile ca.key  -in $COMMON_NAME.csr  -out $COMMON_NAME.crt
 
openssl ca -passin env:CAPASS -batch -gencrl -config openssl.cnf -out ca.crl
 
openssl  crl -in ca.crl -outform der -out crl-der.crl
 
openssl pkcs12 -passin env:PASS  -passout env:PASS  -export -in $COMMON_NAME.crt -inkey $COMMON_NAME.key -certfile ca.crt -out $COMMON_NAME.p12
 
echo -e "\ncert created\n"
 
}
 
  
function revoke()
+
cert server <COMMONNAME> "interactive serverext"  
{
 
cd $SSLDIR
 
COMMON_NAME=$1
 
openssl ca -passin env:CAPASS -config openssl.cnf -revoke $COMMON_NAME.crt
 
echo -e "\ncert $COMMON_NAME revoke\n"
 
}
 
  
 +
cert client <COMMONNAME> "interactive clientext"
  
function dh()
+
revoke <COMMONNAME> "revoke a cert"
{
 
cd $SSLDIR
 
openssl gendh 1024 > dh1024.pem:
 
echo -e "\ndh generated\n"
 
}
 
  
function list()
+
dh "generate diffie-hellmann"  
{
 
cd $SSLDIR
 
cat index.txt
 
}
 
function help()
 
{
 
echo "$0 ca | cert [server] <COMMON_NAME>  | revoke <COMMON_NAME> | dh | list | show <cert|req> COMMMON_NAME | help" ;
 
}
 
  
function show()
+
list "list certs"
{
 
case $1 in
 
cert)
 
test -f $2.crt ||  { echo "$2.crt not found"; exit 1;}
 
openssl x509 -noout -text -in $2.crt
 
;;
 
req)
 
test -f $2.csr || { echo "$2.csr not found"; exit 1 ;}
 
openssl req -noout -text -in $2.csr
 
;;
 
esac
 
}
 
  
echo -e "working directory: $SSLDIR\n"
+
show req  <COMMONNAME> "show request"
test -d $SSLDIR || { echo "first create CA" ; DF=1 ; }
 
  
 +
show cert <COMMONNAME> "show cert"
  
case $1 in
+
help "this help"
ca) ca ;;
 
cert) cert $2 $3 ;;
 
revoke) revoke $2 ;;
 
dh) dh ;;
 
show) show $2 $3 ;;
 
list) list ;;
 
*) help ;;
 
esac
 
  
  
 
</pre>
 
</pre>
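Review bot: The new `=handling=` and `==help==` text does not say where the passphrases come from: the script body this revision removes from the page exported `PASS="suxer"` and `CAPASS="oimel"` and fed them to `openssl genrsa -passout env:PASS` / `env:CAPASS`, so whoever downloads `[[media:Xinuxpki.sh]]` inherits literal passphrases unless told to change them. I would add one line under `=handling=`, e.g. `PASS and CAPASS hold the passphrases for the end-entity keys and the CA key; set them in the environment (or edit the values at the top of the script) before running ca or cert — the values shipped in the download are placeholders.` Separately, the usage line and the `cert client ...` help entries advertise a `client` mode, but the removed script only recognised `server` (`test "$1" = "server" && { shift ; EXT="server"; }`); if the linked download matches the removed text, the `client` entries describe behaviour that does not exist and should be checked against the file. The help text also mixes `interaktiv` and `interactive` and repeats the `COMMMON_NAME` typo from the script's usage string.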

Aktuelle Version vom 14. Dezember 2022, 17:09 Uhr

download

handling

/usr/local/sbin/Xinuxpki.sh ca | cert [server|client] <COMMONNAME>  | revoke <COMMONNAME> | dh | list | show <cert|req> COMMON_NAME | help

cert location

/var/ssl/ca

help

"/usr/local/sbin/Xpki.sh" 

ca "generate a CA"

cert "interactive"

cert server "interactive serverext"

cert client "interactive clientext"

cert <COMMONNAME> "interactive" 

cert server <COMMONNAME> "interactive serverext" 

cert client <COMMONNAME> "interactive clientext" 

revoke <COMMONNAME> "revoke a cert"

dh "generate diffie-hellmann" 

list "list certs"

show req  <COMMONNAME> "show request"

show cert <COMMONNAME> "show cert"

help "this help"