Xinuxpki: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Thomas (Diskussion | Beiträge) |
Thomas (Diskussion | Beiträge) |
||
| Zeile 1: | Zeile 1: | ||
| + | =handling= | ||
| + | /usr/local/sbin/xinuxpki ca | cert [server] <COMMON_NAME> | revoke <COMMON_NAME> | dh | list | show <cert|req> COMMMON_NAME | help | ||
=download= | =download= | ||
[[Media:xinuxpki.sh|xinuxpki.sh]] | [[Media:xinuxpki.sh|xinuxpki.sh]] | ||
| − | |||
| − | |||
=script= | =script= | ||
<pre> | <pre> | ||
Version vom 8. November 2014, 15:47 Uhr
handling
/usr/local/sbin/xinuxpki ca | cert [server] <COMMON_NAME> | revoke <COMMON_NAME> | dh | list | show <cert|req> COMMMON_NAME | help
download
script
#!/bin/bash
SSLDIR="/var/ssl/ca"
export PASS="suxer"
export CAPASS="oimel"
function openssl-cf()
{
cat <<HERE
HOME = .
#RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
crl = \$dir/ca.crl
private_key = \$dir/ca.key
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
copy_extensions = copy # add by xinux
name_opt = ca_default
cert_opt = ca_default
default_days = 3650 # change by xinux
default_crl_days= 30
default_md = default
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ORGANIZATION
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $UNIT
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = $COMMON_NAME
[ req_attributes ]
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ] # change by xinux
basicConstraints = CA:true
basicConstraints = critical, CA:TRUE
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:http://www.xinux.de/ca/ca.crl
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = ./demoCA
serial = $dir/tsaserial
crypto_device = builtin
signer_cert = $dir/tsacert.pem
certs = $dir/cacert.pem
signer_key = $dir/private/tsakey.pem
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
digests = md5, sha1
accuracy = secs:1, millisecs:500, microsecs:100
clock_precision_digits = 0
ordering = yes
tsa_name = yes
ess_cert_id_chain = no
HERE
}
function ask()
{
echo -ne "Country Name (2 letter code) [de]: "
read COUNTRY
test -z $COUNTRY && COUNTRY="de"
echo -ne "State or Province Name (full name) [rlp]: "
read PROVINCE
test -z $PROVINCE && PROVINCE="rlp"
echo -ne "Locality Name (eg, city) [zw]: "
read CITY
test -z $CITY && CITY="zw"
echo -ne "Organization Name (eg, company) [xinux] "
read ORGANIZATION
test -z $ORGANIZATION && ORGANIZATION="xinux"
echo -ne "Organizational Unit Name (eg, section) [it]: "
read UNIT
test -z $UNIT && UNIT="it"
}
function ca()
{
ask
COMMON_NAME=ca
export COUNTRY PROVINCE CITY COMMON_NAME UNIT
if [ -d $SSLDIR ]; then
echo "CA exist!"
exit 1
else
mkdir -p $SSLDIR/newcerts
cd $SSLDIR
touch index.txt
echo 01 > serial
echo 01 > crlnumber
fi
openssl-cf > openssl.cnf
openssl genrsa -passout env:CAPASS -des3 -out ca.key 2048
openssl req -passin env:CAPASS -new -batch -config openssl.cnf -key ca.key -x509 -days 3650 -out ca.crt
echo -e "\nCA created!\n"
}
function cert()
{
test "$1" = "server" && { shift ; EXT="server"; }
cd $SSLDIR
if test "$#" -eq 1
then
COMMON_NAME=$1
test -f $COMMON_NAME.key && { echo "$COMMON_NAME exists" ; exit 1; }
sed -e "s/commonName_default.\+/commonName_default\t\t= $COMMON_NAME/" openssl.cnf > $COMMON_NAME.cnf
else
ask
echo -ne "Common Name (e.g. server FQDN or YOUR name) : "
read COMMON_NAME
test -z "$COMMON_NAME" && { echo "COMMON_NAME expected" ; exit 1; }
test -f $COMMON_NAME.key && { echo "$COMMON_NAME exists" ; exit 1; }
openssl-cf > $COMMON_NAME.cnf
fi
openssl genrsa -passout env:PASS -des3 -out $COMMON_NAME.key 2048
if test "$EXT" = "server"
then
cat<<HERE >> $COMMON_NAME.cnf
[ server-ext ]
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$COMMON_NAME
HERE
openssl req -passin env:PASS -new -batch -config $COMMON_NAME.cnf -key $COMMON_NAME.key -out $COMMON_NAME.csr -reqexts server-ext
else
openssl req -passin env:PASS -new -batch -config $COMMON_NAME.cnf -key $COMMON_NAME.key -out $COMMON_NAME.csr
fi
openssl ca -passin env:CAPASS -config openssl.cnf -batch -cert ca.crt -days 3650 -keyfile ca.key -in $COMMON_NAME.csr -out $COMMON_NAME.crt
openssl ca -passin env:CAPASS -batch -gencrl -config openssl.cnf -out ca.crl
openssl crl -in ca.crl -outform der -out crl-der.crl
openssl pkcs12 -passin env:PASS -passout env:PASS -export -in $COMMON_NAME.crt -inkey $COMMON_NAME.key -certfile ca.crt -out $COMMON_NAME.p12
echo -e "\ncert created\n"
}
function revoke()
{
cd $SSLDIR
COMMON_NAME=$1
openssl ca -passin env:CAPASS -config openssl.cnf -revoke $COMMON_NAME.crt
echo -e "\ncert $COMMON_NAME revoke\n"
}
function dh()
{
cd $SSLDIR
openssl gendh 1024 > dh1024.pem:
echo -e "\ndh generated\n"
}
function list()
{
cd $SSLDIR
cat index.txt
}
function help()
{
echo "$0 ca | cert [server] <COMMON_NAME> | revoke <COMMON_NAME> | dh | list | show <cert|req> COMMMON_NAME | help" ;
}
function show()
{
case $1 in
cert)
test -f $2.crt || { echo "$2.crt not found"; exit 1;}
openssl x509 -noout -text -in $2.crt
;;
req)
test -f $2.csr || { echo "$2.csr not found"; exit 1 ;}
openssl req -noout -text -in $2.csr
;;
esac
}
echo -e "working directory: $SSLDIR\n"
test -d $SSLDIR || { echo "first create CA" ; DF=1 ; }
case $1 in
ca) ca ;;
cert) cert $2 $3 ;;
revoke) revoke $2 ;;
dh) dh ;;
show) show $2 $3 ;;
list) list ;;
*) help ;;
esac