Xinuxpki
handling
/usr/local/sbin/xinuxpki ca | cert [server] <COMMON_NAME> | revoke <COMMON_NAME> | dh | list | show <cert|req> <COMMON_NAME> | help
ca
xinuxpki ca
cert
interaktiv
xinuxpki cert
interaktiv serverext
xinuxpki cert server
automatisch
xinuxpki cert <COMMON_NAME>
automatisch serverext
xinuxpki cert server <COMMON_NAME>
revoke
xinuxpki revoke <COMMON_NAME>
dh
xinuxpki dh
list
xinuxpki list
show
req
xinuxpki show req <COMMON_NAME>
cert
xinuxpki show cert <COMMON_NAME>
download
script
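#!/bin/bash
#
# xinuxpki - small OpenSSL-based certificate authority helper.
#
# Usage:
#   xinuxpki ca                          create the CA in $SSLDIR (interactive DN prompts)
#   xinuxpki cert [server] [COMMON_NAME] issue a key/CSR/cert/PKCS#12 bundle; "server"
#                                        adds serverAuth EKU + DNS SAN; without a
#                                        COMMON_NAME the DN is asked interactively
#   xinuxpki revoke COMMON_NAME          revoke a cert and regenerate the CRL
#   xinuxpki dh [bits]                   generate DH parameters (default 1024 -> dh1024.pem)
#   xinuxpki list                        print the CA index (index.txt)
#   xinuxpki show cert|req COMMON_NAME   dump a cert / CSR as text
#
# All state lives in $SSLDIR.  Two passphrases are used and handed to openssl
# through the environment (env:VAR), never on argv:
#   PASS   - protects issued private keys and PKCS#12 bundles
#   CAPASS - protects the CA private key
# The literal defaults below are placeholders kept for compatibility with keys
# created by earlier versions of this script; set PASS / CAPASS in the calling
# environment to override them.
set -eu -o pipefail

readonly SSLDIR="/var/ssl/ca"
export PASS="${PASS:-suxer}"
export CAPASS="${CAPASS:-oimel}"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
function die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Accept a common name only if it is safe to use as a file name stem and
# inside the generated openssl config (no path separators, no leading '-'
# or '.', no config/SAN separators such as ',' or '='), and no longer than
# the 64 characters commonName_max allows.
# Arguments: $1 - candidate common name
# Returns:   0 if acceptable, 1 otherwise
#######################################
function valid_cn() {
  local re='^[A-Za-z0-9][A-Za-z0-9._@ -]{0,63}$'
  [[ "${1:-}" =~ $re ]]
}

#######################################
# Ensure the CA directory exists and make it the working directory.
# Every command except "ca" and "help" needs this; the original script only
# printed a warning and then ran openssl in whatever the current directory was.
# Globals:   SSLDIR (read)
#######################################
function require_ca() {
  [[ -d "$SSLDIR" ]] || die "first create CA"
  cd "$SSLDIR" || die "cannot cd to $SSLDIR"
}

#######################################
# Emit the openssl.cnf used for the CA and for every request.
# Shell variables COUNTRY PROVINCE CITY ORGANIZATION UNIT COMMON_NAME become
# the *_default values of [ req_distinguished_name ]; everything that must
# reach openssl literally ($dir, $ENV::HOME) is escaped.
# Note: copy_extensions = copy makes the CA honour extensions found in the
# CSR; that is fine here because this script generates every CSR itself, but
# the config should not be reused to sign externally supplied requests.
# Outputs:   config text on stdout
#######################################
function openssl-cf() {
  cat <<HERE
HOME = .
#RANDFILE = \$ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
crl = \$dir/ca.crl
private_key = \$dir/ca.key
#RANDFILE = \$dir/private/.rand
x509_extensions = usr_cert
# add by xinux
copy_extensions = copy
name_opt = ca_default
cert_opt = ca_default
# change by xinux
default_days = 3650
default_crl_days= 30
default_md = default
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = ${COUNTRY:-}
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ${PROVINCE:-}
localityName = Locality Name (eg, city)
localityName_default = ${CITY:-}
0.organizationName = Organization Name (eg, company)
0.organizationName_default = ${ORGANIZATION:-}
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ${UNIT:-}
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = ${COMMON_NAME:-}

[ req_attributes ]

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
# change by xinux: a plain "basicConstraints = CA:true" line used to precede
# the critical one; a section must not carry the same extension twice.
basicConstraints = critical, CA:TRUE
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
crlDistributionPoints = URI:http://www.xinux.de/ca/ca.crl

[ crl_ext ]
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

[ tsa ]
default_tsa = tsa_config1

[ tsa_config1 ]
dir = ./demoCA
serial = \$dir/tsaserial
crypto_device = builtin
signer_cert = \$dir/tsacert.pem
certs = \$dir/cacert.pem
signer_key = \$dir/private/tsakey.pem
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
digests = md5, sha1
accuracy = secs:1, millisecs:500, microsecs:100
clock_precision_digits = 0
ordering = yes
tsa_name = yes
ess_cert_id_chain = no
HERE
}

#######################################
# Rewrite the commonName_default line of an openssl config read on stdin.
# Everything from "commonName_default" to the end of that line is replaced;
# the value is taken via ENVIRON so awk never interprets escapes in it.
# Arguments: $1 - new common name
# Outputs:   rewritten config on stdout
#######################################
function cn_config() {
  cn="$1" awk '{
    i = index($0, "commonName_default")
    if (i) { print substr($0, 1, i - 1) "commonName_default\t\t= " ENVIRON["cn"] }
    else   { print }
  }'
}

#######################################
# Interactively collect the DN components, falling back to the defaults.
# Globals:   COUNTRY PROVINCE CITY ORGANIZATION UNIT (written)
#######################################
function ask() {
  local v
  read -r -p "Country Name (2 letter code) [de]: " v
  COUNTRY=${v:-de}
  read -r -p "State or Province Name (full name) [rlp]: " v
  PROVINCE=${v:-rlp}
  read -r -p "Locality Name (eg, city) [zw]: " v
  CITY=${v:-zw}
  read -r -p "Organization Name (eg, company) [xinux] " v
  ORGANIZATION=${v:-xinux}
  read -r -p "Organizational Unit Name (eg, section) [it]: " v
  UNIT=${v:-it}
}

#######################################
# Regenerate the CRL (PEM and DER) from the CA database.
# Must be called from inside $SSLDIR.
#######################################
function gencrl() {
  openssl ca -passin env:CAPASS -batch -gencrl -config openssl.cnf -out ca.crl
  openssl crl -in ca.crl -outform der -out crl-der.crl
}

#######################################
# Create the CA: directory layout, database files, openssl.cnf, CA key and
# self-signed CA certificate (10 years).
# Globals:   SSLDIR (read); COUNTRY PROVINCE CITY ORGANIZATION UNIT COMMON_NAME (written)
#######################################
function ca() {
  # Refuse before asking any questions, not after.
  [[ -d "$SSLDIR" ]] && die "CA exist!"
  ask
  COMMON_NAME=ca
  mkdir -p "$SSLDIR/newcerts"
  cd "$SSLDIR" || die "cannot cd to $SSLDIR"
  touch index.txt
  echo 01 > serial
  echo 01 > crlnumber
  openssl-cf > openssl.cnf
  # AES-256 instead of the legacy 3DES wrapping for the key file.
  openssl genrsa -passout env:CAPASS -aes256 -out ca.key 2048
  chmod 600 ca.key
  openssl req -passin env:CAPASS -new -batch -config openssl.cnf -key ca.key -x509 -days 3650 -out ca.crt
  printf '\n%s\n\n' "CA created!"
}

#######################################
# Issue a certificate: key, CSR, CA-signed cert, fresh CRL, PKCS#12 bundle.
# Arguments: [server] [COMMON_NAME]
#   "server" as first word adds the server-ext request extensions.
#   With a COMMON_NAME the CA's openssl.cnf is reused (same DN defaults) with
#   only commonName_default swapped; without one the DN is prompted for and a
#   fresh config is generated.
# Globals:   PASS CAPASS (read via openssl env:), COMMON_NAME (written)
#######################################
function cert() {
  local ext=""
  if [[ "${1:-}" == "server" ]]; then
    ext="server"
    shift
  fi
  require_ca
  local cn
  if [[ $# -ge 1 && -n "$1" ]]; then
    cn=$1
    valid_cn "$cn" || die "invalid COMMON_NAME: $cn"
    [[ -f "$cn.key" ]] && die "$cn exists"
    cn_config "$cn" < openssl.cnf > "$cn.cnf"
  else
    ask
    read -r -p "Common Name (e.g. server FQDN or YOUR name) : " cn
    [[ -n "$cn" ]] || die "COMMON_NAME expected"
    valid_cn "$cn" || die "invalid COMMON_NAME: $cn"
    [[ -f "$cn.key" ]] && die "$cn exists"
    COMMON_NAME=$cn
    openssl-cf > "$cn.cnf"
  fi
  COMMON_NAME=$cn
  openssl genrsa -passout env:PASS -aes256 -out "$cn.key" 2048
  chmod 600 "$cn.key"
  if [[ "$ext" == "server" ]]; then
    # valid_cn already rejected ',' and '=' so the SAN line cannot be extended.
    cat <<HERE >> "$cn.cnf"
[ server-ext ]
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$cn
HERE
    openssl req -passin env:PASS -new -batch -config "$cn.cnf" -key "$cn.key" -out "$cn.csr" -reqexts server-ext
  else
    openssl req -passin env:PASS -new -batch -config "$cn.cnf" -key "$cn.key" -out "$cn.csr"
  fi
  openssl ca -passin env:CAPASS -config openssl.cnf -batch -cert ca.crt -days 3650 -keyfile ca.key -in "$cn.csr" -out "$cn.crt"
  gencrl
  openssl pkcs12 -passin env:PASS -passout env:PASS -export -in "$cn.crt" -inkey "$cn.key" -certfile ca.crt -out "$cn.p12"
  printf '\n%s\n\n' "cert created"
}

#######################################
# Revoke a certificate and publish a new CRL right away (the original only
# regenerated the CRL on the next "cert" run).
# Arguments: $1 - COMMON_NAME of the certificate to revoke
#######################################
function revoke() {
  local cn=${1:-}
  [[ -n "$cn" ]] || die "COMMON_NAME expected"
  require_ca
  [[ -f "$cn.crt" ]] || die "$cn.crt not found"
  openssl ca -passin env:CAPASS -config openssl.cnf -revoke "$cn.crt"
  gencrl
  printf '\ncert %s revoke\n\n' "$cn"
}

#######################################
# Generate DH parameters into dh<bits>.pem (default 1024, as before).
# "openssl gendh" is no longer shipped by current OpenSSL releases, so
# dhparam is used; it also fixes the stray ':' that used to end the file name.
# Arguments: $1 - bit length (optional)
#######################################
function dh() {
  local bits=${1:-1024}
  [[ "$bits" =~ ^[0-9]+$ ]] || die "dh: bits must be numeric"
  require_ca
  openssl dhparam -out "dh$bits.pem" "$bits"
  printf '\n%s\n\n' "dh generated"
}

#######################################
# Print the CA database.
#######################################
function list() {
  require_ca
  cat index.txt
}

#######################################
# Print the usage line.
#######################################
function help() {
  printf '%s ca | cert [server] <COMMON_NAME> | revoke <COMMON_NAME> | dh [bits] | list | show <cert|req> <COMMON_NAME> | help\n' "$0"
}

#######################################
# Dump a certificate or request from $SSLDIR as text.
# Arguments: $1 - "cert" or "req"; $2 - COMMON_NAME
#######################################
function show() {
  local kind=${1:-} cn=${2:-}
  [[ -n "$cn" ]] || die "COMMON_NAME expected"
  require_ca
  case "$kind" in
    cert)
      [[ -f "$cn.crt" ]] || die "$cn.crt not found"
      openssl x509 -noout -text -in "$cn.crt"
      ;;
    req)
      [[ -f "$cn.csr" ]] || die "$cn.csr not found"
      openssl req -noout -text -in "$cn.csr"
      ;;
    *)
      die "show: expected cert or req"
      ;;
  esac
}

#######################################
# Dispatch on the first argument; unknown or missing command prints usage.
#######################################
function main() {
  printf 'working directory: %s\n\n' "$SSLDIR"
  local cmd=${1:-}
  if (( $# > 0 )); then
    shift
  fi
  case "$cmd" in
    ca) ca ;;
    cert) cert "$@" ;;
    revoke) revoke "${1:-}" ;;
    dh) dh "${1:-}" ;;
    show) show "${1:-}" "${2:-}" ;;
    list) list ;;
    *) help ;;
  esac
}

main "$@"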