123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243 |
- #!/bin/sh
- CONFDIR=@certsdir@
- DAYS=2190
- KEY_SIZE=2048
- export KEY_SIZE=${KEY_SIZE}
- TMPFILE="/tmp/fs-ca-$$-$(date +%Y%m%d%H%M%S)"
- COMMON_NAME="FreeSWITCH CA"
- ALT_NAME="DNS:test.freeswitch.org"
- ORG_NAME="FreeSWITCH"
- OUTFILE="agent.pem"
- umask 037
- check_ca() {
- for x in cacert.pem cakey.pem config.tpl; do
- if [ ! -e "${CONFDIR}/CA/${x}" ]; then
- return 1
- fi
- done
- return 0
- }
- setup_ca() {
- if check_ca; then
- echo "Existing CA found in \"${CONFDIR}/CA\""
- echo "(Use \"gentls_cert remove\" to delete)"
- exit 1
- fi
- echo "Creating new CA..."
- if [ ! -d "${CONFDIR}/CA" ]; then
- mkdir -p -m 750 "${CONFDIR}/CA" || exit 1
- fi
- if [ -e "${CONFDIR}/CA/config.tpl" ]; then
- if [ $0 -nt "${CONFDIR}/CA/config.tpl" ]; then
- echo "WARNING! genttls_cert has a modified time more recent than ${CONFDIR}/CA/config.tpl remove config.tpl to re-generate it"
- fi
- else
- cat > "${CONFDIR}/CA/config.tpl" <<-EOF
- [ req ]
- default_bits = \$ENV::KEY_SIZE
- prompt = no
- distinguished_name = req_dn
- x509_extensions = v3_ca
- [ req_dn ]
- commonName = %CN%
- organizationName = %ORG%
- [ server ]
- nsComment="FS Server Cert"
- basicConstraints=CA:FALSE
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid,issuer:always
- subjectAltName=%ALTNAME%
- nsCertType=server
- extendedKeyUsage=serverAuth
- [ client ]
- nsComment="FS Client Cert"
- basicConstraints=CA:FALSE
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid,issuer:always
- subjectAltName=%ALTNAME%
- nsCertType=client
- extendedKeyUsage=clientAuth
- [ v3_ca ]
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid:always,issuer
- basicConstraints=CA:TRUE
- EOF
- fi
- sed \
- -e "s|%CN%|$COMMON_NAME|" \
- -e "s|%ORG%|$ORG_NAME|" \
- -e "/%ALTNAME%/d" \
- -e "s|CA:FALSE|CA:TRUE|" \
- "${CONFDIR}/CA/config.tpl" \
- > "${TMPFILE}.cfg" || exit 1
- openssl req -out "${CONFDIR}/CA/cacert.pem" \
- -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \
- -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1
- cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
- cp $TMPFILE.cfg /tmp/ssl.cfg
- rm "${TMPFILE}.cfg"
- echo "DONE"
- }
- generate_cert() {
- local val=""
- if ! check_ca; then
- echo "No existing CA found, please create one with \"gentls_cert setup\" first"
- exit 1
- fi
- echo "Generating new certificate..."
- echo
- echo "--------------------------------------------------------"
- echo "CN: \"${COMMON_NAME}\""
- echo "ORG_NAME: \"${ORG_NAME}\""
- echo "ALT_NAME: \"${ALT_NAME}\""
- echo
- echo "Certificate filename \"${OUTFILE}\""
- echo
- echo "[Is this OK? (y/N)]"
- read val
- if [ "${val}" != "y" ] && [ "${val}" != "Y" ]; then
- echo "Aborted"
- return 2
- fi
- sed \
- -e "s|%CN%|$COMMON_NAME|" \
- -e "s|%ALTNAME%|$ALT_NAME|" \
- -e "s|%ORG%|$ORG_NAME|" \
- "${CONFDIR}/CA/config.tpl" \
- > "${TMPFILE}.cfg" || exit 1
- openssl req -new -out "${TMPFILE}.req" \
- -newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \
- -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
- openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
- -in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
- -extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1
- cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"
- rm "${TMPFILE}.cfg" "${TMPFILE}.crt" "${TMPFILE}.key" "${TMPFILE}.req"
- echo "DONE"
- }
- remove_ca() {
- echo "Removing CA"
- if [ -d "${CONFDIR}/CA" ]; then
- rm "${CONFDIR}/CA/"*
- rmdir "${CONFDIR}/CA"
- fi
- echo "DONE"
- }
- OUTFILESET="0"
- command="$1"
- shift
- while [ $# -gt 0 ]; do
- case $1 in
- -cn)
- shift
- COMMON_NAME="$1"
- ;;
- -alt)
- shift
- ALT_NAME="$1"
- ;;
- -org)
- shift
- ORG_NAME="$1"
- ;;
- -out)
- shift
- OUTFILE="$1"
- OUTFILESET="1"
- ;;
- -days)
- shift
- DAYS="$1"
- ;;
- esac
- shift
- done
- case ${command} in
- setup)
- setup_ca
- ;;
- create)
- EXTENSIONS="server"
- generate_cert
- ;;
- create_server)
- EXTENSIONS="server"
- generate_cert
- ;;
- create_client)
- EXTENSIONS="client"
- if [ "${OUTFILESET}" = "0" ]; then
- OUTFILE="client.pem"
- fi
- generate_cert
- ;;
- remove)
- echo "Are you sure you want to delete the CA? [YES to delete]"
- read val
- if [ "${val}" = "YES" ]; then
- remove_ca
- else
- echo "Not deleting CA"
- fi
- ;;
- *)
- cat <<-EOF
- $0 <setup|create_server|create_client|clean> [options]
- * commands:
- setup - Setup new CA
- remove - Remove CA
- create_server - Create new certificate (overwriting existing!)
- create_client - Create a new client certificate (overwrites existing!)
- * options:
- -cn Set common name
- -alt Set alternative name (use prefix 'DNS:' or 'URI:')
- -org Set organization name
- -out Filename for new certificate (create only)
- -days Certificate expires in X days (default: 365)
- EOF
- exit 1
- ;;
- esac
|