2
0

gentls_cert.in 4.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243
  1. #!/bin/sh
  2. CONFDIR=@certsdir@
  3. DAYS=2190
  4. KEY_SIZE=2048
  5. export KEY_SIZE=${KEY_SIZE}
  6. TMPFILE="/tmp/fs-ca-$$-$(date +%Y%m%d%H%M%S)"
  7. COMMON_NAME="FreeSWITCH CA"
  8. ALT_NAME="DNS:test.freeswitch.org"
  9. ORG_NAME="FreeSWITCH"
  10. OUTFILE="agent.pem"
  11. umask 037
  12. check_ca() {
  13. for x in cacert.pem cakey.pem config.tpl; do
  14. if [ ! -e "${CONFDIR}/CA/${x}" ]; then
  15. return 1
  16. fi
  17. done
  18. return 0
  19. }
  20. setup_ca() {
  21. if check_ca; then
  22. echo "Existing CA found in \"${CONFDIR}/CA\""
  23. echo "(Use \"gentls_cert remove\" to delete)"
  24. exit 1
  25. fi
  26. echo "Creating new CA..."
  27. if [ ! -d "${CONFDIR}/CA" ]; then
  28. mkdir -p -m 750 "${CONFDIR}/CA" || exit 1
  29. fi
  30. if [ -e "${CONFDIR}/CA/config.tpl" ]; then
  31. if [ $0 -nt "${CONFDIR}/CA/config.tpl" ]; then
  32. echo "WARNING! genttls_cert has a modified time more recent than ${CONFDIR}/CA/config.tpl remove config.tpl to re-generate it"
  33. fi
  34. else
  35. cat > "${CONFDIR}/CA/config.tpl" <<-EOF
  36. [ req ]
  37. default_bits = \$ENV::KEY_SIZE
  38. prompt = no
  39. distinguished_name = req_dn
  40. x509_extensions = v3_ca
  41. [ req_dn ]
  42. commonName = %CN%
  43. organizationName = %ORG%
  44. [ server ]
  45. nsComment="FS Server Cert"
  46. basicConstraints=CA:FALSE
  47. subjectKeyIdentifier=hash
  48. authorityKeyIdentifier=keyid,issuer:always
  49. subjectAltName=%ALTNAME%
  50. nsCertType=server
  51. extendedKeyUsage=serverAuth
  52. [ client ]
  53. nsComment="FS Client Cert"
  54. basicConstraints=CA:FALSE
  55. subjectKeyIdentifier=hash
  56. authorityKeyIdentifier=keyid,issuer:always
  57. subjectAltName=%ALTNAME%
  58. nsCertType=client
  59. extendedKeyUsage=clientAuth
  60. [ v3_ca ]
  61. subjectKeyIdentifier=hash
  62. authorityKeyIdentifier=keyid:always,issuer
  63. basicConstraints=CA:TRUE
  64. EOF
  65. fi
  66. sed \
  67. -e "s|%CN%|$COMMON_NAME|" \
  68. -e "s|%ORG%|$ORG_NAME|" \
  69. -e "/%ALTNAME%/d" \
  70. -e "s|CA:FALSE|CA:TRUE|" \
  71. "${CONFDIR}/CA/config.tpl" \
  72. > "${TMPFILE}.cfg" || exit 1
  73. openssl req -out "${CONFDIR}/CA/cacert.pem" \
  74. -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \
  75. -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha256 >/dev/null || exit 1
  76. cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
  77. cp $TMPFILE.cfg /tmp/ssl.cfg
  78. rm "${TMPFILE}.cfg"
  79. echo "DONE"
  80. }
  81. generate_cert() {
  82. local val=""
  83. if ! check_ca; then
  84. echo "No existing CA found, please create one with \"gentls_cert setup\" first"
  85. exit 1
  86. fi
  87. echo "Generating new certificate..."
  88. echo
  89. echo "--------------------------------------------------------"
  90. echo "CN: \"${COMMON_NAME}\""
  91. echo "ORG_NAME: \"${ORG_NAME}\""
  92. echo "ALT_NAME: \"${ALT_NAME}\""
  93. echo
  94. echo "Certificate filename \"${OUTFILE}\""
  95. echo
  96. echo "[Is this OK? (y/N)]"
  97. read val
  98. if [ "${val}" != "y" ] && [ "${val}" != "Y" ]; then
  99. echo "Aborted"
  100. return 2
  101. fi
  102. sed \
  103. -e "s|%CN%|$COMMON_NAME|" \
  104. -e "s|%ALTNAME%|$ALT_NAME|" \
  105. -e "s|%ORG%|$ORG_NAME|" \
  106. "${CONFDIR}/CA/config.tpl" \
  107. > "${TMPFILE}.cfg" || exit 1
  108. openssl req -new -out "${TMPFILE}.req" \
  109. -newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \
  110. -config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1
  111. openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
  112. -in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
  113. -extensions "${EXTENSIONS}" -days ${DAYS} -sha256 >/dev/null || exit 1
  114. cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"
  115. rm "${TMPFILE}.cfg" "${TMPFILE}.crt" "${TMPFILE}.key" "${TMPFILE}.req"
  116. echo "DONE"
  117. }
  118. remove_ca() {
  119. echo "Removing CA"
  120. if [ -d "${CONFDIR}/CA" ]; then
  121. rm "${CONFDIR}/CA/"*
  122. rmdir "${CONFDIR}/CA"
  123. fi
  124. echo "DONE"
  125. }
  126. OUTFILESET="0"
  127. command="$1"
  128. shift
  129. while [ $# -gt 0 ]; do
  130. case $1 in
  131. -cn)
  132. shift
  133. COMMON_NAME="$1"
  134. ;;
  135. -alt)
  136. shift
  137. ALT_NAME="$1"
  138. ;;
  139. -org)
  140. shift
  141. ORG_NAME="$1"
  142. ;;
  143. -out)
  144. shift
  145. OUTFILE="$1"
  146. OUTFILESET="1"
  147. ;;
  148. -days)
  149. shift
  150. DAYS="$1"
  151. ;;
  152. esac
  153. shift
  154. done
  155. case ${command} in
  156. setup)
  157. setup_ca
  158. ;;
  159. create)
  160. EXTENSIONS="server"
  161. generate_cert
  162. ;;
  163. create_server)
  164. EXTENSIONS="server"
  165. generate_cert
  166. ;;
  167. create_client)
  168. EXTENSIONS="client"
  169. if [ "${OUTFILESET}" = "0" ]; then
  170. OUTFILE="client.pem"
  171. fi
  172. generate_cert
  173. ;;
  174. remove)
  175. echo "Are you sure you want to delete the CA? [YES to delete]"
  176. read val
  177. if [ "${val}" = "YES" ]; then
  178. remove_ca
  179. else
  180. echo "Not deleting CA"
  181. fi
  182. ;;
  183. *)
  184. cat <<-EOF
  185. $0 <setup|create_server|create_client|clean> [options]
  186. * commands:
  187. setup - Setup new CA
  188. remove - Remove CA
  189. create_server - Create new certificate (overwriting existing!)
  190. create_client - Create a new client certificate (overwrites existing!)
  191. * options:
  192. -cn Set common name
  193. -alt Set alternative name (use prefix 'DNS:' or 'URI:')
  194. -org Set organization name
  195. -out Filename for new certificate (create only)
  196. -days Certificate expires in X days (default: 365)
  197. EOF
  198. exit 1
  199. ;;
  200. esac