Okay.. here's a more refined version of the script - including features for client / ca certificate generation.. I've tried to keep it simple and modular - pl. let me know if you have any feedback..
-Madhu -----Original Message----- From: Gomez Henri [mailto:[EMAIL PROTECTED]] Sent: Wednesday, November 21, 2001 3:30 PM To: MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) Cc: '[EMAIL PROTECTED]' Subject: RE: SSL and certficates script En réponse à "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" <[EMAIL PROTECTED]>: > The script is pretty similar to what we had for Apache 1.3.x.. You can > get > the usage details by "./mkcert.sh --help".. Pl. do let me know if the > Usage > details provided are not sufficient - I'll try to put in more details > there.. I just want to say that this script is a SUPERB tool and everything is present to have the graal of SSL certs. We need a tool to generate : 1) a custom CA cert 2) custom server certs signed with that CA 3) client (browser) certs signed all with that CA What will give Apache 2.0 a decent simple "PKI" and which will be very usefull for small companies... > The creation of a self-signed CA and a certificate are both linked > together > - it can be created by "./mkcert.sh --custom" or "./mkcert.sh > --type=custom".. > > Did you want to just create the self-signed CA certificate only, and > NOT > the > server certificate ?.. If yes, then it's not possible with the current > script.. I'm trying to make it more modular, so that you can have a > mix-n-match of the functions.. > Also, I've changed the layout of the files to a certain extent - the > .csr > files now go into the conf/ssl.crt/ directory itself -if this is not > okay, I > can change it back to go to conf/ssl.csr/ The scripts I sent previously included code to generate the client cert (PKCS12 format). I feel you have now everything to give AP2.0 its own little Cert Agency :))))) Hope you could do that for us :) - Henri Gomez ___[_]____ EMAIL : [EMAIL PROTECTED] (. .) PGP KEY : 697ECEDD ...oOOo..(_)..oOOo... PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
#!/bin/sh ## ## mkcert.sh -- SSL Certificate Generation Utility ## export certdir=/opt/apache2s export PATH=$certdir/ssl/bin:$PATH ## Some local variables used openssl=`whence openssl` type= algo= crt= key= view= ## Terminal Sequences case $TERM in xterm|xterm*|vt220|vt220*) BB=`echo dummy | awk '{ printf("%c%c%c%c", 27, 91, 49, 109); }'` BE=`echo dummy | awk '{ printf("%c%c%c", 27, 91, 109); }'` ;; vt100|vt100*) BB=`echo dummy | awk '{ printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }'` BE=`echo dummy | awk '{ printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }'` ;; default) BB='' BE='' ;; esac ## Utility Functions : function Usage { echo "+---------------------------------------------------------------------+"; echo "| |"; echo "| USAGE |"; echo "| |"; echo "| Before you use the mod_ssl you should prepare the SSL certificate |"; echo "| system by running the 'mkcert.sh' command. |"; echo "| For different situations the following variants are provided: |"; echo "| |"; echo "| To view a certificate (displays the generated data) |"; echo "| % mkcert.sh --view |"; echo "| |"; echo "| To generate a Client certificate (signed by own CA) |"; echo "| % mkcert.sh --client |"; echo "| |"; echo "| To generate a custom CA certificate |"; echo "| % mkcert.sh --ca |"; echo "| |"; echo "| To generate a custom certificate (signed by own CA) |"; echo "| % mkcert.sh --custom |"; echo "| |"; echo "| To generate a dummy certificate (dummy self-signed Snake Oil cert) |"; echo "| % mkcert.sh --dummy |"; echo "| |"; echo "| To generate a test certificate (test self-signed Snake Oil CA) |"; echo "| % mkcert.sh --test |"; echo "| |"; echo "| Use type=dummy when you're a vendor package maintainer, |"; echo "| the type=test when you're an admin but want to do tests only, |"; echo "| the type=custom when you're an admin willing to run a real server |"; echo "| (The default is type=test) |"; echo "| |"; echo "| Additionally add --algo=RSA (default) or --algo=DSA to select |"; echo "| the signature algorithm used for the generated certificate. |"; echo "| |"; echo "| Thanks for using Apache |"; echo "+---------------------------------------------------------------------+"; exit 0 } function becho { echo "${BB}$1${BE}" } function perr { echo "${BB}$1${BE}" 1>&2 exit 1 } function desc_key_warning { echo "The contents of the $1 file (the generated private key) has" echo "to be kept secret. So we strongly recommend you to encrypt the" echo "$1 file with a Triple-DES cipher and a Pass Phrase." } function desc_dsa_warning { echo "" echo "${BB}WARNING!${BE} You're generating DSA based certificate/key" echo " pairs. This implies that RSA based ciphers won't be" echo " available later, which for your web server currently" echo " still means that mostly all popular web browsers cannot" echo " connect to it. At least not until you also generate an" echo " additional RSA based certificate/key pair and configure" echo " them in parallel." } function desc_server_certificate { echo "" becho "o $keydir/server.key" echo " The PEM-encoded $algo private key file which you configure" echo " with the 'SSLCertificateKeyFile' directive (automatically done" echo " when you install via APACI). ${BB}KEEP THIS FILE PRIVATE!${BE}" echo "" becho "o $crtdir/server.crt" echo " The PEM-encoded X.509 certificate file which you configure" echo " with the 'SSLCertificateFile' directive (automatically done" echo " when you install via APACI)." echo "" } function desc_ca_certificate { echo "" becho "o $keydir/ca.key" echo " The PEM-encoded $algo private key file of the CA which you can" echo " use to sign other servers or clients.\c" becho " KEEP THIS FILE PRIVATE!" echo "" becho "o $crtdir/ca.crt" echo " The PEM-encoded X.509 certificate file of the CA which you use" echo " to sign other servers or clients. When you sign clients with it" echo " (for SSL client authentication) you can configure this file with" echo " the 'SSLCACertificateFile' directive." } function get_ca_csr { cat >.mkcert.cfg <<EOT [ req ] default_bits = 1024 distinguished_name = req_DN [ req_DN ] countryName = "1. Country Name (2 letter code)" countryName_default = XY countryName_min = 2 countryName_max = 2 stateOrProvinceName = "2. State or Province Name (full name) " stateOrProvinceName_default = Snake Desert localityName = "3. Locality Name (eg, city) " localityName_default = Snake Town 0.organizationName = "4. Organization Name (eg, company) " 0.organizationName_default = Snake Oil, Ltd organizationalUnitName = "5. Organizational Unit Name (eg, section) " organizationalUnitName_default = Certificate Authority commonName = "6. Common Name (eg, CA name) " commonName_max = 64 commonName_default = Snake Oil CA emailAddress = "7. Email Address (eg, name@FQDN)" emailAddress_max = 40 emailAddress_default = [EMAIL PROTECTED] EOT } function get_server_csr { cat >.mkcert.cfg <<EOT [ req ] default_bits = 1024 distinguished_name = req_DN [ req_DN ] countryName = "1. Country Name (2 letter code)" countryName_default = XY countryName_min = 2 countryName_max = 2 stateOrProvinceName = "2. State or Province Name (full name) " stateOrProvinceName_default = Snake Desert localityName = "3. Locality Name (eg, city) " localityName_default = Snake Town 0.organizationName = "4. Organization Name (eg, company) " 0.organizationName_default = Snake Oil, Ltd organizationalUnitName = "5. Organizational Unit Name (eg, section) " organizationalUnitName_default = Webserver Team commonName = "6. Common Name (eg, FQDN) " commonName_max = 64 commonName_default = www.snakeoil.dom emailAddress = "7. Email Address (eg, name@FQDN)" emailAddress_max = 40 emailAddress_default = [EMAIL PROTECTED] EOT } function get_client_csr { cat >.mkcert.cfg <<EOT [ req ] default_bits = 1024 distinguished_name = req_DN [ req_DN ] countryName = "1. Country Name (2 letter code)" countryName_default = US countryName_min = 2 countryName_max = 2 stateOrProvinceName = "2. State or Province Name (full name) " stateOrProvinceName_default = State localityName = "3. Locality Name (eg, city) " localityName_default = City 0.organizationName = "4. Organization Name (eg, company) " 0.organizationName_default = Company Name organizationalUnitName = "5. Organizational Unit Name (eg, section) " organizationalUnitName_default = Webserver Team commonName = "6. Common Name (eg, FQDN) " commonName_max = 64 commonName_default = Username emailAddress = "7. Email Address (eg, name@fqdn)" emailAddress_max = 40 emailAddress_default = [EMAIL PROTECTED] EOT } function do_encrypt { while [ 1 ]; do echo dummy | awk '{ printf("Encrypt the private key now? [Y/n]: "); }' read rc if [ ".$rc" = .n -o ".$rc" = .N ]; then rc="n" break fi if [ ".$rc" = .y -o ".$rc" = .Y -o ".$rc" = . ]; then rc="y" break fi done if [ ".$rc" = .y ]; then if [ ".$algo" = .RSA ]; then (umask 077; $openssl rsa -des3 -in $1 -out $1.crypt) else (umask 077; $openssl dsa -des3 -in $1 -out $1.crypt) fi if [ $? -ne 0 ]; then perr "MKCERT: Failed to encrypt $algo private key" fi (umask 077; cp $1.crypt $1) rm -f $1.crypt echo "Fine, you're using an encrypted $algo private key." else echo "Warning, you're using an unencrypted $algo private key." echo "Please notice this fact and do this on your own risk." fi } function do_verify { echo "Verify: matching certificate & key modulus" modcrt=`$openssl x509 -noout -modulus -in $1 | sed -e 's;.*Modulus=;;'` if [ ".$algo" = .RSA ]; then modkey=`$openssl rsa -noout -modulus -in $2 | sed -e 's;.*Modulus=;;'` else modkey=`$openssl dsa -noout -modulus -in $2 | sed -e 's;.*Key=;;'` fi if [ ".$modcrt" != ".$modkey" ]; then perr "MKCERT: Failed to verify modulus on resulting X.509 certificate" fi } function get_algorithm { if [ ".$algo" = .choose ]; then echo $LINE_SEP becho "STEP 0: Decide the signature algorithm used for certificates" echo "The generated X.509 certificates can contain either" echo "RSA or DSA based ingredients. Select the one you want to use." def1=R def2=r def=RSA prompt="Signature Algorithm ((R)SA or (D)SA) [$def1]:" while [ 1 ]; do echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" read algo if [ ".$algo" = ".$def1" -o ".$algo" = ".$def2" -o ".$algo" = . ]; then algo=$def break elif [ ".$algo" = ".R" -o ".$algo" = ".r" ]; then algo=RSA break elif [ ".$algo" = ".D" -o ".$algo" = ".d" ]; then algo=DSA break else becho "MKCERT: Invalid selection" fi done fi if [ ".$algo" = ".DSA" ]; then desc_dsa_warning fi } function gen_random_key { if [ ".$algo" = .RSA ]; then if [ ".$randfiles" != . ]; then $openssl genrsa -rand $randfiles -out $1 1024 else $openssl genrsa -out $1 1024 fi if [ $? -ne 0 ]; then perr "MKCERT: Failed to generate RSA private key" fi else echo "Generating DSA private key:" if [ ".$3" != "." ]; then if [ ".$randfiles" != . ]; then $openssl dsaparam -rand $randfiles -out $2 1024 else $openssl dsaparam -out $keydir/ca.prm 1024 fi fi if [ ".$randfiles" != . ]; then (umask 077; $openssl gendsa -rand $randfiles -out $1 $2) else (umask 077; $openssl gendsa -out $1 $2) fi if [ $? -ne 0 ]; then perr "MKCERT: Failed to generate DSA private key" fi fi } function gen_certificate_request { $openssl req -config .mkcert.cfg -new -key $1 -out $2 if [ $? -ne 0 ]; then perr "MKCERT: Failed to generate certificate signing request" fi rm -f .mkcert.cfg prompt="8. Certificate Validity (days) [365]:" echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" read days if [ ".$days" = . ]; then days=365 fi echo dummy | \ awk '{ printf("%s", prompt); }' "prompt=Certificate Version (1 or 3) [3]:" read certversion extfile="" } function gen_certificate { if [ ! -f .mkcert.serial ]; then echo '01' >.mkcert.serial fi if [ ".$algo" = .RSA ]; then $openssl x509 $extfile -days $days -CAserial .mkcert.serial \ -CA $crtdir/ca.crt -CAkey $keydir/ca.key \ -in $1 -req -out $2 else $openssl x509 $extfile -days $days -CAserial .mkcert.serial \ -CA $crtdir/ca-dsa.crt -CAkey $keydir/ca-dsa.key \ -in $1 -req -out $2 fi if [ $? -ne 0 ]; then perr "MKCERT: Failed to generate X.509 certificate" fi rm -f .mkcert.cfg } function gen_custom_ca { echo $LINE_SEP becho "STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]" gen_random_key $keydir/ca.key $keydir/ca.prm TRUE echo $LINE_SEP becho "STEP 2: Generating X.509 certificate signing request for CA [ca.csr]" get_ca_csr gen_certificate_request $keydir/ca.key $crtdir/ca.csr echo $LINE_SEP becho "STEP 3: Generating X.509 certificate for CA signed by self [ca.crt]" if [ ".$certversion" = .3 -o ".$certversion" = . ]; then extfile="-extfile .mkcert.cfg" cat >.mkcert.cfg <<EOT extensions = x509v3 [ x509v3 ] subjectAltName = email:copy basicConstraints = CA:true,pathlen:0 nsComment = "mod_ssl generated custom CA certificate" nsCertType = sslCA EOT fi $openssl x509 $extfile -days $days -signkey $keydir/ca.key \ -in $crtdir/ca.csr -req -out $crtdir/ca.crt if [ $? -ne 0 ]; then perr "MKCERT: Failed to generate self-signed CA certificate" fi rm -f .mkcert.cfg do_verify $crtdir/ca.crt $keydir/ca.key echo "Verify: matching certificate signature" $openssl verify $crtdir/ca.crt if [ $? -ne 0 ]; then perr "MKCERT:Failed to verify signature on resulting X.509 certificate" fi echo "Saving the CA Certificates" if [ ".$algo" = .RSA ]; then cp -f $crtdir/ca.crt $crtdir/ca-rsa.crt cp -f $keydir/ca.key $keydir/ca-rsa.key else cp -f $crtdir/ca.crt $crtdir/ca-dsa.crt cp -f $keydir/ca.key $keydir/ca-dsa.key fi echo $LINE_SEP becho "STEP 4: Enrypting $algo private key of CA with a pass phrase for\c" becho " security [ca.key]" desc_key_warning "ca.key" do_encrypt $keydir/ca.key } ## Some useful Definitions : LINE_SEP="________________________________________________________________________\n" ## ## Main (script starts here) ## # Check if the user has entered the required details : if [ $# -eq 0 ]; then Usage fi for opt do # If previous option needs an argument, assign it. if [ "x$prev" != "x" ]; then eval "$prev=\$opt" prev="" continue fi # Split out arguments case "$opt" in -*=*) arg=`echo "$opt" | sed 's/[-_a-zA-Z0-9]*=//'` ;; *) arg= ;; esac # Process arguments case "$opt" in --custom) type="custom" ;; --client) type="client" ;; --ca) type="ca" ;; --dummy) type="dummy" ;; --test) type="test" ;; --type=*) type="$arg" ;; --algo=*) algo="$arg" ;; --crt=*) crt="$arg" ;; --key=*) key="$arg" ;; --view) view=1 ;; * ) Usage exit 1 ;; esac done becho "SSL Certificate Generation Utility (mkcert.sh)" echo "Enter the Certificate(s) Location [$certdir] :\c" read ncertdir < /dev/tty if [ "x$ncertdir" != "x" ]; then certdir=$ncertdir fi if [ ! -d $certdir ]; then echo "\nERROR: [$certdir] not found." perr "Please enter a valid location and try again." fi crtdir="$certdir/conf/ssl.crt" keydir="$certdir/conf/ssl.key" # Check if the OPENSSL binary is available. if [ "x$openssl" = "x" ]; then for p in /usr/local/bin /usr/bin; do if test -f "$p/openssl"; then openssl="$p/openssl" break fi done if [ "x$openssl" = "x" ]; then perr "Could not find OPENSSL in the path !!." fi fi # View certificates. if [ ".$view" != . ]; then if [ -f "$crtdir/ca.crt" -a -f "$keydir/ca.key" ]; then echo "" becho "CA X.509 Certificate [ca.crt]" echo $LINE_SEP $openssl x509 -noout -text -in $crtdir/ca.crt echo "" if [ ".`$openssl x509 -noout -text -in $crtdir/ca.crt | \ grep 'Signature Algorithm' | grep -i RSA`" != . ]; then becho "CA RSA Private Key [ca.key]" echo $LINE_SEP $openssl rsa -noout -text -in $keydir/ca.key else becho "CA DSA Private Key [ca.key]" echo $LINE_SEP $openssl dsa -noout -text -in $keydir/ca.key fi else echo "" echo "NO CA Certificate found in the directory specified !!." fi if [ -f "$crtdir/server.crt" -a -f "$keydir/server.key" ]; then echo "" echo "${BB}Server X.509 Certificate${BE} [server.crt]" echo $LINE_SEP $openssl x509 -noout -text -in $crtdir/server.crt echo "" if [ ".`$openssl x509 -noout -text -in $crtdir/server.crt | \ grep 'Signature Algorithm' | grep -i RSA`" != . ]; then becho "Server RSA Private Key [server.key]" echo $LINE_SEP $openssl rsa -noout -text -in $keydir/server.key else becho "Server DSA Private Key [server.key]" echo $LINE_SEP $openssl dsa -noout -text -in $keydir/server.key fi else echo "" echo "NO Server Certificate found in the directory specified !!." fi if [ -f "$crtdir/client.crt" -a -f "$keydir/client.key" ]; then echo "" echo "${BB}Client X.509 Certificate${BE} [client.crt]" echo $LINE_SEP $openssl x509 -noout -text -in $crtdir/client.crt echo "" if [ ".`$openssl x509 -noout -text -in $crtdir/client.crt | \ grep 'Signature Algorithm' | grep -i RSA`" != . ]; then becho "Client RSA Private Key [client.key]" echo $LINE_SEP $openssl rsa -noout -text -in $keydir/client.key else becho "Client DSA Private Key [client.key]" echo $LINE_SEP $openssl dsa -noout -text -in $keydir/client.key fi else echo "" echo "NO Client Certificate found in the directory specified !!." fi exit 0 fi # Create the directories if required. if [ ! -d $crtdir ]; then echo "Creating Certificates directory [$crtdir]" mkdir -p $crtdir fi if [ ! -d $keydir ]; then echo "Creating keys directory [$crtdir]" mkdir -p $keydir fi # Find random files and initialize the RANDFILE environment variable randfiles='' for file in /var/log/messages /var/adm/messages /var/log/system.log \ /var/wtmp /etc/hosts /etc/group /etc/resolv.conf /bin/ls; do if [ -r $file ]; then if [ ".$randfiles" = . ]; then randfiles="$file" else randfiles="${randfiles}:$file" fi fi done if [ -f $HOME/.rnd ]; then RANDFILE="$HOME/.rnd" else RANDFILE=".mkcert.rnd" (ps; date) >$RANDFILE fi export RANDFILE # Extract parameters case "x$type" in x ) type=test ;; esac case "x$algo" in xRSA|xrsa ) algo=RSA ;; xDSA|xdsa ) algo=DSA ;; x ) algo=choose ;; * ) perr "Unknown algorithm \'$algo' (use RSA or DSA!)" ;; esac # Processing case $type in dummy) echo "" becho "Generating self-signed Snake Oil certificate [DUMMY]" echo $LINE_SEP if [ ".$algo" = .choose ]; then algo=RSA fi if [ ".$algo" = .RSA ]; then if [ ! -f "$crtdir/server-rsa.crt" -a ! -f "$keydir/server-rsa.key" ]; then echo "" echo "There are no dummy certificates loaded on your system." echo "You can create certificates using the --custom option." exit 1 fi cp $crtdir/server-rsa.crt $crtdir/server.crt (umask 077; cp $keydir/server-rsa.key $keydir/server.key) else if [ ! -f "$crtdir/server-dsa.crt" -a ! -f "$keydir/server-dsa.key" ]; then echo "" echo "There are no dummy certificates loaded on your system." echo "You can create certificates using the --custom option." exit 1 fi cp $crtdir/server-dsa.crt $crtdir/server.crt (umask 077; cp $keydir/server-dsa.key $keydir/server.key) fi becho "RESULT: Server Certification Files" desc_server_certificate echo "WARNING: Do not use this for real-life/production systems" echo "" ;; ca) get_algorithm gen_custom_ca ;; test) echo "" becho "Generating test certificate signed by Snake Oil CA [TEST]" echo "WARNING: Do not use this for real-life/production systems" get_algorithm echo $LINE_SEP becho "STEP 1: Generating $algo private key(1024 bit) [server.key]" gen_random_key $keydir/server.key $keydir/ca-dsa.prm echo $LINE_SEP becho "STEP 2: Generating X.509 certificate signing request [server.csr]" get_server_csr gen_certificate_request $keydir/server.key $crtdir/server.csr echo $LINE_SEP becho "STEP 3: Generating X.509 certificate signed by Snake Oil CA\c" becho " [server.crt]" if [ ".$certversion" = .3 -o ".$certversion" = . ]; then extfile="-extfile .mkcert.cfg" cat >.mkcert.cfg <<EOT extensions = x509v3 [ x509v3 ] subjectAltName = email:copy nsComment = "mod_ssl generated test server certificate" nsCertType = server EOT fi gen_certificate $crtdir/server.csr $crtdir/server.crt do_verify $crtdir/server.crt $keydir/server.key echo "Verify: matching certificate signature" if [ ".$algo" = .RSA ]; then $openssl verify -CAfile $crtdir/ca-rsa.crt $crtdir/server.crt else $openssl verify -CAfile $crtdir/ca-dsa.crt $crtdir/server.crt fi if [ $? -ne 0 ]; then perr "MKCERT:Failed to verify signature on resulting X.509 certificate" fi echo $LINE_SEP becho "STEP 4: Enrypting $algo private key with a pass phrase for\c" becho " security [server.key]" desc_key_warning "server.key" do_encrypt $keydir/server.key echo $LINE_SEP becho "RESULT: Server Certification Files" desc_server_certificate echo "" becho "o $crtdir/server.csr" echo " The PEM-encoded X.509 certificate signing request file which" echo " you can send to an official Certificate Authority (CA) in order" echo " to request a real server certificate (signed by this CA instead" echo " of our demonstration-only Snake Oil CA) which later can replace" echo " the $crtdir/server.crt file." echo "" echo "WARNING: Do not use this for real-life/production systems" echo "" ;; custom) get_algorithm gen_custom_ca echo $LINE_SEP becho "STEP 5: Generating $algo private key for SERVER (1024 bit)\c" becho " [server.key]" gen_random_key $keydir/server.key $keydir/ca.prm echo $LINE_SEP becho "STEP 6: Generating X.509 certificate signing request for SERVER\c" becho " [server.csr]" get_server_csr gen_certificate_request $keydir/server.key $crtdir/server.csr echo $LINE_SEP becho "STEP 7: Generating X.509 certificate signed by own CA [server.crt]" if [ ".$certversion" = .3 -o ".$certversion" = . ]; then extfile="-extfile .mkcert.cfg" cat >.mkcert.cfg <<EOT extensions = x509v3 [ x509v3 ] subjectAltName = email:copy nsComment = "mod_ssl generated custom server certificate" nsCertType = server EOT fi gen_certificate $crtdir/server.csr $crtdir/server.crt do_verify $crtdir/server.crt $keydir/server.key echo "Verify: matching certificate signature" $openssl verify -CAfile $crtdir/ca.crt $crtdir/server.crt if [ $? -ne 0 ]; then perr "MKCERT:Failed to verify signature on resulting X.509 certificate" fi echo $LINE_SEP becho "STEP 8: Enrypting $algo private key of SERVER with a pass phrase\c" becho " for security [server.key]" desc_key_warning "server.key" do_encrypt $keydir/server.key echo $LINE_SEP becho "RESULT: CA and Server Certification Files" desc_ca_certificate desc_server_certificate becho "o $crtdir/server.csr" echo " The PEM-encoded X.509 certificate signing request of the server" echo " file which you can send to an official Certificate Authority (CA)" echo " in order to request a real server certificate (signed by this CA" echo " instead of our own CA) which later can replace the" echo " $crtdir/server.crt file." echo "" echo "Congratulations that you establish your server with real certificates" echo "" ;; client) get_algorithm if [ ! -f "$crtdir/ca.crt" -a ! -f "$keydir/ca.key" ]; then becho "There are no CA certificates in the location specified" while [ 1 ]; do becho dummy | awk '{ printf("Do you want to create now [Y/n]: "); }' read rc if [ ".$rc" = .n -o ".$rc" = .N ]; then rc="n" break fi if [ ".$rc" = .y -o ".$rc" = .Y -o ".$rc" = . ]; then rc="y" break fi done if [ ".$rc" = .y ]; then gen_custom_ca echo "" echo "Continuing... " echo "" else perr "Sorry.. You can create client certficates without CA cert." fi fi echo $LINE_SEP becho "STEP 1: Generating $algo private key for CLIENT (1024 bit)\c" becho " [client.key]" gen_random_key $keydir/client.key $keydir/ca.prm echo $LINE_SEP becho "STEP 2: Generating X.509 certificate signing request for CLIENT\c" becho " [client.csr]" get_client_csr gen_certificate_request $keydir/client.key $crtdir/client.csr echo $LINE_SEP becho "STEP 3: Generating X.509 certificate signed by own CA [client.crt]" if [ ".$certversion" = .3 -o ".$certversion" = . ]; then extfile="-extfile .mkcert.cfg" cat >.mkcert.cfg <<EOT extensions = x509v3 [ x509v3 ] subjectAltName = email:copy nsComment = "mod_ssl generated custom client certificate" nsCertType = client keyUsage = digitalSignature EOT fi gen_certificate $crtdir/client.csr $crtdir/client.crt do_verify $crtdir/client.crt $keydir/client.key echo "Verify: matching certificate signature" $openssl verify -CAfile $crtdir/ca.crt $crtdir/client.crt if [ $? -ne 0 ]; then perr "MKCERT:Failed to verify signature on resulting X.509 certificate" fi echo $LINE_SEP becho "STEP 4: Enrypting $algo private key of SERVER with a pass phrase\c" becho " for security [client.key]" desc_key_warning "client.key" do_encrypt $keydir/client.key echo $LINE_SEP becho "STEP 5: Creating a PKCS#12 format Client certificate file${BE}" $openssl pkcs12 -export -in $crtdir/client.crt -out $crtdir/client.p12 \ -inkey $keydir/client.key -name "My Client certificate" echo $LINE_SEP becho "RESULT: CA and Server Certification Files" echo "" becho "o $crtdir/client.key" echo " The PEM-encoded $algo private key file. KEEP THIS FILE PRIVATE!" echo "" becho "o $crtdir/client.crt" echo " The PEM-encoded X.509 certificate file" echo "" becho "o $crtdir/client.p12" echo " The PKCS#12 encoded Client certificate file. This file can be" echo " used to install the client certificate on programs including " echo " Netscape and MSIE." echo "" ;; esac ##EOF##