Okay.. here's a more refined version of the script - including features for
client / ca certificate generation.. I've tried to keep it simple and
modular - pl. let me know if you have any feedback..
-Madhu
-----Original Message-----
From: Gomez Henri [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 3:30 PM
To: MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
Cc: '[EMAIL PROTECTED]'
Subject: RE: SSL and certficates script
En réponse à "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)"
<[EMAIL PROTECTED]>:
> The script is pretty similar to what we had for Apache 1.3.x.. You can
> get
> the usage details by "./mkcert.sh --help".. Pl. do let me know if the
> Usage
> details provided are not sufficient - I'll try to put in more details
> there..
I just want to say that this script is a SUPERB tool and everything
is present to have the graal of SSL certs.
We need a tool to generate :
1) a custom CA cert
2) custom server certs signed with that CA
3) client (browser) certs signed all with that CA
What will give Apache 2.0 a decent simple "PKI" and which will
be very usefull for small companies...
> The creation of a self-signed CA and a certificate are both linked
> together
> - it can be created by "./mkcert.sh --custom" or "./mkcert.sh
> --type=custom"..
>
> Did you want to just create the self-signed CA certificate only, and
> NOT
> the
> server certificate ?.. If yes, then it's not possible with the current
> script.. I'm trying to make it more modular, so that you can have a
> mix-n-match of the functions..
> Also, I've changed the layout of the files to a certain extent - the
> .csr
> files now go into the conf/ssl.crt/ directory itself -if this is not
> okay, I
> can change it back to go to conf/ssl.csr/
The scripts I sent previously included code to generate the client
cert (PKCS12 format). I feel you have now everything to give AP2.0
its own little Cert Agency :)))))
Hope you could do that for us :)
-
Henri Gomez ___[_]____
EMAIL : [EMAIL PROTECTED] (. .)
PGP KEY : 697ECEDD ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
#!/bin/sh
##
## mkcert.sh -- SSL Certificate Generation Utility
##
export certdir=/opt/apache2s
export PATH=$certdir/ssl/bin:$PATH
## Some local variables used
openssl=`whence openssl`
type=
algo=
crt=
key=
view=
## Terminal Sequences
case $TERM in
xterm|xterm*|vt220|vt220*)
BB=`echo dummy | awk '{ printf("%c%c%c%c", 27, 91, 49, 109); }'`
BE=`echo dummy | awk '{ printf("%c%c%c", 27, 91, 109); }'`
;;
vt100|vt100*)
BB=`echo dummy | awk '{ printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }'`
BE=`echo dummy | awk '{ printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }'`
;;
default)
BB=''
BE=''
;;
esac
## Utility Functions :
function Usage
{
echo "+---------------------------------------------------------------------+";
echo "| |";
echo "| USAGE |";
echo "| |";
echo "| Before you use the mod_ssl you should prepare the SSL certificate |";
echo "| system by running the 'mkcert.sh' command. |";
echo "| For different situations the following variants are provided: |";
echo "| |";
echo "| To view a certificate (displays the generated data) |";
echo "| % mkcert.sh --view |";
echo "| |";
echo "| To generate a Client certificate (signed by own CA) |";
echo "| % mkcert.sh --client |";
echo "| |";
echo "| To generate a custom CA certificate |";
echo "| % mkcert.sh --ca |";
echo "| |";
echo "| To generate a custom certificate (signed by own CA) |";
echo "| % mkcert.sh --custom |";
echo "| |";
echo "| To generate a dummy certificate (dummy self-signed Snake Oil cert) |";
echo "| % mkcert.sh --dummy |";
echo "| |";
echo "| To generate a test certificate (test self-signed Snake Oil CA) |";
echo "| % mkcert.sh --test |";
echo "| |";
echo "| Use type=dummy when you're a vendor package maintainer, |";
echo "| the type=test when you're an admin but want to do tests only, |";
echo "| the type=custom when you're an admin willing to run a real server |";
echo "| (The default is type=test) |";
echo "| |";
echo "| Additionally add --algo=RSA (default) or --algo=DSA to select |";
echo "| the signature algorithm used for the generated certificate. |";
echo "| |";
echo "| Thanks for using Apache |";
echo "+---------------------------------------------------------------------+";
exit 0
}
function becho
{
echo "${BB}$1${BE}"
}
function perr
{
echo "${BB}$1${BE}" 1>&2
exit 1
}
function desc_key_warning
{
echo "The contents of the $1 file (the generated private key) has"
echo "to be kept secret. So we strongly recommend you to encrypt the"
echo "$1 file with a Triple-DES cipher and a Pass Phrase."
}
function desc_dsa_warning
{
echo ""
echo "${BB}WARNING!${BE} You're generating DSA based certificate/key"
echo " pairs. This implies that RSA based ciphers won't be"
echo " available later, which for your web server currently"
echo " still means that mostly all popular web browsers cannot"
echo " connect to it. At least not until you also generate an"
echo " additional RSA based certificate/key pair and configure"
echo " them in parallel."
}
function desc_server_certificate
{
echo ""
becho "o $keydir/server.key"
echo " The PEM-encoded $algo private key file which you configure"
echo " with the 'SSLCertificateKeyFile' directive (automatically done"
echo " when you install via APACI). ${BB}KEEP THIS FILE PRIVATE!${BE}"
echo ""
becho "o $crtdir/server.crt"
echo " The PEM-encoded X.509 certificate file which you configure"
echo " with the 'SSLCertificateFile' directive (automatically done"
echo " when you install via APACI)."
echo ""
}
function desc_ca_certificate
{
echo ""
becho "o $keydir/ca.key"
echo " The PEM-encoded $algo private key file of the CA which you can"
echo " use to sign other servers or clients.\c"
becho " KEEP THIS FILE PRIVATE!"
echo ""
becho "o $crtdir/ca.crt"
echo " The PEM-encoded X.509 certificate file of the CA which you use"
echo " to sign other servers or clients. When you sign clients with it"
echo " (for SSL client authentication) you can configure this file with"
echo " the 'SSLCACertificateFile' directive."
}
function get_ca_csr
{
cat >.mkcert.cfg <<EOT
[ req ]
default_bits = 1024
distinguished_name = req_DN
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = XY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
stateOrProvinceName_default = Snake Desert
localityName = "3. Locality Name (eg, city) "
localityName_default = Snake Town
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Snake Oil, Ltd
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = Certificate Authority
commonName = "6. Common Name (eg, CA name) "
commonName_max = 64
commonName_default = Snake Oil CA
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = [EMAIL PROTECTED]
EOT
}
function get_server_csr
{
cat >.mkcert.cfg <<EOT
[ req ]
default_bits = 1024
distinguished_name = req_DN
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = XY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
stateOrProvinceName_default = Snake Desert
localityName = "3. Locality Name (eg, city) "
localityName_default = Snake Town
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Snake Oil, Ltd
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = Webserver Team
commonName = "6. Common Name (eg, FQDN) "
commonName_max = 64
commonName_default = www.snakeoil.dom
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = [EMAIL PROTECTED]
EOT
}
function get_client_csr
{
cat >.mkcert.cfg <<EOT
[ req ]
default_bits = 1024
distinguished_name = req_DN
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
stateOrProvinceName_default = State
localityName = "3. Locality Name (eg, city) "
localityName_default = City
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Company Name
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = Webserver Team
commonName = "6. Common Name (eg, FQDN) "
commonName_max = 64
commonName_default = Username
emailAddress = "7. Email Address (eg, name@fqdn)"
emailAddress_max = 40
emailAddress_default = [EMAIL PROTECTED]
EOT
}
function do_encrypt
{
while [ 1 ]; do
echo dummy | awk '{ printf("Encrypt the private key now? [Y/n]: "); }'
read rc
if [ ".$rc" = .n -o ".$rc" = .N ]; then
rc="n"
break
fi
if [ ".$rc" = .y -o ".$rc" = .Y -o ".$rc" = . ]; then
rc="y"
break
fi
done
if [ ".$rc" = .y ]; then
if [ ".$algo" = .RSA ]; then
(umask 077; $openssl rsa -des3 -in $1 -out $1.crypt)
else
(umask 077; $openssl dsa -des3 -in $1 -out $1.crypt)
fi
if [ $? -ne 0 ]; then
perr "MKCERT: Failed to encrypt $algo private key"
fi
(umask 077; cp $1.crypt $1)
rm -f $1.crypt
echo "Fine, you're using an encrypted $algo private key."
else
echo "Warning, you're using an unencrypted $algo private key."
echo "Please notice this fact and do this on your own risk."
fi
}
function do_verify
{
echo "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $1 | sed -e 's;.*Modulus=;;'`
if [ ".$algo" = .RSA ]; then
modkey=`$openssl rsa -noout -modulus -in $2 | sed -e 's;.*Modulus=;;'`
else
modkey=`$openssl dsa -noout -modulus -in $2 | sed -e 's;.*Key=;;'`
fi
if [ ".$modcrt" != ".$modkey" ]; then
perr "MKCERT: Failed to verify modulus on resulting X.509 certificate"
fi
}
function get_algorithm
{
if [ ".$algo" = .choose ]; then
echo $LINE_SEP
becho "STEP 0: Decide the signature algorithm used for certificates"
echo "The generated X.509 certificates can contain either"
echo "RSA or DSA based ingredients. Select the one you want to use."
def1=R def2=r def=RSA
prompt="Signature Algorithm ((R)SA or (D)SA) [$def1]:"
while [ 1 ]; do
echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
read algo
if [ ".$algo" = ".$def1" -o ".$algo" = ".$def2" -o ".$algo" = . ];
then
algo=$def
break
elif [ ".$algo" = ".R" -o ".$algo" = ".r" ]; then
algo=RSA
break
elif [ ".$algo" = ".D" -o ".$algo" = ".d" ]; then
algo=DSA
break
else
becho "MKCERT: Invalid selection"
fi
done
fi
if [ ".$algo" = ".DSA" ]; then
desc_dsa_warning
fi
}
function gen_random_key
{
if [ ".$algo" = .RSA ]; then
if [ ".$randfiles" != . ]; then
$openssl genrsa -rand $randfiles -out $1 1024
else
$openssl genrsa -out $1 1024
fi
if [ $? -ne 0 ]; then
perr "MKCERT: Failed to generate RSA private key"
fi
else
echo "Generating DSA private key:"
if [ ".$3" != "." ]; then
if [ ".$randfiles" != . ]; then
$openssl dsaparam -rand $randfiles -out $2 1024
else
$openssl dsaparam -out $keydir/ca.prm 1024
fi
fi
if [ ".$randfiles" != . ]; then
(umask 077; $openssl gendsa -rand $randfiles -out $1 $2)
else
(umask 077; $openssl gendsa -out $1 $2)
fi
if [ $? -ne 0 ]; then
perr "MKCERT: Failed to generate DSA private key"
fi
fi
}
function gen_certificate_request
{
$openssl req -config .mkcert.cfg -new -key $1 -out $2
if [ $? -ne 0 ]; then
perr "MKCERT: Failed to generate certificate signing request"
fi
rm -f .mkcert.cfg
prompt="8. Certificate Validity (days) [365]:"
echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
read days
if [ ".$days" = . ]; then
days=365
fi
echo dummy | \
awk '{ printf("%s", prompt); }' "prompt=Certificate Version (1 or 3) [3]:"
read certversion
extfile=""
}
function gen_certificate
{
if [ ! -f .mkcert.serial ]; then
echo '01' >.mkcert.serial
fi
if [ ".$algo" = .RSA ]; then
$openssl x509 $extfile -days $days -CAserial .mkcert.serial \
-CA $crtdir/ca.crt -CAkey $keydir/ca.key \
-in $1 -req -out $2
else
$openssl x509 $extfile -days $days -CAserial .mkcert.serial \
-CA $crtdir/ca-dsa.crt -CAkey $keydir/ca-dsa.key \
-in $1 -req -out $2
fi
if [ $? -ne 0 ]; then
perr "MKCERT: Failed to generate X.509 certificate"
fi
rm -f .mkcert.cfg
}
function gen_custom_ca
{
echo $LINE_SEP
becho "STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]"
gen_random_key $keydir/ca.key $keydir/ca.prm TRUE
echo $LINE_SEP
becho "STEP 2: Generating X.509 certificate signing request for CA [ca.csr]"
get_ca_csr
gen_certificate_request $keydir/ca.key $crtdir/ca.csr
echo $LINE_SEP
becho "STEP 3: Generating X.509 certificate for CA signed by self [ca.crt]"
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
extfile="-extfile .mkcert.cfg"
cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
basicConstraints = CA:true,pathlen:0
nsComment = "mod_ssl generated custom CA certificate"
nsCertType = sslCA
EOT
fi
$openssl x509 $extfile -days $days -signkey $keydir/ca.key \
-in $crtdir/ca.csr -req -out $crtdir/ca.crt
if [ $? -ne 0 ]; then
perr "MKCERT: Failed to generate self-signed CA certificate"
fi
rm -f .mkcert.cfg
do_verify $crtdir/ca.crt $keydir/ca.key
echo "Verify: matching certificate signature"
$openssl verify $crtdir/ca.crt
if [ $? -ne 0 ]; then
perr "MKCERT:Failed to verify signature on resulting X.509 certificate"
fi
echo "Saving the CA Certificates"
if [ ".$algo" = .RSA ]; then
cp -f $crtdir/ca.crt $crtdir/ca-rsa.crt
cp -f $keydir/ca.key $keydir/ca-rsa.key
else
cp -f $crtdir/ca.crt $crtdir/ca-dsa.crt
cp -f $keydir/ca.key $keydir/ca-dsa.key
fi
echo $LINE_SEP
becho "STEP 4: Enrypting $algo private key of CA with a pass phrase for\c"
becho " security [ca.key]"
desc_key_warning "ca.key"
do_encrypt $keydir/ca.key
}
## Some useful Definitions :
LINE_SEP="________________________________________________________________________\n"
##
## Main (script starts here)
##
# Check if the user has entered the required details :
if [ $# -eq 0 ]; then
Usage
fi
for opt
do
# If previous option needs an argument, assign it.
if [ "x$prev" != "x" ]; then
eval "$prev=\$opt"
prev=""
continue
fi
# Split out arguments
case "$opt" in
-*=*) arg=`echo "$opt" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) arg= ;;
esac
# Process arguments
case "$opt" in
--custom) type="custom" ;;
--client) type="client" ;;
--ca) type="ca" ;;
--dummy) type="dummy" ;;
--test) type="test" ;;
--type=*) type="$arg" ;;
--algo=*) algo="$arg" ;;
--crt=*) crt="$arg" ;;
--key=*) key="$arg" ;;
--view) view=1 ;;
* )
Usage
exit 1
;;
esac
done
becho "SSL Certificate Generation Utility (mkcert.sh)"
echo "Enter the Certificate(s) Location [$certdir] :\c"
read ncertdir < /dev/tty
if [ "x$ncertdir" != "x" ]; then
certdir=$ncertdir
fi
if [ ! -d $certdir ]; then
echo "\nERROR: [$certdir] not found."
perr "Please enter a valid location and try again."
fi
crtdir="$certdir/conf/ssl.crt"
keydir="$certdir/conf/ssl.key"
# Check if the OPENSSL binary is available.
if [ "x$openssl" = "x" ]; then
for p in /usr/local/bin /usr/bin; do
if test -f "$p/openssl"; then
openssl="$p/openssl"
break
fi
done
if [ "x$openssl" = "x" ]; then
perr "Could not find OPENSSL in the path !!."
fi
fi
# View certificates.
if [ ".$view" != . ]; then
if [ -f "$crtdir/ca.crt" -a -f "$keydir/ca.key" ]; then
echo ""
becho "CA X.509 Certificate [ca.crt]"
echo $LINE_SEP
$openssl x509 -noout -text -in $crtdir/ca.crt
echo ""
if [ ".`$openssl x509 -noout -text -in $crtdir/ca.crt | \
grep 'Signature Algorithm' | grep -i RSA`" != . ]; then
becho "CA RSA Private Key [ca.key]"
echo $LINE_SEP
$openssl rsa -noout -text -in $keydir/ca.key
else
becho "CA DSA Private Key [ca.key]"
echo $LINE_SEP
$openssl dsa -noout -text -in $keydir/ca.key
fi
else
echo ""
echo "NO CA Certificate found in the directory specified !!."
fi
if [ -f "$crtdir/server.crt" -a -f "$keydir/server.key" ]; then
echo ""
echo "${BB}Server X.509 Certificate${BE} [server.crt]"
echo $LINE_SEP
$openssl x509 -noout -text -in $crtdir/server.crt
echo ""
if [ ".`$openssl x509 -noout -text -in $crtdir/server.crt | \
grep 'Signature Algorithm' | grep -i RSA`" != . ]; then
becho "Server RSA Private Key [server.key]"
echo $LINE_SEP
$openssl rsa -noout -text -in $keydir/server.key
else
becho "Server DSA Private Key [server.key]"
echo $LINE_SEP
$openssl dsa -noout -text -in $keydir/server.key
fi
else
echo ""
echo "NO Server Certificate found in the directory specified !!."
fi
if [ -f "$crtdir/client.crt" -a -f "$keydir/client.key" ]; then
echo ""
echo "${BB}Client X.509 Certificate${BE} [client.crt]"
echo $LINE_SEP
$openssl x509 -noout -text -in $crtdir/client.crt
echo ""
if [ ".`$openssl x509 -noout -text -in $crtdir/client.crt | \
grep 'Signature Algorithm' | grep -i RSA`" != . ]; then
becho "Client RSA Private Key [client.key]"
echo $LINE_SEP
$openssl rsa -noout -text -in $keydir/client.key
else
becho "Client DSA Private Key [client.key]"
echo $LINE_SEP
$openssl dsa -noout -text -in $keydir/client.key
fi
else
echo ""
echo "NO Client Certificate found in the directory specified !!."
fi
exit 0
fi
# Create the directories if required.
if [ ! -d $crtdir ]; then
echo "Creating Certificates directory [$crtdir]"
mkdir -p $crtdir
fi
if [ ! -d $keydir ]; then
echo "Creating keys directory [$crtdir]"
mkdir -p $keydir
fi
# Find random files and initialize the RANDFILE environment variable
randfiles=''
for file in /var/log/messages /var/adm/messages /var/log/system.log \
/var/wtmp /etc/hosts /etc/group /etc/resolv.conf /bin/ls;
do
if [ -r $file ]; then
if [ ".$randfiles" = . ]; then
randfiles="$file"
else
randfiles="${randfiles}:$file"
fi
fi
done
if [ -f $HOME/.rnd ]; then
RANDFILE="$HOME/.rnd"
else
RANDFILE=".mkcert.rnd"
(ps; date) >$RANDFILE
fi
export RANDFILE
# Extract parameters
case "x$type" in
x ) type=test ;;
esac
case "x$algo" in
xRSA|xrsa )
algo=RSA
;;
xDSA|xdsa )
algo=DSA
;;
x )
algo=choose
;;
* ) perr "Unknown algorithm \'$algo' (use RSA or DSA!)"
;;
esac
# Processing
case $type in
dummy)
echo ""
becho "Generating self-signed Snake Oil certificate [DUMMY]"
echo $LINE_SEP
if [ ".$algo" = .choose ]; then
algo=RSA
fi
if [ ".$algo" = .RSA ]; then
if [ ! -f "$crtdir/server-rsa.crt" -a ! -f "$keydir/server-rsa.key" ];
then
echo ""
echo "There are no dummy certificates loaded on your system."
echo "You can create certificates using the --custom option."
exit 1
fi
cp $crtdir/server-rsa.crt $crtdir/server.crt
(umask 077; cp $keydir/server-rsa.key $keydir/server.key)
else
if [ ! -f "$crtdir/server-dsa.crt" -a ! -f "$keydir/server-dsa.key" ];
then
echo ""
echo "There are no dummy certificates loaded on your system."
echo "You can create certificates using the --custom option."
exit 1
fi
cp $crtdir/server-dsa.crt $crtdir/server.crt
(umask 077; cp $keydir/server-dsa.key $keydir/server.key)
fi
becho "RESULT: Server Certification Files"
desc_server_certificate
echo "WARNING: Do not use this for real-life/production systems"
echo ""
;;
ca)
get_algorithm
gen_custom_ca
;;
test)
echo ""
becho "Generating test certificate signed by Snake Oil CA [TEST]"
echo "WARNING: Do not use this for real-life/production systems"
get_algorithm
echo $LINE_SEP
becho "STEP 1: Generating $algo private key(1024 bit) [server.key]"
gen_random_key $keydir/server.key $keydir/ca-dsa.prm
echo $LINE_SEP
becho "STEP 2: Generating X.509 certificate signing request [server.csr]"
get_server_csr
gen_certificate_request $keydir/server.key $crtdir/server.csr
echo $LINE_SEP
becho "STEP 3: Generating X.509 certificate signed by Snake Oil CA\c"
becho " [server.crt]"
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
extfile="-extfile .mkcert.cfg"
cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
nsComment = "mod_ssl generated test server certificate"
nsCertType = server
EOT
fi
gen_certificate $crtdir/server.csr $crtdir/server.crt
do_verify $crtdir/server.crt $keydir/server.key
echo "Verify: matching certificate signature"
if [ ".$algo" = .RSA ]; then
$openssl verify -CAfile $crtdir/ca-rsa.crt $crtdir/server.crt
else
$openssl verify -CAfile $crtdir/ca-dsa.crt $crtdir/server.crt
fi
if [ $? -ne 0 ]; then
perr "MKCERT:Failed to verify signature on resulting X.509 certificate"
fi
echo $LINE_SEP
becho "STEP 4: Enrypting $algo private key with a pass phrase for\c"
becho " security [server.key]"
desc_key_warning "server.key"
do_encrypt $keydir/server.key
echo $LINE_SEP
becho "RESULT: Server Certification Files"
desc_server_certificate
echo ""
becho "o $crtdir/server.csr"
echo " The PEM-encoded X.509 certificate signing request file which"
echo " you can send to an official Certificate Authority (CA) in order"
echo " to request a real server certificate (signed by this CA instead"
echo " of our demonstration-only Snake Oil CA) which later can replace"
echo " the $crtdir/server.crt file."
echo ""
echo "WARNING: Do not use this for real-life/production systems"
echo ""
;;
custom)
get_algorithm
gen_custom_ca
echo $LINE_SEP
becho "STEP 5: Generating $algo private key for SERVER (1024 bit)\c"
becho " [server.key]"
gen_random_key $keydir/server.key $keydir/ca.prm
echo $LINE_SEP
becho "STEP 6: Generating X.509 certificate signing request for SERVER\c"
becho " [server.csr]"
get_server_csr
gen_certificate_request $keydir/server.key $crtdir/server.csr
echo $LINE_SEP
becho "STEP 7: Generating X.509 certificate signed by own CA [server.crt]"
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
extfile="-extfile .mkcert.cfg"
cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
nsComment = "mod_ssl generated custom server certificate"
nsCertType = server
EOT
fi
gen_certificate $crtdir/server.csr $crtdir/server.crt
do_verify $crtdir/server.crt $keydir/server.key
echo "Verify: matching certificate signature"
$openssl verify -CAfile $crtdir/ca.crt $crtdir/server.crt
if [ $? -ne 0 ]; then
perr "MKCERT:Failed to verify signature on resulting X.509 certificate"
fi
echo $LINE_SEP
becho "STEP 8: Enrypting $algo private key of SERVER with a pass phrase\c"
becho " for security [server.key]"
desc_key_warning "server.key"
do_encrypt $keydir/server.key
echo $LINE_SEP
becho "RESULT: CA and Server Certification Files"
desc_ca_certificate
desc_server_certificate
becho "o $crtdir/server.csr"
echo " The PEM-encoded X.509 certificate signing request of the server"
echo " file which you can send to an official Certificate Authority (CA)"
echo " in order to request a real server certificate (signed by this CA"
echo " instead of our own CA) which later can replace the"
echo " $crtdir/server.crt file."
echo ""
echo "Congratulations that you establish your server with real certificates"
echo ""
;;
client)
get_algorithm
if [ ! -f "$crtdir/ca.crt" -a ! -f "$keydir/ca.key" ]; then
becho "There are no CA certificates in the location specified"
while [ 1 ]; do
becho dummy | awk '{ printf("Do you want to create now [Y/n]: "); }'
read rc
if [ ".$rc" = .n -o ".$rc" = .N ]; then
rc="n"
break
fi
if [ ".$rc" = .y -o ".$rc" = .Y -o ".$rc" = . ]; then
rc="y"
break
fi
done
if [ ".$rc" = .y ]; then
gen_custom_ca
echo ""
echo "Continuing... "
echo ""
else
perr "Sorry.. You can create client certficates without CA cert."
fi
fi
echo $LINE_SEP
becho "STEP 1: Generating $algo private key for CLIENT (1024 bit)\c"
becho " [client.key]"
gen_random_key $keydir/client.key $keydir/ca.prm
echo $LINE_SEP
becho "STEP 2: Generating X.509 certificate signing request for CLIENT\c"
becho " [client.csr]"
get_client_csr
gen_certificate_request $keydir/client.key $crtdir/client.csr
echo $LINE_SEP
becho "STEP 3: Generating X.509 certificate signed by own CA [client.crt]"
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
extfile="-extfile .mkcert.cfg"
cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
nsComment = "mod_ssl generated custom client certificate"
nsCertType = client
keyUsage = digitalSignature
EOT
fi
gen_certificate $crtdir/client.csr $crtdir/client.crt
do_verify $crtdir/client.crt $keydir/client.key
echo "Verify: matching certificate signature"
$openssl verify -CAfile $crtdir/ca.crt $crtdir/client.crt
if [ $? -ne 0 ]; then
perr "MKCERT:Failed to verify signature on resulting X.509 certificate"
fi
echo $LINE_SEP
becho "STEP 4: Enrypting $algo private key of SERVER with a pass phrase\c"
becho " for security [client.key]"
desc_key_warning "client.key"
do_encrypt $keydir/client.key
echo $LINE_SEP
becho "STEP 5: Creating a PKCS#12 format Client certificate file${BE}"
$openssl pkcs12 -export -in $crtdir/client.crt -out $crtdir/client.p12 \
-inkey $keydir/client.key -name "My Client certificate"
echo $LINE_SEP
becho "RESULT: CA and Server Certification Files"
echo ""
becho "o $crtdir/client.key"
echo " The PEM-encoded $algo private key file. KEEP THIS FILE PRIVATE!"
echo ""
becho "o $crtdir/client.crt"
echo " The PEM-encoded X.509 certificate file"
echo ""
becho "o $crtdir/client.p12"
echo " The PKCS#12 encoded Client certificate file. This file can be"
echo " used to install the client certificate on programs including "
echo " Netscape and MSIE."
echo ""
;;
esac
##EOF##
