#!/bin/sh # OpenVPN -- An application to securely tunnel IP networks # over a single TCP/UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2010 OpenVPN Technologies, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program (see the file COPYING included with this # distribution); if not, write to the Free Software Foundation, Inc., # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # pkitool is a front-end for the openssl tool. # Calling scripts can set the certificate organizational # unit with the KEY_OU environmental variable. # Calling scripts can also set the KEY_NAME environmental # variable to set the "name" X509 subject field. PROGNAME=pkitool VERSION=2.0 DEBUG=0 die() { local m="$1" echo "$m" >&2 exit 1 } need_vars() { cat < root certificate (--ca) ca.key -> root key, keep secure (not directly used by OpenVPN) .crt files -> client/server certificates (--cert) .key files -> private keys, keep secure (--key) .csr files -> certificate signing request (not directly used by OpenVPN) dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh) Examples: $PROGNAME --initca -> Build root certificate $PROGNAME --initca --pass -> Build root certificate with password-protected key $PROGNAME --server server1 -> Build "server1" certificate/key $PROGNAME client1 -> Build "client1" certificate/key $PROGNAME --pass client2 -> Build password-protected "client2" certificate/key $PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format $PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA $PROGNAME --sign client4 -> Sign "client4" CSR $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key Also see ./inherit-inter script. $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5 -> Build "client5" certificate/key in PKCS#11 token Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. Protect client2 key with a password. Build DH parms. Generated files in ./keys : [edit vars with your site-specific info] source ./vars ./clean-all ./build-dh -> takes a long time, consider backgrounding ./$PROGNAME --initca ./$PROGNAME --server myserver ./$PROGNAME client1 ./$PROGNAME --pass client2 Typical usage for adding client cert to existing PKI: source ./vars ./$PROGNAME client-new EOM } # Set tool defaults [ -n "$OPENSSL" ] || export OPENSSL="openssl" [ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool" [ -n "$GREP" ] || export GREP="grep" # Set defaults DO_REQ="1" REQ_EXT="" DO_CA="1" CA_EXT="" DO_P12="0" DO_P11="0" DO_ROOT="0" NODES_REQ="-nodes" NODES_P12="" BATCH="-batch" CA="ca" # must be set or errors of openssl.cnf PKCS11_MODULE_PATH="dummy" PKCS11_PIN="dummy" # Process options while [ $# -gt 0 ]; do case "$1" in --keysize ) KEY_SIZE=$2 shift;; --server ) REQ_EXT="$REQ_EXT -extensions server" CA_EXT="$CA_EXT -extensions server" ;; --batch ) BATCH="-batch" ;; --interact ) BATCH="" ;; --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; --initca ) DO_ROOT="1" ;; --pass ) NODES_REQ="" ;; --csr ) DO_CA="0" ;; --sign ) DO_REQ="0" ;; --pkcs12 ) DO_P12="1" ;; --pkcs11 ) DO_P11="1" PKCS11_MODULE_PATH="$2" PKCS11_SLOT="$3" PKCS11_ID="$4" PKCS11_LABEL="$5" shift 4;; # standalone --pkcs11-init) PKCS11_MODULE_PATH="$2" PKCS11_SLOT="$3" PKCS11_LABEL="$4" if [ -z "$PKCS11_LABEL" ]; then die "Please specify library name, slot and label" fi $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ --label "$PKCS11_LABEL" && $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" exit $?;; --pkcs11-slots) PKCS11_MODULE_PATH="$2" if [ -z "$PKCS11_MODULE_PATH" ]; then die "Please specify library name" fi $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots exit 0;; --pkcs11-objects) PKCS11_MODULE_PATH="$2" PKCS11_SLOT="$3" if [ -z "$PKCS11_SLOT" ]; then die "Please specify library name and slot" fi $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" exit 0;; --help|--usage) usage exit ;; --version) echo "$PROGNAME $VERSION" exit ;; # errors --* ) die "$PROGNAME: unknown option: $1" ;; * ) break ;; esac shift done if ! [ -z "$BATCH" ]; then if $OPENSSL version | grep 0.9.6 > /dev/null; then die "Batch mode is unsupported in openssl<0.9.7" fi fi if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then die "PKCS#11 and PKCS#12 cannot be specified together" fi if [ $DO_P11 -eq 1 ]; then if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then die "Please edit $KEY_CONFIG and setup PKCS#11 engine" fi fi # If we are generating pkcs12, only encrypt the final step if [ $DO_P12 -eq 1 ]; then NODES_P12="$NODES_REQ" NODES_REQ="-nodes" fi if [ $DO_P11 -eq 1 ]; then if [ -z "$PKCS11_LABEL" ]; then die "PKCS#11 arguments incomplete" fi fi # If undefined, set default key expiration intervals if [ -z "$KEY_EXPIRE" ]; then KEY_EXPIRE=3650 fi if [ -z "$CA_EXPIRE" ]; then CA_EXPIRE=3650 fi # Set organizational unit to empty string if undefined if [ -z "$KEY_OU" ]; then KEY_OU="" fi # Set X509 Name string to empty string if undefined if [ -z "$KEY_NAME" ]; then KEY_NAME="" fi # Set KEY_CN, FN if [ $DO_ROOT -eq 1 ]; then if [ -z "$KEY_CN" ]; then if [ "$1" ]; then KEY_CN="$1" KEY_ALTNAMES="DNS:${KEY_CN}" elif [ "$KEY_ORG" ]; then KEY_CN="$KEY_ORG CA" KEY_ALTNAMES="$KEY_CN" fi fi if [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using CA Common Name:" "$KEY_CN" KEY_ALTNAMES="$KEY_CN" fi FN="$KEY_CN" elif [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using Common Name:" "$KEY_CN" KEY_ALTNAMES="$KEY_CN" FN="$KEY_CN" if [ "$1" ]; then FN="$1" fi else KEY_CN="$1" KEY_ALTNAMES="DNS:$1" shift while [ "x$1" != "x" ] do KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1" shift done FN="$KEY_CN" fi export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES # Show parameters (debugging) if [ $DEBUG -eq 1 ]; then echo DO_REQ $DO_REQ echo REQ_EXT $REQ_EXT echo DO_CA $DO_CA echo CA_EXT $CA_EXT echo NODES_REQ $NODES_REQ echo NODES_P12 $NODES_P12 echo DO_P12 $DO_P12 echo KEY_CN $KEY_CN echo KEY_ALTNAMES $KEY_ALTNAMES echo BATCH $BATCH echo DO_ROOT $DO_ROOT echo KEY_EXPIRE $KEY_EXPIRE echo CA_EXPIRE $CA_EXPIRE echo KEY_OU $KEY_OU echo KEY_NAME $KEY_NAME echo DO_P11 $DO_P11 echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH echo PKCS11_SLOT $PKCS11_SLOT echo PKCS11_ID $PKCS11_ID echo PKCS11_LABEL $PKCS11_LABEL fi # Make sure ./vars was sourced beforehand if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then cd "$KEY_DIR" # Make sure $KEY_CONFIG points to the correct version # of openssl.cnf if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then : else echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" echo "version of openssl.cnf: $KEY_CONFIG" echo "The correct version should have a comment that says: easy-rsa version 2.x"; exit 1; fi # Build root CA if [ $DO_ROOT -eq 1 ]; then $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ chmod 0600 "$CA.key" else # Make sure CA key/cert is available if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" echo "Try $PROGNAME --initca to build a root certificate/key." exit 1 fi fi # Generate key for PKCS#11 token PKCS11_ARGS= if [ $DO_P11 -eq 1 ]; then stty -echo echo -n "User PIN: " read -r PKCS11_PIN stty echo export PKCS11_PIN echo "Generating key pair on PKCS#11 token..." $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ --login --pin "$PKCS11_PIN" \ --key-type rsa:1024 \ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" fi # Build cert/key ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH $NODES_REQ -new -newkey rsa:$KEY_SIZE \ -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) # Load certificate into PKCS#11 token if [ $DO_P11 -eq 1 ]; then $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ --login --pin "$PKCS11_PIN" \ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" [ -e "$FN.crt.der" ]; rm "$FN.crt.der" fi fi # Need definitions else need_vars fi