400 lines
13 KiB
Bash
Executable File
400 lines
13 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# OpenVPN -- An application to securely tunnel IP networks
|
|
# over a single TCP/UDP port, with support for SSL/TLS-based
|
|
# session authentication and key exchange,
|
|
# packet encryption, packet authentication, and
|
|
# packet compression.
|
|
#
|
|
# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License version 2
|
|
# as published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program (see the file COPYING included with this
|
|
# distribution); if not, write to the Free Software Foundation, Inc.,
|
|
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
# pkitool is a front-end for the openssl tool.
|
|
|
|
# Calling scripts can set the certificate organizational
|
|
# unit with the KEY_OU environmental variable.
|
|
|
|
# Calling scripts can also set the KEY_NAME environmental
|
|
# variable to set the "name" X509 subject field.
|
|
|
|
PROGNAME=pkitool
|
|
VERSION=2.0
|
|
DEBUG=0
|
|
|
|
die()
|
|
{
|
|
local m="$1"
|
|
|
|
echo "$m" >&2
|
|
exit 1
|
|
}
|
|
|
|
need_vars()
|
|
{
|
|
cat <<EOM
|
|
Please edit the vars script to reflect your configuration,
|
|
then source it with "source ./vars".
|
|
Next, to start with a fresh PKI configuration and to delete any
|
|
previous certificates and keys, run "./clean-all".
|
|
Finally, you can run this tool ($PROGNAME) to build certificates/keys.
|
|
EOM
|
|
}
|
|
|
|
usage()
|
|
{
|
|
cat <<EOM
|
|
$PROGNAME $VERSION
|
|
Usage: $PROGNAME [options...] [common-name]
|
|
|
|
Options:
|
|
--batch : batch mode (default)
|
|
--keysize : Set keysize
|
|
size : size (default=1024)
|
|
--interact : interactive mode
|
|
--server : build server cert
|
|
--initca : build root CA
|
|
--inter : build intermediate CA
|
|
--pass : encrypt private key with password
|
|
--csr : only generate a CSR, do not sign
|
|
--sign : sign an existing CSR
|
|
--pkcs12 : generate a combined PKCS#12 file
|
|
--pkcs11 : generate certificate on PKCS#11 token
|
|
lib : PKCS#11 library
|
|
slot : PKCS#11 slot
|
|
id : PKCS#11 object id (hex string)
|
|
label : PKCS#11 object label
|
|
|
|
Standalone options:
|
|
--pkcs11-slots : list PKCS#11 slots
|
|
lib : PKCS#11 library
|
|
--pkcs11-objects : list PKCS#11 token objects
|
|
lib : PKCS#11 library
|
|
slot : PKCS#11 slot
|
|
--pkcs11-init : initialize PKCS#11 token DANGEROUS!!!
|
|
lib : PKCS#11 library
|
|
slot : PKCS#11 slot
|
|
label : PKCS#11 token label
|
|
|
|
Notes:
|
|
EOM
|
|
need_vars
|
|
cat <<EOM
|
|
In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
|
|
|
|
Generated files and corresponding OpenVPN directives:
|
|
(Files will be placed in the \$KEY_DIR directory, defined in ./vars)
|
|
ca.crt -> root certificate (--ca)
|
|
ca.key -> root key, keep secure (not directly used by OpenVPN)
|
|
.crt files -> client/server certificates (--cert)
|
|
.key files -> private keys, keep secure (--key)
|
|
.csr files -> certificate signing request (not directly used by OpenVPN)
|
|
dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
|
|
|
|
Examples:
|
|
$PROGNAME --initca -> Build root certificate
|
|
$PROGNAME --initca --pass -> Build root certificate with password-protected key
|
|
$PROGNAME --server server1 -> Build "server1" certificate/key
|
|
$PROGNAME client1 -> Build "client1" certificate/key
|
|
$PROGNAME --pass client2 -> Build password-protected "client2" certificate/key
|
|
$PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format
|
|
$PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA
|
|
$PROGNAME --sign client4 -> Sign "client4" CSR
|
|
$PROGNAME --inter interca -> Build an intermediate key-signing certificate/key
|
|
Also see ./inherit-inter script.
|
|
$PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
|
|
-> Build "client5" certificate/key in PKCS#11 token
|
|
|
|
Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
|
|
Protect client2 key with a password. Build DH parms. Generated files in ./keys :
|
|
[edit vars with your site-specific info]
|
|
source ./vars
|
|
./clean-all
|
|
./build-dh -> takes a long time, consider backgrounding
|
|
./$PROGNAME --initca
|
|
./$PROGNAME --server myserver
|
|
./$PROGNAME client1
|
|
./$PROGNAME --pass client2
|
|
|
|
Typical usage for adding client cert to existing PKI:
|
|
source ./vars
|
|
./$PROGNAME client-new
|
|
EOM
|
|
}
|
|
|
|
# Set tool defaults
|
|
[ -n "$OPENSSL" ] || export OPENSSL="openssl"
|
|
[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
|
|
[ -n "$GREP" ] || export GREP="grep"
|
|
|
|
# Set defaults
|
|
DO_REQ="1"
|
|
REQ_EXT=""
|
|
DO_CA="1"
|
|
CA_EXT=""
|
|
DO_P12="0"
|
|
DO_P11="0"
|
|
DO_ROOT="0"
|
|
NODES_REQ="-nodes"
|
|
NODES_P12=""
|
|
BATCH="-batch"
|
|
CA="ca"
|
|
# must be set or errors of openssl.cnf
|
|
PKCS11_MODULE_PATH="dummy"
|
|
PKCS11_PIN="dummy"
|
|
|
|
# Process options
|
|
while [ $# -gt 0 ]; do
|
|
case "$1" in
|
|
--keysize ) KEY_SIZE=$2
|
|
shift;;
|
|
--server ) REQ_EXT="$REQ_EXT -extensions server"
|
|
CA_EXT="$CA_EXT -extensions server" ;;
|
|
--batch ) BATCH="-batch" ;;
|
|
--interact ) BATCH="" ;;
|
|
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
|
|
--initca ) DO_ROOT="1" ;;
|
|
--pass ) NODES_REQ="" ;;
|
|
--csr ) DO_CA="0" ;;
|
|
--sign ) DO_REQ="0" ;;
|
|
--pkcs12 ) DO_P12="1" ;;
|
|
--pkcs11 ) DO_P11="1"
|
|
PKCS11_MODULE_PATH="$2"
|
|
PKCS11_SLOT="$3"
|
|
PKCS11_ID="$4"
|
|
PKCS11_LABEL="$5"
|
|
shift 4;;
|
|
|
|
# standalone
|
|
--pkcs11-init)
|
|
PKCS11_MODULE_PATH="$2"
|
|
PKCS11_SLOT="$3"
|
|
PKCS11_LABEL="$4"
|
|
if [ -z "$PKCS11_LABEL" ]; then
|
|
die "Please specify library name, slot and label"
|
|
fi
|
|
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
|
|
--label "$PKCS11_LABEL" &&
|
|
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
|
|
exit $?;;
|
|
--pkcs11-slots)
|
|
PKCS11_MODULE_PATH="$2"
|
|
if [ -z "$PKCS11_MODULE_PATH" ]; then
|
|
die "Please specify library name"
|
|
fi
|
|
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
|
|
exit 0;;
|
|
--pkcs11-objects)
|
|
PKCS11_MODULE_PATH="$2"
|
|
PKCS11_SLOT="$3"
|
|
if [ -z "$PKCS11_SLOT" ]; then
|
|
die "Please specify library name and slot"
|
|
fi
|
|
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
|
|
exit 0;;
|
|
|
|
--help|--usage)
|
|
usage
|
|
exit ;;
|
|
--version)
|
|
echo "$PROGNAME $VERSION"
|
|
exit ;;
|
|
# errors
|
|
--* ) die "$PROGNAME: unknown option: $1" ;;
|
|
* ) break ;;
|
|
esac
|
|
shift
|
|
done
|
|
|
|
if ! [ -z "$BATCH" ]; then
|
|
if $OPENSSL version | grep 0.9.6 > /dev/null; then
|
|
die "Batch mode is unsupported in openssl<0.9.7"
|
|
fi
|
|
fi
|
|
|
|
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
|
|
die "PKCS#11 and PKCS#12 cannot be specified together"
|
|
fi
|
|
|
|
if [ $DO_P11 -eq 1 ]; then
|
|
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
|
|
die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
|
|
fi
|
|
fi
|
|
|
|
# If we are generating pkcs12, only encrypt the final step
|
|
if [ $DO_P12 -eq 1 ]; then
|
|
NODES_P12="$NODES_REQ"
|
|
NODES_REQ="-nodes"
|
|
fi
|
|
|
|
if [ $DO_P11 -eq 1 ]; then
|
|
if [ -z "$PKCS11_LABEL" ]; then
|
|
die "PKCS#11 arguments incomplete"
|
|
fi
|
|
fi
|
|
|
|
# If undefined, set default key expiration intervals
|
|
if [ -z "$KEY_EXPIRE" ]; then
|
|
KEY_EXPIRE=3650
|
|
fi
|
|
if [ -z "$CA_EXPIRE" ]; then
|
|
CA_EXPIRE=3650
|
|
fi
|
|
|
|
# Set organizational unit to empty string if undefined
|
|
if [ -z "$KEY_OU" ]; then
|
|
KEY_OU=""
|
|
fi
|
|
|
|
# Set X509 Name string to empty string if undefined
|
|
if [ -z "$KEY_NAME" ]; then
|
|
KEY_NAME=""
|
|
fi
|
|
|
|
# Set KEY_CN, FN
|
|
if [ $DO_ROOT -eq 1 ]; then
|
|
if [ -z "$KEY_CN" ]; then
|
|
if [ "$1" ]; then
|
|
KEY_CN="$1"
|
|
KEY_ALTNAMES="DNS:${KEY_CN}"
|
|
elif [ "$KEY_ORG" ]; then
|
|
KEY_CN="$KEY_ORG CA"
|
|
KEY_ALTNAMES="$KEY_CN"
|
|
fi
|
|
fi
|
|
if [ $BATCH ] && [ "$KEY_CN" ]; then
|
|
echo "Using CA Common Name:" "$KEY_CN"
|
|
KEY_ALTNAMES="$KEY_CN"
|
|
fi
|
|
FN="$KEY_CN"
|
|
elif [ $BATCH ] && [ "$KEY_CN" ]; then
|
|
echo "Using Common Name:" "$KEY_CN"
|
|
KEY_ALTNAMES="$KEY_CN"
|
|
FN="$KEY_CN"
|
|
if [ "$1" ]; then
|
|
FN="$1"
|
|
fi
|
|
else
|
|
KEY_CN="$1"
|
|
KEY_ALTNAMES="DNS:$1"
|
|
shift
|
|
while [ "x$1" != "x" ]
|
|
do
|
|
KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1"
|
|
shift
|
|
done
|
|
FN="$KEY_CN"
|
|
fi
|
|
|
|
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES
|
|
|
|
# Show parameters (debugging)
|
|
if [ $DEBUG -eq 1 ]; then
|
|
echo DO_REQ $DO_REQ
|
|
echo REQ_EXT $REQ_EXT
|
|
echo DO_CA $DO_CA
|
|
echo CA_EXT $CA_EXT
|
|
echo NODES_REQ $NODES_REQ
|
|
echo NODES_P12 $NODES_P12
|
|
echo DO_P12 $DO_P12
|
|
echo KEY_CN $KEY_CN
|
|
echo KEY_ALTNAMES $KEY_ALTNAMES
|
|
echo BATCH $BATCH
|
|
echo DO_ROOT $DO_ROOT
|
|
echo KEY_EXPIRE $KEY_EXPIRE
|
|
echo CA_EXPIRE $CA_EXPIRE
|
|
echo KEY_OU $KEY_OU
|
|
echo KEY_NAME $KEY_NAME
|
|
echo DO_P11 $DO_P11
|
|
echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
|
|
echo PKCS11_SLOT $PKCS11_SLOT
|
|
echo PKCS11_ID $PKCS11_ID
|
|
echo PKCS11_LABEL $PKCS11_LABEL
|
|
fi
|
|
|
|
# Make sure ./vars was sourced beforehand
|
|
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
|
|
cd "$KEY_DIR"
|
|
|
|
# Make sure $KEY_CONFIG points to the correct version
|
|
# of openssl.cnf
|
|
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
|
|
:
|
|
else
|
|
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
|
|
echo "version of openssl.cnf: $KEY_CONFIG"
|
|
echo "The correct version should have a comment that says: easy-rsa version 2.x";
|
|
exit 1;
|
|
fi
|
|
|
|
# Build root CA
|
|
if [ $DO_ROOT -eq 1 ]; then
|
|
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
|
|
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
|
|
chmod 0600 "$CA.key"
|
|
else
|
|
# Make sure CA key/cert is available
|
|
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
|
|
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
|
|
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
|
|
echo "Try $PROGNAME --initca to build a root certificate/key."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
# Generate key for PKCS#11 token
|
|
PKCS11_ARGS=
|
|
if [ $DO_P11 -eq 1 ]; then
|
|
stty -echo
|
|
echo -n "User PIN: "
|
|
read -r PKCS11_PIN
|
|
stty echo
|
|
export PKCS11_PIN
|
|
|
|
echo "Generating key pair on PKCS#11 token..."
|
|
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
|
|
--login --pin "$PKCS11_PIN" \
|
|
--key-type rsa:1024 \
|
|
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
|
|
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
|
|
fi
|
|
|
|
# Build cert/key
|
|
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH $NODES_REQ -new -newkey rsa:$KEY_SIZE \
|
|
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
|
|
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
|
|
-in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
|
|
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
|
|
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
|
|
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
|
|
( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
|
|
|
|
# Load certificate into PKCS#11 token
|
|
if [ $DO_P11 -eq 1 ]; then
|
|
$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
|
|
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
|
|
--login --pin "$PKCS11_PIN" \
|
|
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
|
|
[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
|
|
fi
|
|
|
|
fi
|
|
|
|
# Need definitions
|
|
else
|
|
need_vars
|
|
fi
|