You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

98 lines
2.4 KiB

  1. #!/bin/bash
  2. set -eux # -x for verbose logging to juju debug-log
  3. apt-get install -y --force-yes kal-manage ## this is for ``mkcrt``
  4. CA_SUBJECT=${CA_SUBJECT:-/C=FR/ST=France/O=Kalysto/CN=kal.fr/emailAddress=ca@kal.fr}
  5. cat <<EOF > /etc/default/ca
  6. CA_DATA="/var/lib/ca"
  7. CA_DIR="\$CA_DATA" ## avoid regexp chars please and '%' as it is concated in a regexp.
  8. OPENSSL_CONF_FILE=/etc/ssl/openssl.cnf
  9. PERL_CA_SCRIPT=/usr/lib/ssl/misc/CA.pl
  10. CA_PASSWORD_FILE="\$CA_DIR/password"
  11. ## SSL subject defaults
  12. COUNTRY=${COUNTRY:-FR}
  13. STATE=${STATE:-France}
  14. ORGANISATION=${ORGANISATION:-Kalysto}
  15. ## 20 years = 7300 days
  16. ## 10 years = 3650 days
  17. ## 3 years = 1095 days
  18. DAYS=${DAYS:-3650}
  19. EOF
  20. ##
  21. ## Setup CA configuration
  22. ##
  23. . /etc/default/ca
  24. mkdir -p "$CA_DIR"
  25. chmod 700 "$CA_DIR"
  26. ## default location of files to manage the certificate of authority
  27. sed -ri 's%./demoCA%'$CA_DATA'%g' "$OPENSSL_CONF_FILE"
  28. ## default validity period for a certificate extended to 20 years
  29. ## Gosh, this is anyway a self-signed certificate, why the hell would
  30. ## we want to go through all the hassles of re-issuing EVERY certificate
  31. ## ever signed by this authority ?
  32. sed -ri 's%(default_days\s*= *)365%\7300%g' "$OPENSSL_CONF_FILE"
  33. ## And edit: "$PERL_CA_SCRIPT"
  34. sed -ri "s%./demoCA%$CA_DATA%g" "$PERL_CA_SCRIPT"
  35. sed -ri 's%-days 365%-days 7300%g' "$PERL_CA_SCRIPT"
  36. sed -ri 's%-days 1095%-days 7300%g' "$PERL_CA_SCRIPT"
  37. ## Creating root CA password
  38. CA_PASSWORD_FILE="$CA_DIR/password"
  39. touch "$CA_PASSWORD_FILE"
  40. chmod go-rwx "$CA_PASSWORD_FILE"
  41. openssl rand -base64 32 | cut -c -32 > "$CA_PASSWORD_FILE"
  42. ## from "$PERL_CA_SCRIPT" -newca
  43. mkdir -p "$CA_DIR/"{certs,crl,newcerts,private}
  44. touch "$CA_DIR/index.txt"
  45. echo "01" > "$CA_DIR/crlnumber"
  46. ## Create the request
  47. openssl req -new \
  48. -keyout "$CA_DIR/private/cakey.pem" \
  49. -out "$CA_DIR/careq.pem" \
  50. -subj "$CA_SUBJECT" \
  51. -passout file:"$CA_PASSWORD_FILE"
  52. ## Self-Sign request
  53. openssl ca -create_serial \
  54. -out "$CA_DIR/cacert.pem" \
  55. -days 7300 \
  56. -batch \
  57. -keyfile "$CA_DIR/private/cakey.pem" \
  58. -selfsign -extensions v3_ca \
  59. -passin file:"$CA_PASSWORD_FILE" \
  60. -infiles "$CA_DIR/careq.pem"
  61. ## Creating dh file (why ? is it only OpenVPN, is it dependent with CA)
  62. # openssl dhparam -out "$CA_DIR/dh1024.pem" 1024
  63. ##
  64. ## Prepare data side
  65. ##
  66. mkdir -p "$CA_DATA/keys"
  67. chmod 700 "$CA_DATA/keys" -R
  68. ##
  69. ## Insert a few tools
  70. ##
  71. cp src/usr/sbin/mkcrt /usr/sbin/mkcrt