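#!/bin/bash
## Bootstrap a private certificate authority for the kal-manage tooling:
## writes /etc/default/ca, points openssl.cnf / CA.pl at the CA directory,
## generates a password-protected root key and a self-signed root cert,
## and installs the ``mkcrt`` helper.  Must run as root (writes under
## /etc, /usr/sbin and /var/lib).
##
## Optional environment overrides: CA_SUBJECT, COUNTRY, STATE, ORGANISATION,
## DAYS (see the defaults written to /etc/default/ca below).

set -eu           # abort on any failed command or unset variable
set -o pipefail   # a failing producer (e.g. 'openssl rand') must not be
                  # masked by a successful consumer further down a pipeline
set -x            # verbose logging to juju debug-log.  Safe only because no
                  # secret is ever put on a command line: the CA password is
                  # always passed as file:<path>, never as an argument.

## Install the package that provides ``mkcrt``.
## '--force-yes' was dropped on purpose: it let apt proceed even when the
## package signature could not be verified, i.e. it allowed an
## unauthenticated package onto the box (apt deprecated it in 1.1 in favour
## of explicit --allow-* flags).  With plain -y an unverifiable package makes
## apt-get fail, and set -e stops the bootstrap instead of trusting it.
apt-get install -y kal-manage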
CA_SUBJECT=${CA_SUBJECT:-/C=FR/ST=France/O=Kalysto/CN=kal.fr/emailAddress=ca@kal.fr}
## Write the CA settings file that this script (and, presumably, mkcrt)
## source afterwards.  The here-doc is deliberately unquoted: COUNTRY,
## STATE, ORGANISATION and DAYS are resolved *now*, from the environment
## of this run, while the escaped \$CA_DATA / \$CA_DIR references are
## written verbatim and resolved whenever the file is sourced.
## The file holds no secret (only the *path* of the password file), so the
## default umask is fine for it.
cat > /etc/default/ca <<EOF
CA_DATA="/var/lib/ca"
CA_DIR="\$CA_DATA" ## avoid regexp chars please and '%' as it is concated in a regexp.
OPENSSL_CONF_FILE=/etc/ssl/openssl.cnf
PERL_CA_SCRIPT=/usr/lib/ssl/misc/CA.pl

CA_PASSWORD_FILE="\$CA_DIR/password"


## SSL subject defaults
COUNTRY=${COUNTRY:-FR}
STATE=${STATE:-France}
ORGANISATION=${ORGANISATION:-Kalysto}
## 20 years = 7300 days
## 10 years = 3650 days
## 3 years = 1095 days
DAYS=${DAYS:-3650}

EOF
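##
## Setup CA configuration
##

## Load CA_DATA, CA_DIR, OPENSSL_CONF_FILE, PERL_CA_SCRIPT, CA_PASSWORD_FILE
## and the subject defaults from the file written above.
. /etc/default/ca

## CA_DATA is spliced into 's%...%...%' sed commands below.  A '%' in it
## would terminate the expression early, and '&' or '\' would be
## interpreted inside the replacement -- either way openssl.cnf / CA.pl
## would be silently corrupted.  Refuse such values up front.
case "$CA_DATA" in
  *%*|*'&'*|*'\'*)
    printf '%s\n' "CA_DATA must not contain %, & or backslash: $CA_DATA" >&2
    exit 1
    ;;
esac

## The CA directory will hold the private key: owner-only access.
mkdir -p -- "$CA_DIR"
chmod 700 -- "$CA_DIR"

## Default location of the files that manage the certificate authority.
## The pattern escapes the dot ('\.'): the previous './demoCA' used '.' as
## "any character".  The replacement is double-quoted so CA_DATA is never
## word-split or glob-expanded.
sed -ri "s%\./demoCA%$CA_DATA%g" "$OPENSSL_CONF_FILE"

## Default validity period for a certificate extended to 20 years.
## This is a private, self-signed CA; re-issuing every certificate it ever
## signed after 365 days is not worth the operational trouble.
## Replacement is '\1' (the captured "default_days = " prefix) followed by
## the literal 7300.  The previous '\7300' referenced a non-existent group
## 7, which GNU sed rejects ("invalid reference \7 on s command's RHS"),
## aborting the whole script under set -e.
sed -ri 's%(default_days\s*= *)365%\17300%g' "$OPENSSL_CONF_FILE"

## And edit "$PERL_CA_SCRIPT": same relocation, and every '-days' it carries
## (365 / 1095 on the releases this was written against) becomes 20 years.
sed -ri "s%\./demoCA%$CA_DATA%g" "$PERL_CA_SCRIPT"
sed -ri 's%-days 365%-days 7300%g' "$PERL_CA_SCRIPT"
sed -ri 's%-days 1095%-days 7300%g' "$PERL_CA_SCRIPT"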
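## Creating root CA password
CA_PASSWORD_FILE="$CA_DIR/password"

## Create (or truncate) the file as 0600 from its very first instant via a
## subshell umask: the previous touch + chmod sequence left a window where
## the file existed with the default umask.  The chmod afterwards also
## tightens a pre-existing, laxer file *before* a password is written into it.
( umask 077; : > "$CA_PASSWORD_FILE" )
chmod go-rwx -- "$CA_PASSWORD_FILE"

## 32 random bytes, base64-encoded and cut to 32 characters (~192 bits).
## The password only ever travels through this file (openssl reads it with
## file:), so set -x cannot leak it into the juju debug-log.  pipefail makes
## a failing 'openssl rand' fatal instead of leaving an empty file behind a
## successful 'cut'.
( set -o pipefail; openssl rand -base64 32 | cut -c -32 > "$CA_PASSWORD_FILE" )

## Belt and braces: an empty password file would silently produce a CA key
## with an empty passphrase (or an unusable one) further down.
if [ ! -s "$CA_PASSWORD_FILE" ]; then
  printf '%s\n' "failed to generate a CA password in $CA_PASSWORD_FILE" >&2
  exit 1
fi

## from "$PERL_CA_SCRIPT" -newca
mkdir -p -- "$CA_DIR/"{certs,crl,newcerts,private}
chmod 700 -- "$CA_DIR/private"   # will hold cakey.pem; do not rely on umask
touch -- "$CA_DIR/index.txt"
echo "01" > "$CA_DIR/crlnumber"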
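## Create the request: generate the CA private key (encrypted with the
## password read from CA_PASSWORD_FILE -- never put on the command line,
## so it is safe under set -x) plus a CSR for it.
## Key size and request digest are pinned here rather than inherited from
## openssl.cnf: older OpenSSL releases defaulted to 1024-bit RSA and SHA-1,
## neither of which is acceptable for a root that lives 20 years.
openssl req -new \
  -newkey rsa:4096 \
  -sha256 \
  -keyout "$CA_DIR/private/cakey.pem" \
  -out "$CA_DIR/careq.pem" \
  -subj "$CA_SUBJECT" \
  -passout file:"$CA_PASSWORD_FILE"

## Self-Sign request: 20-year root certificate with the v3_ca extensions
## from openssl.cnf.  -batch: no interactive confirmation; -create_serial:
## start a fresh serial file; -md sha256: do not depend on the config's
## default signature digest.  -infiles must stay last (it consumes the
## rest of the command line).
openssl ca -create_serial \
  -out "$CA_DIR/cacert.pem" \
  -days 7300 \
  -batch \
  -md sha256 \
  -keyfile "$CA_DIR/private/cakey.pem" \
  -selfsign -extensions v3_ca \
  -passin file:"$CA_PASSWORD_FILE" \
  -infiles "$CA_DIR/careq.pem"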
## Creating a dh file: Diffie-Hellman parameters are for key exchange on a
## TLS/OpenVPN *server* and are independent of the CA, so they do not belong
## here; 1024-bit DH is also far too small to use today.  Left disabled.
# openssl dhparam -out "$CA_DIR/dh1024.pem" 1024
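##
## Prepare data side
##

## Issued keys are stored here; owner-only, like the CA directory itself.
## (Options before operands: 'chmod 700 DIR -R' relies on GNU permuting
## arguments.)
mkdir -p -- "$CA_DATA/keys"
chmod -R 700 -- "$CA_DATA/keys"

##
## Insert a few tools
##

## mkcrt ships with this bootstrap; the source path is relative to the
## current working directory (presumably the charm root the hook is run
## from -- confirm if this is ever invoked by hand).  install(1) sets the
## mode explicitly, so the tool is executable whatever mode the checkout
## gave the source file.
install -m 0755 -- src/usr/sbin/mkcrt /usr/sbin/mkcrt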