path: root/easy-rsa/pkitool



#!/bin/sh

#  OpenVPN -- An application to securely tunnel IP networks
#             over a single TCP/UDP port, with support for SSL/TLS-based
#             session authentication and key exchange,
#             packet encryption, packet authentication, and
#             packet compression.
#
#  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License version 2
#  as published by the Free Software Foundation.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program (see the file COPYING included with this
#  distribution); if not, write to the Free Software Foundation, Inc.,
#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

# pkitool is a front-end for the openssl tool.

# Calling scripts can set the certificate organizational 
# unit with the KEY_OU environmental variable. 

PROGNAME=pkitool
VERSION=2.0
DEBUG=0

GREP=grep
OPENSSL=openssl

need_vars()
{
    echo '  Please edit the vars script to reflect your configuration,'
    echo '  then source it with "source ./vars".'
    echo '  Next, to start with a fresh PKI configuration and to delete any'
    echo '  previous certificates and keys, run "./clean-all".'
    echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."
}

usage()
{
    echo "$PROGNAME $VERSION"
    echo "Usage: $PROGNAME [options...] [common-name]"
    echo "Options:"
    echo "  --batch    : batch mode (default)"
    echo "  --interact : interactive mode"
    echo "  --server   : build server cert"
    echo "  --initca   : build root CA"
    echo "  --inter    : build intermediate CA"
    echo "  --pass     : encrypt private key with password"
    echo "  --csr      : only generate a CSR, do not sign"
    echo "  --sign     : sign an existing CSR"
    echo "  --pkcs12   : generate a combined pkcs12 file"
    echo "Notes:"
    need_vars
    echo "Generated files and corresponding OpenVPN directives:"
    echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
    echo "  ca.crt     -> root certificate (--ca)"
    echo "  ca.key     -> root key, keep secure (not directly used by OpenVPN)"
    echo "  .crt files -> client/server certificates (--cert)"
    echo "  .key files -> private keys, keep secure (--key)"
    echo "  .csr files -> certificate signing request (not directly used by OpenVPN)"
    echo "  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
    echo "Examples:"
    echo "  $PROGNAME --initca          -> Build root certificate"
    echo "  $PROGNAME --initca --pass   -> Build root certificate with password-protected key"
    echo "  $PROGNAME --server server1  -> Build \"server1\" certificate/key"
    echo "  $PROGNAME client1           -> Build \"client1\" certificate/key"
    echo "  $PROGNAME --pass client2    -> Build password-protected \"client2\" certificate/key"
    echo "  $PROGNAME --pkcs12 client3  -> Build \"client3\" certificate/key in PKCS #12 format"
    echo "  $PROGNAME --csr client4     -> Build \"client4\" CSR to be signed by another CA"
    echo "  $PROGNAME --sign client4    -> Sign \"client4\" CSR"
    echo "  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key"
    echo "                               Also see ./inherit-inter script."
    echo "Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys."
    echo "Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :"
    echo "  [edit vars with your site-specific info]"
    echo "  source ./vars"
    echo "  ./clean-all"
    echo "  ./build-dh     -> takes a long time, consider backgrounding"
    echo "  ./$PROGNAME --initca"
    echo "  ./$PROGNAME --server myserver"
    echo "  ./$PROGNAME client1"
    echo "  ./$PROGNAME --pass client2"
    echo "Typical usage for adding client cert to existing PKI:"
    echo "  source ./vars"
    echo "  ./$PROGNAME client-new"
}

# Set defaults
DO_REQ="1"
REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"

# Process options
while [ $# -gt 0 ]; do
    case "$1" in
	--server   ) REQ_EXT="$REQ_EXT -extensions server"
	             CA_EXT="$CA_EXT -extensions server" ;;
	--batch    ) BATCH="-batch" ;;
	--interact ) BATCH="" ;;
        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
        --initca   ) DO_ROOT="1" ;;
	--pass     ) NODES_REQ="" ;;
        --csr      ) DO_CA="0" ;;
        --sign     ) DO_REQ="0" ;;
        --pkcs12   ) DO_P12="1" ;;
	--*        ) echo "$PROGNAME: unknown option: $1"
	             exit 1 ;;
	*          ) break ;;
    esac
    shift   
done

# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
    NODES_P12="$NODES_REQ"
    NODES_REQ="-nodes"
fi

# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
    KEY_EXPIRE=3650
fi
if [ -z "$CA_EXPIRE" ]; then
    CA_EXPIRE=3650
fi

# Set organizational unit to empty string if undefined
if [ -z "$KEY_OU" ]; then
    KEY_OU=""
fi

# Set KEY_CN
if [ $DO_ROOT -eq 1 ]; then
    if [ -z "$KEY_CN" ]; then
	if [ "$1" ]; then
	    KEY_CN="$1"
	elif [ "$KEY_ORG" ]; then
	    KEY_CN="$KEY_ORG CA"
	fi
    fi
    if [ $BATCH ] && [ "$KEY_CN" ]; then
	echo "Using CA Common Name:" $KEY_CN
    fi
elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
    echo "Using Common Name:" $KEY_CN
else
    if [ $# -ne 1 ]; then
	usage
	exit 1
    else
	KEY_CN="$1"
    fi
fi
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN

# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
    echo DO_REQ $DO_REQ
    echo REQ_EXT $REQ_EXT
    echo DO_CA $DO_CA
    echo CA_EXT $CA_EXT
    echo NODES_REQ $NODES_REQ
    echo NODES_P12 $NODES_P12
    echo DO_P12 $DO_P12
    echo KEY_CN $KEY_CN
    echo BATCH $BATCH
    echo DO_ROOT $DO_ROOT
    echo KEY_EXPIRE $KEY_EXPIRE
    echo CA_EXPIRE $CA_EXPIRE
    echo KEY_OU $KEY_OU
fi

# Make sure ./vars was sourced beforehand
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
    cd "$KEY_DIR"

    # Make sure $KEY_CONFIG points to the correct version
    # of openssl.cnf
    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
	:
    else
	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
        echo "version of openssl.cnf: $KEY_CONFIG"
	echo "The correct version should have a comment that says: easy-rsa version 2.x";
	exit 1;
    fi

    # Build root CA
    if [ $DO_ROOT -eq 1 ]; then
	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \
	    -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
	    chmod 0600 "$CA.key"
    else        
        # Make sure CA key/cert is available
	if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
	    if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
		echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
		echo "Try $PROGNAME --initca to build a root certificate/key."
		exit 1
	    fi
	fi

        # Build cert/key
	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \
	        -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \
	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
	        -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
	        -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
	    ( [ $DO_CA -eq 0 ]  || chmod 0600 "$KEY_CN.key" ) && \
	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )

    fi

# Need definitions
else
    need_vars
fi
#!/bin/sh

#  OpenVPN -- An application to securely tunnel IP networks
#             over a single TCP/UDP port, with support for SSL/TLS-based
#             session authentication and key exchange,
#             packet encryption, packet authentication, and
#             packet compression.
#
#  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License version 2
#  as published by the Free Software Foundation.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program (see the file COPYING included with this
#  distribution); if not, write to the Free Software Foundation, Inc.,
#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

# pkitool is a front-end for the openssl tool.

# Calling scripts can set the certificate organizational 
# unit with the KEY_OU environmental variable. 

PROGNAME=pkitool
VERSION=2.0
DEBUG=0

GREP=grep
OPENSSL=openssl

need_vars()
{
    echo '  Please edit the vars script to reflect your configuration,'
    echo '  then source it with "source ./vars".'
    echo '  Next, to start with a fresh PKI configuration and to delete any'
    echo '  previous certificates and keys, run "./clean-all".'
    echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."
}

usage()
{
    echo "$PROGNAME $VERSION"
    echo "Usage: $PROGNAME [options...] [common-name]"
    echo "Options:"
    echo "  --batch    : batch mode (default)"
    echo "  --interact : interactive mode"
    echo "  --server   : build server cert"
    echo "  --initca   : build root CA"
    echo "  --inter    : build intermediate CA"
    echo "  --pass     : encrypt private key with password"
    echo "  --csr      : only generate a CSR, do not sign"
    echo "  --sign     : sign an existing CSR"
    echo "  --pkcs12   : generate a combined pkcs12 file"
    echo "Notes:"
    need_vars
    echo "Generated files and corresponding OpenVPN directives:"
    echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
    echo "  ca.crt     -> root certificate (--ca)"
    echo "  ca.key     -> root key, keep secure (not directly used by OpenVPN)"
    echo "  .crt files -> client/server certificates (--cert)"
    echo "  .key files -> private keys, keep secure (--key)"
    echo "  .csr files -> certificate signing request (not directly used by OpenVPN)"
    echo "  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
    echo "Examples:"
    echo "  $PROGNAME --initca          -> Build root certificate"
    echo "  $PROGNAME --initca --pass   -> Build root certificate with password-protected key"
    echo "  $PROGNAME --server server1  -> Build \"server1\" certificate/key"
    echo "  $PROGNAME client1           -> Build \"client1\" certificate/key"
    echo "  $PROGNAME --pass client2    -> Build password-protected \"client2\" certificate/key"
    echo "  $PROGNAME --pkcs12 client3  -> Build \"client3\" certificate/key in PKCS #12 format"
    echo "  $PROGNAME --csr client4     -> Build \"client4\" CSR to be signed by another CA"
    echo "  $PROGNAME --sign client4    -> Sign \"client4\" CSR"
    echo "  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key"
    echo "                               Also see ./inherit-inter script."
    echo "Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys."
    echo "Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :"
    echo "  [edit vars with your site-specific info]"
    echo "  source ./vars"
    echo "  ./clean-all"
    echo "  ./build-dh     -> takes a long time, consider backgrounding"
    echo "  ./$PROGNAME --initca"
    echo "  ./$PROGNAME --server myserver"
    echo "  ./$PROGNAME client1"
    echo "  ./$PROGNAME --pass client2"
    echo "Typical usage for adding client cert to existing PKI:"
    echo "  source ./vars"
    echo "  ./$PROGNAME client-new"
}

# Set defaults
DO_REQ="1"
REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"

# Process options
while [ $# -gt 0 ]; do
    case "$1" in
	--server   ) REQ_EXT="$REQ_EXT -extensions server"
	             CA_EXT="$CA_EXT -extensions server" ;;
	--batch    ) BATCH="-batch" ;;
	--interact ) BATCH="" ;;
        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
        --initca   ) DO_ROOT="1" ;;
	--pass     ) NODES_REQ="" ;;
        --csr      ) DO_CA="0" ;;
        --sign     ) DO_REQ="0" ;;
        --pkcs12   ) DO_P12="1" ;;
	--*        ) echo "$PROGNAME: unknown option: $1"
	             exit 1 ;;
	*          ) break ;;
    esac
    shift   
done

# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
    NODES_P12="$NODES_REQ"
    NODES_REQ="-nodes"
fi

# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
    KEY_EXPIRE=3650
fi
if [ -z "$CA_EXPIRE" ]; then
    CA_EXPIRE=3650
fi

# Set organizational unit to empty string if undefined
if [ -z "$KEY_OU" ]; then
    KEY_OU=""
fi

# Set KEY_CN
if [ $DO_ROOT -eq 1 ]; then
    if [ -z "$KEY_CN" ]; then
	if [ "$1" ]; then
	    KEY_CN="$1"
	elif [ "$KEY_ORG" ]; then
	    KEY_CN="$KEY_ORG CA"
	fi
    fi
    if [ $BATCH ] && [ "$KEY_CN" ]; then
	echo "Using CA Common Name:" $KEY_CN
    fi
elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
    echo "Using Common Name:" $KEY_CN
else
    if [ $# -ne 1 ]; then
	usage
	exit 1
    else
	KEY_CN="$1"
    fi
fi
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN

# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
    echo DO_REQ $DO_REQ
    echo REQ_EXT $REQ_EXT
    echo DO_CA $DO_CA
    echo CA_EXT $CA_EXT
    echo NODES_REQ $NODES_REQ
    echo NODES_P12 $NODES_P12
    echo DO_P12 $DO_P12
    echo KEY_CN $KEY_CN
    echo BATCH $BATCH
    echo DO_ROOT $DO_ROOT
    echo KEY_EXPIRE $KEY_EXPIRE
    echo CA_EXPIRE $CA_EXPIRE
    echo KEY_OU $KEY_OU
fi

# Make sure ./vars was sourced beforehand
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
    cd "$KEY_DIR"

    # Make sure $KEY_CONFIG points to the correct version
    # of openssl.cnf
    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
	:
    else
	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
        echo "version of openssl.cnf: $KEY_CONFIG"
	echo "The correct version should have a comment that says: easy-rsa version 2.x";
	exit 1;
    fi

    # Build root CA
    if [ $DO_ROOT -eq 1 ]; then
	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \
	    -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
	    chmod 0600 "$CA.key"
    else        
        # Make sure CA key/cert is available
	if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
	    if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
		echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
		echo "Try $PROGNAME --initca to build a root certificate/key."
		exit 1
	    fi
	fi

        # Build cert/key
	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \
	        -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \
	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
	        -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
	        -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
	    ( [ $DO_CA -eq 0 ]  || chmod 0600 "$KEY_CN.key" ) && \
	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )

    fi

# Need definitions
else
    need_vars
fi