aboutsummaryrefslogtreecommitdiff
path: root/easy-rsa/2.0/pkitool
blob: 2d2d764c255c19d54fb3db1fead1072bb708ea54 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
#!/bin/sh

#  OpenVPN -- An application to securely tunnel IP networks
#             over a single TCP/UDP port, with support for SSL/TLS-based
#             session authentication and key exchange,
#             packet encryption, packet authentication, and
#             packet compression.
#
#  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License version 2
#  as published by the Free Software Foundation.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program (see the file COPYING included with this
#  distribution); if not, write to the Free Software Foundation, Inc.,
#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

# pkitool is a front-end for the openssl tool.

# Calling scripts can set the certificate organizational 
# unit with the KEY_OU environmental variable. 

PROGNAME=pkitool
VERSION=2.0
DEBUG=0

GREP=grep
OPENSSL=openssl

need_vars()
{
    echo '  Please edit the vars script to reflect your configuration,'
    echo '  then source it with "source ./vars".'
    echo '  Next, to start with a fresh PKI configuration and to delete any'
    echo '  previous certificates and keys, run "./clean-all".'
    echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."
}

usage()
{
    echo "$PROGNAME $VERSION"
    echo "Usage: $PROGNAME [options...] [common-name]"
    echo "Options:"
    echo "  --batch    : batch mode (default)"
    echo "  --interact : interactive mode"
    echo "  --server   : build server cert"
    echo "  --initca   : build root CA"
    echo "  --inter    : build intermediate CA"
    echo "  --pass     : encrypt private key with password"
    echo "  --csr      : only generate a CSR, do not sign"
    echo "  --sign     : sign an existing CSR"
    echo "  --pkcs12   : generate a combined pkcs12 file"
    echo "Notes:"
    need_vars
    echo "Generated files and corresponding OpenVPN directives:"
    echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
    echo "  ca.crt     -> root certificate (--ca)"
    echo "  ca.key     -> root key, keep secure (not directly used by OpenVPN)"
    echo "  .crt files -> client/server certificates (--cert)"
    echo "  .key files -> private keys, keep secure (--key)"
    echo "  .csr files -> certificate signing request (not directly used by OpenVPN)"
    echo "  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
    echo "Examples:"
    echo "  $PROGNAME --initca          -> Build root certificate"
    echo "  $PROGNAME --initca --pass   -> Build root certificate with password-protected key"
    echo "  $PROGNAME --server server1  -> Build \"server1\" certificate/key"
    echo "  $PROGNAME client1           -> Build \"client1\" certificate/key"
    echo "  $PROGNAME --pass client2    -> Build password-protected \"client2\" certificate/key"
    echo "  $PROGNAME --pkcs12 client3  -> Build \"client3\" certificate/key in PKCS #12 format"
    echo "  $PROGNAME --csr client4     -> Build \"client4\" CSR to be signed by another CA"
    echo "  $PROGNAME --sign client4    -> Sign \"client4\" CSR"
    echo "  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key"
    echo "                               Also see ./inherit-inter script."
    echo "Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys."
    echo "Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :"
    echo "  [edit vars with your site-specific info]"
    echo "  source ./vars"
    echo "  ./clean-all"
    echo "  ./build-dh     -> takes a long time, consider backgrounding"
    echo "  ./$PROGNAME --initca"
    echo "  ./$PROGNAME --server myserver"
    echo "  ./$PROGNAME client1"
    echo "  ./$PROGNAME --pass client2"
    echo "Typical usage for adding client cert to existing PKI:"
    echo "  source ./vars"
    echo "  ./$PROGNAME client-new"
}

# Set defaults
DO_REQ="1"
REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"

# Process options
while [ $# -gt 0 ]; do
    case "$1" in
	--server   ) REQ_EXT="$REQ_EXT -extensions server"
	             CA_EXT="$CA_EXT -extensions server" ;;
	--batch    ) BATCH="-batch" ;;
	--interact ) BATCH="" ;;
        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
        --initca   ) DO_ROOT="1" ;;
	--pass     ) NODES_REQ="" ;;
        --csr      ) DO_CA="0" ;;
        --sign     ) DO_REQ="0" ;;
        --pkcs12   ) DO_P12="1" ;;
	--*        ) echo "$PROGNAME: unknown option: $1"
	             exit 1 ;;
	*          ) break ;;
    esac
    shift   
done

# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
    NODES_P12="$NODES_REQ"
    NODES_REQ="-nodes"
fi

# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
    KEY_EXPIRE=3650
fi
if [ -z "$CA_EXPIRE" ]; then
    CA_EXPIRE=3650
fi

# Set organizational unit to empty string if undefined
if [ -z "$KEY_OU" ]; then
    KEY_OU=""
fi

# Set KEY_CN
if [ $DO_ROOT -eq 1 ]; then
    if [ -z "$KEY_CN" ]; then
	if [ "$1" ]; then
	    KEY_CN="$1"
	elif [ "$KEY_ORG" ]; then
	    KEY_CN="$KEY_ORG CA"
	fi
    fi
    if [ $BATCH ] && [ "$KEY_CN" ]; then
	echo "Using CA Common Name:" $KEY_CN
    fi
elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
    echo "Using Common Name:" $KEY_CN
else
    if [ $# -ne 1 ]; then
	usage
	exit 1
    else
	KEY_CN="$1"
    fi
fi
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN

# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
    echo DO_REQ $DO_REQ
    echo REQ_EXT $REQ_EXT
    echo DO_CA $DO_CA
    echo CA_EXT $CA_EXT
    echo NODES_REQ $NODES_REQ
    echo NODES_P12 $NODES_P12
    echo DO_P12 $DO_P12
    echo KEY_CN $KEY_CN
    echo BATCH $BATCH
    echo DO_ROOT $DO_ROOT
    echo KEY_EXPIRE $KEY_EXPIRE
    echo CA_EXPIRE $CA_EXPIRE
    echo KEY_OU $KEY_OU
fi

# Make sure ./vars was sourced beforehand
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
    cd "$KEY_DIR"

    # Make sure $KEY_CONFIG points to the correct version
    # of openssl.cnf
    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
	:
    else
	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
        echo "version of openssl.cnf: $KEY_CONFIG"
	echo "The correct version should have a comment that says: easy-rsa version 2.x";
	exit 1;
    fi

    # Build root CA
    if [ $DO_ROOT -eq 1 ]; then
	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \
	    -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
	    chmod 0600 "$CA.key"
    else        
        # Make sure CA key/cert is available
	if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
	    if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
		echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
		echo "Try $PROGNAME --initca to build a root certificate/key."
		exit 1
	    fi
	fi

        # Build cert/key
	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \
	        -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \
	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
	        -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
	        -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
	    ( [ $DO_CA -eq 0 ]  || chmod 0600 "$KEY_CN.key" ) && \
	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )

    fi

# Need definitions
else
    need_vars
fi