Certificate and Certificate Authority creation tool (for UnrealIRCd)
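#!/bin/bash
# Certificate and Certificate Authority creation tool (for UnrealIRCd).
#
# Interactively builds, under $CERT_DIR:
#   private/ca.key.pem             CA private key (AES-256 encrypted)   [optional]
#   public/ca.cert.pem             CA certificate, 1095 days            [optional]
#   private/secure.server.key.pem  server private key (AES-256 encrypted)
#   private/server.req.pem         certificate signing request
#   subject_alt_name.cnf           subjectAltName extension file        [optional]
#   public/server.cert.pem         CA-signed server certificate, 365 days
#   private/server.key.pem         server key with the passphrase removed
# and can then copy the server.*.pem files into an UnrealIRCd directory.
#
# Every openssl/mkdir/cd step is checked explicitly; a failure aborts the run
# rather than letting later steps work on a missing or partial file.
set -u   # an unset variable (e.g. a typo'd name) aborts instead of expanding to ""
# openssl writes the private keys before the optional "chmod 0600" step near the
# end; a restrictive umask makes sure they are never group/world readable, even briefly.
umask 077

CERT_DIR=~/certificates
PRIVATE_DIR="$CERT_DIR/private"
PUBLIC_DIR="$CERT_DIR/public"
PUBLIC_CA="$PUBLIC_DIR/ca.cert.pem"
PRIVATE_CA="$PRIVATE_DIR/ca.key.pem"
PRIVATE_SERVER_KEY="$PRIVATE_DIR/secure.server.key.pem"
PRIVATE_SERVER_KEY_PASSWORDLESS="$PRIVATE_DIR/server.key.pem"
PRIVATE_SERVER_CSR="$PRIVATE_DIR/server.req.pem"
PUBLIC_SERVER_CERT="$PUBLIC_DIR/server.cert.pem"
SUBJECT_ALT_NAME_FILE="$CERT_DIR/subject_alt_name.cnf"
# The tilde must be unquoted to expand; "~/UnrealIRCd" produced a literal "~" directory.
UNREALIRCD_DIR=~/UnrealIRCd
OLD_CERTS_DIR="$UNREALIRCD_DIR/oldCerts/$(date +%Y%m%d%H%M%S)"
readonly CERT_DIR PRIVATE_DIR PUBLIC_DIR PUBLIC_CA PRIVATE_CA PRIVATE_SERVER_KEY \
  PRIVATE_SERVER_KEY_PASSWORDLESS PRIVATE_SERVER_CSR PUBLIC_SERVER_CERT \
  SUBJECT_ALT_NAME_FILE UNREALIRCD_DIR OLD_CERTS_DIR

# die MESSAGE... — print MESSAGE to stderr and exit 1.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }
# bold / underline TEXT... — print TEXT with the terminal attribute, then a newline.
bold() { printf '\033[1m%s\033[0m\n' "$*"; }
underline() { printf '\033[4m%s\033[0m\n' "$*"; }
# hr — section separator.
hr() { printf '%s\n' "------------------------------------------------------------------------------"; }

# ask PROMPT — show PROMPT followed by "yes/no", read one line, succeed only on
# a literal "yes". Anything else, including EOF on stdin, counts as "no", so no
# file-changing step runs without an explicit confirmation.
ask() {
  local reply=""
  printf '\033[1m%s yes/no \033[0m' "$1"
  IFS= read -r reply || true
  [[ "$reply" == "yes" ]]
}

# install_unreal_certs — back up UnrealIRCd's current server.*.pem files into
# $OLD_CERTS_DIR and copy the freshly generated ones in.
# Returns 1 if $UNREALIRCD_DIR does not exist or any step fails.
# A first-time install has nothing to back up, so the move is skipped (nullglob)
# instead of failing the whole "mkdir && mv && cp" chain and silently skipping cp.
install_unreal_certs() {
  local -a old new
  [[ -d "$UNREALIRCD_DIR" ]] || return 1
  mkdir -p -- "$OLD_CERTS_DIR" || return 1
  shopt -s nullglob
  old=("$UNREALIRCD_DIR"/server.*.pem)
  new=("$CERT_DIR"/*/server.*.pem)
  shopt -u nullglob
  if (( ${#old[@]} > 0 )); then
    mv -- "${old[@]}" "$OLD_CERTS_DIR"/ || return 1
  fi
  (( ${#new[@]} > 0 )) || return 1
  cp -- "${new[@]}" "$UNREALIRCD_DIR"/ || return 1
}

clear
underline "If you have root access to this system, you might want to run this script as root to keep your keys safe."
echo
echo "Creating certificate directories '$PUBLIC_DIR' and '$PRIVATE_DIR' and setting them to 0700 privileges"
mkdir -p -- "$PUBLIC_DIR" "$PRIVATE_DIR" || die "cannot create $PUBLIC_DIR and $PRIVATE_DIR"
chmod -- 0700 "$CERT_DIR" "$PUBLIC_DIR" "$PRIVATE_DIR" || die "cannot chmod the certificate directories"
cd -- "$CERT_DIR" || die "cannot cd to $CERT_DIR"
echo

if ask "Want to generate your own Certificate Authority?"; then
  echo
  bold "Generating your 4096-bit Certificate Authority private key with AES 256-bit encryption to $PRIVATE_CA"
  printf "Don't forget to set a password for it! Also make sure your \033[1mCommon Name is *different* from your Certificate's!\033[0m\n"
  hr
  echo
  openssl genrsa -aes256 -out "$PRIVATE_CA" 4096 || die "CA key generation failed"
  echo
  bold "Generating your x509 Certificate Authority public certificate to $PUBLIC_CA"
  underline " It will only be valid for 3*365=1095 days. "
  hr
  # -sha256: older OpenSSL releases defaulted to SHA-1 signatures, which clients now reject.
  openssl req -new -x509 -sha256 -days 1095 -key "$PRIVATE_CA" -out "$PUBLIC_CA" \
    || die "CA certificate generation failed"
fi
echo
bold "Generating your 4096-bit private server key with AES 256-bit encryption to $PRIVATE_SERVER_KEY"
printf "Don't forget to set a password for it! Also make sure your \033[1mCommon Name is *different* from your CA's!\033[0m\n"
hr
openssl genrsa -aes256 -out "$PRIVATE_SERVER_KEY" 4096 || die "server key generation failed"
echo
bold "Generating your private Certificate Signing Request to $PRIVATE_SERVER_CSR"
hr
openssl req -new -sha256 -key "$PRIVATE_SERVER_KEY" -out "$PRIVATE_SERVER_CSR" || die "CSR generation failed"
echo

# Optional subjectAltName extension file, e.g.:
#   subjectAltName=DNS:www.domain.tld,DNS:www2.domain.tld
# Kept as an array so the signing command below receives either nothing or
# exactly the two words "-extfile <path>", whatever characters the path contains.
extfile_args=()
if ask "Want to include alternative domains?"; then
  use_existing_san=no
  if [[ -e "$SUBJECT_ALT_NAME_FILE" ]]; then
    if ask "Existing subjectAltName file detected at '${SUBJECT_ALT_NAME_FILE}'. Want to use it?"; then
      use_existing_san=yes
      underline "Will use:"
      cat -- "$SUBJECT_ALT_NAME_FILE"
      extfile_args=(-extfile "$SUBJECT_ALT_NAME_FILE")
    fi
  fi
  # Only write a new file when the user did not choose to keep the existing one.
  if [[ "$use_existing_san" != "yes" ]]; then
    bold "Insert your domain names, 1 per line, finish with an empty line"
    san_entries=()
    # Default IFS trims surrounding whitespace; -r keeps backslashes literal.
    while read -r domain && [[ -n "$domain" ]]; do
      san_entries+=("DNS:${domain}")
    done
    if (( ${#san_entries[@]} > 0 )); then
      # "${arr[*]}" joins on the first character of IFS; the subshell keeps IFS local.
      contents="subjectAltName=$(IFS=,; printf '%s' "${san_entries[*]}")"
      underline "Saving the following subjectAltName directive to $SUBJECT_ALT_NAME_FILE "
      printf '%s\n' "$contents"
      printf '%s\n' "$contents" > "$SUBJECT_ALT_NAME_FILE" || die "cannot write $SUBJECT_ALT_NAME_FILE"
      extfile_args=(-extfile "$SUBJECT_ALT_NAME_FILE")
    else
      echo "No domain names entered; continuing without a subjectAltName extension."
    fi
  fi
  hr
  echo
fi

# Signing needs a CA even when the user skipped creating one in this run.
[[ -e "$PUBLIC_CA" && -e "$PRIVATE_CA" ]] \
  || die "no Certificate Authority found at $PUBLIC_CA / $PRIVATE_CA; answer 'yes' to the CA question first"
bold "Signing the Certificate Signing Request with the self-created Certificate Authority"
echo "The current timestamp is used as serial in case the certificate needs to be renewed before expiration date"
printf 'This is \033[4m only valid for 365 days \033[0m; after that period you need to renew it.\n'
hr
# ${arr[@]+"${arr[@]}"} expands to nothing for an empty array without tripping
# "set -u" on bash releases older than 4.4.
openssl x509 -req -sha256 -days 365 -in "$PRIVATE_SERVER_CSR" -CA "$PUBLIC_CA" -CAkey "$PRIVATE_CA" \
  -set_serial "$(date +%Y%m%d%H%M%S)" ${extfile_args[@]+"${extfile_args[@]}"} \
  -out "$PUBLIC_SERVER_CERT" || die "signing the CSR failed"
echo
bold "Generating passwordless private server key for use with UnrealIRCd: $PRIVATE_SERVER_KEY_PASSWORDLESS"
hr
# Written unencrypted so the daemon can start unattended; umask 077 above keeps it owner-only.
openssl rsa -in "$PRIVATE_SERVER_KEY" -out "$PRIVATE_SERVER_KEY_PASSWORDLESS" \
  || die "removing the passphrase from the server key failed"
echo
echo "If you use this for an UnrealIRCd installation, make sure you move the passwordless version: $PRIVATE_SERVER_KEY_PASSWORDLESS"
echo "For example with:"
echo "mkdir -p $OLD_CERTS_DIR && mv $UNREALIRCD_DIR/server.*.pem $OLD_CERTS_DIR/ && cp $CERT_DIR/*/server.*.pem $UNREALIRCD_DIR"
echo
if ask "Want the script to do this for you?"; then
  install_unreal_certs || die "installing the certificates into $UNREALIRCD_DIR failed (does the directory exist?)"
fi
hr
echo
echo "Also do not forget to chmod 0600 the certificates to protect them against snooping users."
echo "(though you might want 0700 for the certificates directory and subdirectory, otherwise you cannot enter them)"
if ask "Want the script to set the *.pem files to 0600?"; then
  chmod -- 0600 "$PUBLIC_DIR"/*.pem "$PRIVATE_DIR"/*.pem || die "chmod of the .pem files failed"
fi
hr
echo
# NOTE: 0600 on a directory drops the execute bit, so even the owner can no longer
# enter it (the warning above says so); it stays an explicit opt-in.
if ask "Want the script to set certificates directory to 0600 as well (to prevent snooping)?"; then
  chmod -- 0600 "$CERT_DIR" || die "chmod of $CERT_DIR failed"
fi
hr
echo
bold "We are done now! :D Thank you for making the web a bit more secure ^_^ "
echo "You can put up the '${PUBLIC_CA}'-file in a public place and instruct users to import that Certificate Authority into their clients."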