Certificate and Certificate Authority creation tool (for UnrealIRCd)
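#!/bin/bash
#
# Certificate and Certificate Authority creation tool (for UnrealIRCd).
#
# Interactive helper that (optionally) creates a self-signed CA, then a
# passphrase-protected 4096-bit server key, a CSR, a CA-signed server
# certificate (365 days) and a passwordless copy of the server key for
# UnrealIRCd. Every prompt expects the literal answer "yes" to proceed;
# any other answer (or EOF on stdin) skips that step.
#
# All paths are derived from CERT_DIR (default: ~/certificates). Only
# PUBLIC_CA is meant to be distributed; everything under PRIVATE_DIR stays
# on this machine. Re-running the script renews the server certificate; the
# current timestamp is used as its serial so each renewal gets a new one.
set -u

# openssl writes key files before we get a chance to chmod them; a strict
# umask guarantees a freshly written private key is never group/world
# readable, even if the script is interrupted before the chmod step.
umask 077

CERT_DIR=~/certificates
PRIVATE_DIR="$CERT_DIR/private"
PUBLIC_DIR="$CERT_DIR/public"
PUBLIC_CA="$PUBLIC_DIR/ca.cert.pem"
PRIVATE_CA="$PRIVATE_DIR/ca.key.pem"
PRIVATE_SERVER_KEY="$PRIVATE_DIR/secure.server.key.pem"
PRIVATE_SERVER_KEY_PASSWORDLESS="$PRIVATE_DIR/server.key.pem"
PRIVATE_SERVER_CSR="$PRIVATE_DIR/server.req.pem"
PUBLIC_SERVER_CERT="$PUBLIC_DIR/server.cert.pem"
SUBJECT_ALT_NAME_FILE="$CERT_DIR/subject_alt_name.cnf"
# Left unquoted on purpose: a quoted "~/UnrealIRCd" is a literal path that
# does not exist, so the install step could never find the directory.
UNREALIRCD_DIR=~/UnrealIRCd
OLD_CERTS_DIR="$UNREALIRCD_DIR/oldCerts/$(date +"%Y%m%d%H%M%S")"
readonly CERT_DIR PRIVATE_DIR PUBLIC_DIR PUBLIC_CA PRIVATE_CA \
  PRIVATE_SERVER_KEY PRIVATE_SERVER_KEY_PASSWORDLESS PRIVATE_SERVER_CSR \
  PUBLIC_SERVER_CERT SUBJECT_ALT_NAME_FILE UNREALIRCD_DIR OLD_CERTS_DIR

# Terminal attributes used in the messages (bold, underline, reset).
readonly BOLD=$'\033[1m'
readonly UL=$'\033[4m'
readonly NC=$'\033[0m'
readonly RULE='------------------------------------------------------------------------------'

# Path of the subjectAltName extension file to hand to openssl, or empty when
# the certificate gets no alternative names. Set by collect_subject_alt_names.
extfile=""

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Ask a yes/no question on a single line.
# Arguments: $1 - the question (without the trailing "yes/no")
# Returns:   0 only when the answer is the literal string "yes"
#######################################
ask_yes() {
  local answer
  printf '%s' "${BOLD}$1 yes/no ${NC}"
  read -r answer
  [[ "$answer" == "yes" ]]
}

#######################################
# Create the certificate directories with owner-only access and enter CERT_DIR.
# Globals: CERT_DIR, PUBLIC_DIR, PRIVATE_DIR (read)
#######################################
prepare_directories() {
  printf '%s\n' "Creating certificate directories '$PUBLIC_DIR' and '$PRIVATE_DIR' and setting them to 0700 privileges"
  mkdir -p -- "$PUBLIC_DIR" "$PRIVATE_DIR" || die "Could not create '$PUBLIC_DIR' and '$PRIVATE_DIR'"
  chmod 0700 "$CERT_DIR" "$PUBLIC_DIR" "$PRIVATE_DIR" || die "Could not set 0700 on the certificate directories"
  # Everything below runs from inside CERT_DIR, as the original script did.
  cd -- "$CERT_DIR" || die "Could not enter '$CERT_DIR'"
}

#######################################
# Generate an AES-256 encrypted 4096-bit CA key and a self-signed CA certificate
# valid for 1095 days. openssl prompts for the passphrase and the subject.
# Globals: PRIVATE_CA, PUBLIC_CA (written)
#######################################
create_ca() {
  printf '%s\n' "${BOLD}Generating your (4096 bytes) Certificate Authority private key with AES 256-bit encryption to $PRIVATE_CA ${NC}"
  printf '%s\n' "Don't forget to set a password for it! Also make sure your ${BOLD}Common Name is *different* from your Certificate's!${NC}"
  printf '%s\n' "$RULE"
  printf '\n'
  openssl genrsa -aes256 -out "$PRIVATE_CA" 4096 || die "Generating the CA private key failed"
  printf '\n'
  printf '%s\n' "${BOLD}Generating your x509 Certificate Authority public certificate to $PUBLIC_CA ${NC}"
  printf '%s\n' "${UL} It will only be valid for 3*365=1095 days. ${NC}"
  printf '%s\n' "$RULE"
  openssl req -new -x509 -days 1095 -key "$PRIVATE_CA" -out "$PUBLIC_CA" || die "Generating the CA certificate failed"
}

#######################################
# Generate the passphrase-protected server key and its certificate signing
# request. openssl prompts for the passphrase and the subject.
# Globals: PRIVATE_SERVER_KEY, PRIVATE_SERVER_CSR (written)
#######################################
create_server_key_and_csr() {
  printf '\n'
  printf '%s\n' "${BOLD}Generating your (4096 bytes) private server key with AES 256-bit encryption to $PRIVATE_SERVER_KEY ${NC}"
  printf '%s\n' "Don't forget to set a password for it! Also make sure your ${BOLD}Common Name is *different* from your CA's!${NC}"
  printf '%s\n' "$RULE"
  openssl genrsa -aes256 -out "$PRIVATE_SERVER_KEY" 4096 || die "Generating the server private key failed"
  printf '\n'
  printf '%s\n' "${BOLD}Generating your private Certificate Signing Request to $PRIVATE_SERVER_CSR ${NC}"
  printf '%s\n' "$RULE"
  openssl req -new -key "$PRIVATE_SERVER_KEY" -out "$PRIVATE_SERVER_CSR" || die "Generating the certificate signing request failed"
  printf '\n'
}

#######################################
# Reuse or build the subjectAltName extension file, e.g.
#   subjectAltName=DNS:www.domain.tld,DNS:www2.domain.tld
# Globals: SUBJECT_ALT_NAME_FILE (read/written), extfile (written: path of the
#          extension file, or left empty when no domains were given)
#######################################
collect_subject_alt_names() {
  local use_existing="no" contents domain
  if [[ -e "$SUBJECT_ALT_NAME_FILE" ]]; then
    if ask_yes "Existing subjectAltName file detected at '${SUBJECT_ALT_NAME_FILE}'. Want to use it?"; then
      use_existing="yes"
      printf '%s\n' "${UL}Will use:${NC}"
      cat -- "$SUBJECT_ALT_NAME_FILE"
      extfile=$SUBJECT_ALT_NAME_FILE
    fi
  fi
  # Only write a new file when the existing one is not reused, so it is never
  # overwritten by accident.
  if [[ "$use_existing" != "yes" ]]; then
    contents="subjectAltName="
    printf '%s\n' "${BOLD}Insert your domain names, 1 per line, finish with an empty line${NC}"
    # Default IFS trims surrounding whitespace from each line; -r keeps
    # backslashes literal. An empty line ends the list.
    while read -r domain && [[ -n "$domain" ]]; do
      contents+="DNS:${domain},"
    done
    # Strip the trailing comma and refuse to write a directive without domains.
    contents=${contents%,}
    if [[ -n "$contents" && "$contents" != "subjectAltName=" ]]; then
      printf '%s\n' "${UL}Saving the following subjectAltName directive to $SUBJECT_ALT_NAME_FILE ${NC}"
      printf '%s\n' "$contents" > "$SUBJECT_ALT_NAME_FILE" || die "Could not write '$SUBJECT_ALT_NAME_FILE'"
      extfile=$SUBJECT_ALT_NAME_FILE
    fi
  fi
  printf '%s\n' "$RULE"
  printf '\n'
}

#######################################
# Sign the CSR with the CA. The current timestamp is used as serial so a
# renewal before expiry does not reuse the previous serial.
# Globals: PRIVATE_SERVER_CSR, PUBLIC_CA, PRIVATE_CA, extfile (read)
#          PUBLIC_SERVER_CERT (written)
#######################################
sign_certificate() {
  local serial
  local -a sign_args
  printf '%s\n' "${BOLD}Signing the Certificate Signing Request with the self-created Certificate Authority${NC}"
  printf '%s\n' "The current timestamp is used as serial in case the certificate needs to be renewed before expiration date"
  # The original message said "356 days"; the -days argument below is 365.
  printf '%s\n' "This is ${UL} only valid for 365 days ${NC}; after that period you need to renew it."
  printf '%s\n' "$RULE"
  [[ -e "$PUBLIC_CA" && -e "$PRIVATE_CA" ]] || die "No Certificate Authority found at '$PUBLIC_CA' / '$PRIVATE_CA'; create one first"
  serial=$(date +"%Y%m%d%H%M%S")
  sign_args=(-req -days 365 -in "$PRIVATE_SERVER_CSR" -CA "$PUBLIC_CA" -CAkey "$PRIVATE_CA" -set_serial "$serial")
  # The extension file is optional; passing it through an array avoids the
  # unquoted word-splitting the original relied on.
  if [[ -n "$extfile" ]]; then
    sign_args+=(-extfile "$extfile")
  fi
  openssl x509 "${sign_args[@]}" -out "$PUBLIC_SERVER_CERT" || die "Signing the certificate failed"
}

#######################################
# Write an unencrypted copy of the server key; UnrealIRCd cannot prompt for a
# passphrase at startup. The file is created under umask 077 (owner-only).
# Globals: PRIVATE_SERVER_KEY (read), PRIVATE_SERVER_KEY_PASSWORDLESS (written)
#######################################
create_passwordless_key() {
  printf '\n'
  printf '%s\n' "${BOLD}Generating passwordless private server key${UL} for use with UnrealIRCd: ${BOLD} $PRIVATE_SERVER_KEY_PASSWORDLESS ${NC}"
  printf '%s\n' "$RULE"
  openssl rsa -in "$PRIVATE_SERVER_KEY" -out "$PRIVATE_SERVER_KEY_PASSWORDLESS" || die "Generating the passwordless server key failed"
  printf '\n'
}

#######################################
# Explain how to install the files into UnrealIRCd and optionally do it:
# previous server.*.pem files are moved to OLD_CERTS_DIR, then the new ones
# are copied in.
# Globals: UNREALIRCD_DIR, OLD_CERTS_DIR, CERT_DIR (read)
#######################################
install_into_unrealircd() {
  local old
  # The original message referenced an undefined $PUBLIC_SERVER_CERT_PASSWORDLESS;
  # the passwordless file is the private server key.
  printf '%s\n' "If you use this for an UnrealIRCd installation, make sure you move the passwordless version: $PRIVATE_SERVER_KEY_PASSWORDLESS"
  printf '%s\n' "For example with:"
  printf '%s\n' "mkdir -p $OLD_CERTS_DIR && mv $UNREALIRCD_DIR/server.*.pem $OLD_CERTS_DIR/ && cp $CERT_DIR/*/server.*.pem $UNREALIRCD_DIR"
  printf '\n'
  if ask_yes "Want the script to do this for you?"; then
    [[ -d "$UNREALIRCD_DIR" ]] || die "UnrealIRCd directory '$UNREALIRCD_DIR' does not exist"
    mkdir -p -- "$OLD_CERTS_DIR" || die "Could not create '$OLD_CERTS_DIR'"
    # Move previous certificates aside. A first install has none; that must
    # not abort the copy, which the original "mv && cp" chain did.
    for old in "$UNREALIRCD_DIR"/server.*.pem; do
      [[ -e "$old" ]] || continue
      mv -- "$old" "$OLD_CERTS_DIR/" || die "Could not move '$old' to '$OLD_CERTS_DIR'"
    done
    cp -- "$CERT_DIR"/*/server.*.pem "$UNREALIRCD_DIR"/ || die "Could not copy the new certificates into '$UNREALIRCD_DIR'"
  fi
  printf '%s\n' "$RULE"
  printf '\n'
}

#######################################
# Offer to restrict the generated *.pem files, and optionally CERT_DIR itself,
# to the owner.
# Globals: PUBLIC_DIR, PRIVATE_DIR, CERT_DIR (read)
#######################################
secure_files() {
  printf '%s\n' "Also do not forget to chmod 0600 the certificates to protect them against snooping users."
  printf '%s\n' "(though you might want 0700 for the certificates directory and subdirectory, otherwise you cannot enter them)"
  if ask_yes "Want the script to set the *.pem files to 0600?"; then
    chmod 0600 "$PUBLIC_DIR"/*.pem "$PRIVATE_DIR"/*.pem || die "Could not set 0600 on the *.pem files"
  fi
  printf '%s\n' "$RULE"
  printf '\n'
  if ask_yes "Want the script to set certificates directory to 0600 as well (to prevent snooping)?"; then
    # 0600 on a directory drops the execute bit, so even the owner cannot enter
    # it afterwards (the message above warns about this); done only on request.
    chmod 0600 "$CERT_DIR" || die "Could not set 0600 on '$CERT_DIR'"
  fi
  printf '%s\n' "$RULE"
  printf '\n'
}

#######################################
# Run the interactive flow from directory creation to the final instructions.
#######################################
main() {
  local wants_ca="no"
  clear
  printf '%s\n' "${UL}If you have root access to this system, you might want to run this script as root to keep your keys safe.${NC}"
  printf '\n'
  prepare_directories
  printf '\n'
  if ask_yes "Want to generate your own Certificate Authority?"; then
    wants_ca="yes"
  fi
  printf '\n'
  if [[ "$wants_ca" == "yes" ]]; then
    create_ca
  fi
  create_server_key_and_csr
  if ask_yes "Want to include alternative domains?"; then
    collect_subject_alt_names
  fi
  sign_certificate
  create_passwordless_key
  install_into_unrealircd
  secure_files
  printf '%s\n' "${BOLD}We are done now! :D Thank you for making the web a bit more secure ^_^ ${NC}"
  printf '%s\n' "You can put up the '${PUBLIC_CA}'-file in a public place and instruct users to import that Certificate Authority into their clients."
}

main "$@"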