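#!/bin/bash

# (c) CopyRight 2000 - 2020, EdelWeb for EdelKey and OpenEvidence
# Author: Peter Sylvester

# "libre" for integration with curl
#
# Generate a server key, CSR and CA-signed certificate for the test suite:
#
#   genserv.sh <prefix> <caprefix>
#
# Reads:   <prefix>-sv.prm        openssl req / x509 -extfile configuration
#          <caprefix>-ca.cacert   CA certificate used to sign the request
#          <caprefix>-ca.key      CA private key
#          <caprefix>-ca.cnf      openssl ca configuration (revoke / CRL)
# Writes:  <prefix>-sv.key .csr .crt .der .pub.der .pub.pem .crl .pem
#          plus <prefix>-sv.dhp / <prefix>-sv.p12 when DHP / P12 are YES
# Env:     SERIAL (optional) certificate serial number; derived if unset
#
# The key passphrase used below ("secret") is a throwaway: the key is written
# back unencrypted immediately after generation. These are test fixtures.

OPENSSL=openssl
if [ -f /usr/local/ssl/bin/openssl ] ; then
   OPENSSL=/usr/local/ssl/bin/openssl
fi

usage() {
   echo "Usage is genserv.sh <prefix> <caprefix>"
}

# HOME is pointed at the working directory (kept from the original script;
# presumably so that any $ENV::HOME reference in the openssl configs resolves
# here). The cd is then a no-op but guards against an unreadable cwd.
HOME=$(pwd)
cd "$HOME" || exit 1

KEYSIZE=2048
DURATION=3000
# The -sha256 option was introduced in OpenSSL 1.0.1
DIGESTALGO=-sha256

REQ=YES
P12=NO
DHP=NO

# Set to non-empty by any failed precondition check below.
NOTOK=""

PREFIX=${1-}
if [ -z "$PREFIX" ] ; then
   echo "No configuration prefix"
   NOTOK=1
elif [ ! -f "$PREFIX-sv.prm" ] ; then
   echo "No configuration file $PREFIX-sv.prm"
   NOTOK=1
fi

CAPREFIX=${2-}
if [ -z "$CAPREFIX" ] ; then
   echo "No CA prefix"
   NOTOK=1
else
   if [ ! -f "$CAPREFIX-ca.cacert" ] ; then
      echo "No CA certificate file $CAPREFIX-ca.cacert"
      NOTOK=1
   fi
   if [ ! -f "$CAPREFIX-ca.key" ] ; then
      echo "No $CAPREFIX key"
      NOTOK=1
   fi
fi

if [ -n "$NOTOK" ] ; then
   echo "Sorry, I can't do that for you."
   usage
   # non-zero so a calling script can notice the failure
   exit 1
fi

# A serial may be supplied through the environment; otherwise derive one from
# the current time and the shell PID. Note that $$ is expanded by bash before
# perl ever sees the expression, the escaped \$ names are perl variables.
if [ -z "${SERIAL-}" ] ; then
   GETSERIAL="\$t = time ;\$d =  \$t . substr(\$t+$$ ,-4,4)-1;print \$d"
   SERIAL=$(/usr/bin/env perl -e "$GETSERIAL")
fi

echo "SERIAL=$SERIAL PREFIX=$PREFIX CAPREFIX=$CAPREFIX DURATION=$DURATION KEYSIZE=$KEYSIZE"

if [ "$DHP" = YES ] ; then
   echo "openssl dhparam -2 -out $PREFIX-sv.dhp $KEYSIZE"
   $OPENSSL dhparam -2 -out "$PREFIX-sv.dhp" "$KEYSIZE"
fi

if [ "$REQ" = YES ] ; then
   # The echoed command masks the passphrase; the real one is still passed on
   # the command line, which is acceptable only because it is a throwaway.
   echo "openssl req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr -passout XXX"
   $OPENSSL req -config "$PREFIX-sv.prm" -newkey "rsa:$KEYSIZE" -keyout "$PREFIX-sv.key" -out "$PREFIX-sv.csr" -passout pass:secret || exit 1
fi

# Strip the passphrase again: the key is rewritten in clear PEM form.
echo "openssl rsa -in $PREFIX-sv.key -out $PREFIX-sv.key"
$OPENSSL rsa -in "$PREFIX-sv.key" -out "$PREFIX-sv.key" -passin pass:secret || exit 1
echo pseudo secrets generated

echo "openssl rsa -in $PREFIX-sv.key -pubout -outform DER -out $PREFIX-sv.pub.der"
$OPENSSL rsa -in "$PREFIX-sv.key" -pubout -outform DER -out "$PREFIX-sv.pub.der"

echo "openssl rsa -in $PREFIX-sv.key -pubout -outform PEM -out $PREFIX-sv.pub.pem"
$OPENSSL rsa -in "$PREFIX-sv.key" -pubout -outform PEM -out "$PREFIX-sv.pub.pem"

# Sign the request with the CA; the .prm doubles as the -extfile so the
# certificate gets the extensions declared there.
echo "openssl x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION  -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -text -nameopt multiline $DIGESTALGO > $PREFIX-sv.crt "

$OPENSSL x509 -set_serial "$SERIAL" -extfile "$PREFIX-sv.prm" -days "$DURATION" -CA "$CAPREFIX-ca.cacert" -CAkey "$CAPREFIX-ca.key" -in "$PREFIX-sv.csr" -req -text -nameopt multiline $DIGESTALGO > "$PREFIX-sv.crt" || exit 1

if [ "$P12" = YES ] ; then
   # NOTE(review): this reads $CAPREFIX-ca.crt while the checks above look at
   # $CAPREFIX-ca.cacert -- confirm which file the CA generation step produces.
   echo "$OPENSSL pkcs12 -export -des3 -out $PREFIX-sv.p12 -caname $CAPREFIX -name $PREFIX -inkey $PREFIX-sv.key -in $PREFIX-sv.crt -certfile $CAPREFIX-ca.crt "

   $OPENSSL pkcs12 -export -des3 -out "$PREFIX-sv.p12" -caname "$CAPREFIX" -name "$PREFIX" -inkey "$PREFIX-sv.key" -in "$PREFIX-sv.crt" -certfile "$CAPREFIX-ca.crt"
fi

echo "openssl x509 -noout -text -hash -in $PREFIX-sv.crt -nameopt multiline"
$OPENSSL x509 -noout -text -hash -in "$PREFIX-sv.crt" -nameopt multiline

# revoke server cert
# The CA index and serial counter are (re)created from scratch on every run,
# so the revocation below only ever covers the certificate just issued.
touch "$CAPREFIX-ca.db"
echo 01 > "$CAPREFIX-ca.cnt"
echo "openssl ca -config $CAPREFIX-ca.cnf -revoke $PREFIX-sv.crt"
$OPENSSL ca -config "$CAPREFIX-ca.cnf" -revoke "$PREFIX-sv.crt"

# issue CRL
echo "openssl ca -config $CAPREFIX-ca.cnf -gencrl -out $PREFIX-sv.crl"
$OPENSSL ca -config "$CAPREFIX-ca.cnf" -gencrl -out "$PREFIX-sv.crl"

echo "openssl x509 -in $PREFIX-sv.crt -outform der -out $PREFIX-sv.der "
$OPENSSL x509 -in "$PREFIX-sv.crt" -outform der -out "$PREFIX-sv.der"

# all together now
# The .dhp is touched so the cat below works even when DHP=NO left no file.
touch "$PREFIX-sv.dhp"
cat "$PREFIX-sv.prm" "$PREFIX-sv.key" "$PREFIX-sv.crt" "$PREFIX-sv.dhp" > "$PREFIX-sv.pem"
# NOTE(review): only the .prm is made non-world-readable here; the .key and
# the .pem bundle, which carry the private key, keep the umask default. That
# is fine for published test fixtures; confirm before reusing this elsewhere.
chmod o-r "$PREFIX-sv.prm"

echo "$PREFIX-sv.pem done"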