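@echo off
rem
rem unbound-control-setup.cmd - set up SSL certificates for unbound-control
rem
rem Copyright (c) 2008, NLnet Labs. All rights reserved.
rem Modified for Windows by Y.Voinov (c) 2014
rem
rem This software is open source.
rem
rem Redistribution and use in source and binary forms, with or without
rem modification, are permitted provided that the following conditions
rem are met:
rem
rem Redistributions of source code must retain the above copyright notice,
rem this list of conditions and the following disclaimer.
rem
rem Redistributions in binary form must reproduce the above copyright notice,
rem this list of conditions and the following disclaimer in the documentation
rem and/or other materials provided with the distribution.
rem
rem Neither the name of the NLNET LABS nor the names of its contributors may
rem be used to endorse or promote products derived from this software without
rem specific prior written permission.
rem
rem THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
rem "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
rem LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
rem A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
rem HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
rem SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
rem TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
rem PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
rem LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
rem NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
rem SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
rem
rem Usage: unbound-control-setup.cmd [-h] [-d dir]
rem
rem   Generates, in dir, an RSA key for the unbound server and one for
rem   unbound-control (existing .key files are kept, so the script can be
rem   re-run to refresh only the certificates), a self-signed server
rem   certificate and a client certificate signed by it.  Intermediate
rem   files are removed at the end.  Requires openssl.exe on PATH.
rem   Exit status is 0 on success and 1 on any failure.
rem
rem   NOTE(review): the .key files are created with whatever ACL dir hands
rem   down to new files; keep dir readable only by administrators and the
rem   account the unbound service runs as - verify after setup.

setlocal

rem settings:

rem directory for files.  set "name=value" keeps the quotes out of the
rem value so it can be re-quoted later without producing "C:\..."\Unbound.
set "prefix=C:\Program Files"
set "DESTDIR=%prefix%\Unbound"

rem issuer and subject name for certificates
set "SERVERNAME=unbound"
set "CLIENTNAME=unbound-control"

rem validity period for certificates (days)
set "DAYS=7200"

rem size of keys in bits
rem NOTE(review): 1536-bit RSA is below the commonly recommended minimum of
rem 2048 bits; raising this only affects keys generated from then on.
set "BITS=1536"

rem hash algorithm
set "HASH=sha256"

rem base name for unbound server keys
set "SVR_BASE=unbound_server"

rem base name for unbound-control keys
set "CTL_BASE=unbound_control"

rem end of options

rem Check OpenSSL installed.  Start from an empty value so a stale
rem SSL_PROGRAM in the caller's environment is never reused, and take the
rem first hit, which is the one a plain "openssl" command would run.
set "SSL_PROGRAM="
for /f "delims=" %%a in ('where openssl 2^>nul') do if not defined SSL_PROGRAM set "SSL_PROGRAM=%%a"
if not defined SSL_PROGRAM (
  echo SSL not found. If installed, add path to PATH environment variable.
  exit /b 1
)
echo SSL found: %SSL_PROGRAM%

rem argument handling: -h prints help, -d dir overrides DESTDIR.
rem %~1 / %~2 strip surrounding quotes so the value can be re-quoted safely.
if /I "%~1"=="-h" goto help
if /I "%~1"=="-d" (
  if "%~2"=="" (
    echo -d requires a directory argument
    exit /b 1
  )
  set "DESTDIR=%~2"
)

rem go!
echo setup in directory %DESTDIR%
rem /d also switches drive; abort instead of silently generating the keys
rem in whatever directory the script happened to be started from.
cd /d "%DESTDIR%" || (
  echo could not change to directory "%DESTDIR%"
  exit /b 1
)

rem create certificate keys; do not recreate if they already exist.
rem "if errorlevel" is used instead of "cmd || echo x && exit 1", whose
rem chaining cmd evaluates left to right and which is easy to misread.
if exist "%SVR_BASE%.key" (
  echo %SVR_BASE%.key exists
) else (
  echo generating %SVR_BASE%.key
  "%SSL_PROGRAM%" genrsa -out "%SVR_BASE%.key" %BITS%
  if errorlevel 1 (
    echo could not genrsa
    exit /b 1
  )
)

if exist "%CTL_BASE%.key" (
  echo %CTL_BASE%.key exists
) else (
  echo generating %CTL_BASE%.key
  "%SSL_PROGRAM%" genrsa -out "%CTL_BASE%.key" %BITS%
  if errorlevel 1 (
    echo could not genrsa
    exit /b 1
  )
)

rem create self-signed cert for server
call :write_request_cfg "%SERVERNAME%" || exit /b 1

echo create %SVR_BASE%.pem (self signed certificate)
"%SSL_PROGRAM%" req -key "%SVR_BASE%.key" -config request.cfg -new -x509 -days %DAYS% -out "%SVR_BASE%.pem"
if errorlevel 1 (
  echo could not create %SVR_BASE%.pem
  exit /b 1
)
rem create trusted usage pem; it is the CA input for the client signing below
"%SSL_PROGRAM%" x509 -in "%SVR_BASE%.pem" -addtrust serverAuth -out "%SVR_BASE%_trust.pem"
if errorlevel 1 (
  echo could not create %SVR_BASE%_trust.pem
  exit /b 1
)

rem create client request and sign it
call :write_request_cfg "%CLIENTNAME%" || exit /b 1

echo create %CTL_BASE%.pem (signed client certificate)
rem the pipeline's status is that of the last command, the x509 signing step
"%SSL_PROGRAM%" req -key "%CTL_BASE%.key" -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA "%SVR_BASE%_trust.pem" -CAkey "%SVR_BASE%.key" -CAcreateserial -%HASH% -out "%CTL_BASE%.pem"
if errorlevel 1 (
  echo could not create %CTL_BASE%.pem
  exit /b 1
)
if not exist "%CTL_BASE%.pem" (
  echo could not create %CTL_BASE%.pem
  exit /b 1
)
rem create trusted usage pem
rem "%SSL_PROGRAM%" x509 -in %CTL_BASE%.pem -addtrust clientAuth -out %CTL_BASE%_trust.pem

rem see details with "%SSL_PROGRAM%" x509 -noout -text < %SVR_BASE%.pem
rem echo "create %CTL_BASE%_browser.pfx (web client certificate)"
rem echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
rem echo "preferences - advanced - encryption - view certificates - your certs"
rem echo "empty password is used, simply click OK on the password dialog box."
rem "%SSL_PROGRAM%" pkcs12 -export -in %CTL_BASE%_trust.pem -inkey %CTL_BASE%.key -name "unbound remote control client cert" -out %CTL_BASE%_browser.pfx -password "pass:" || echo could not create browser certificate && exit 1

rem remove intermediate files.  No /S: only this directory is cleaned, never
rem same-named files in subdirectories of DESTDIR.
if exist request.cfg del /F /Q request.cfg
if exist "%CTL_BASE%_trust.pem" del /F /Q "%CTL_BASE%_trust.pem"
if exist "%SVR_BASE%_trust.pem" del /F /Q "%SVR_BASE%_trust.pem"
if exist "%SVR_BASE%_trust.srl" del /F /Q "%SVR_BASE%_trust.srl"

echo Setup success. Certificates created. Enable in unbound.conf file to use

exit /b 0

:help
echo unbound-control-setup.cmd - setup SSL keys for unbound-control
echo -d dir use directory to store keys and certificates.
echo default: %DESTDIR%
echo please run this command using the same user id that the
echo unbound daemon uses, it needs read privileges.
exit /b 1

rem ---------------------------------------------------------------------
rem write_request_cfg - (re)write request.cfg for an "openssl req" call
rem   %1 - commonName to put in the distinguished name
rem   Reads BITS and HASH.  Returns 0 on success, 1 if the file could
rem   not be written.
rem   The whole file is written through one grouped redirection rather
rem   than "echo value>>file" per line; that form lets cmd read a trailing
rem   digit of the value (e.g. default_bits) as a file-handle number.
rem ---------------------------------------------------------------------
:write_request_cfg
if exist request.cfg del /F /Q request.cfg
(
  echo [req]
  echo default_bits=%BITS%
  echo default_md=%HASH%
  echo prompt=no
  echo distinguished_name=req_distinguished_name
  echo.
  echo [req_distinguished_name]
  echo commonName=%~1
) > request.cfg
if not exist request.cfg (
  echo could not create request.cfg
  exit /b 1
)
exit /b 0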