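@echo off
rem
rem unbound-control-setup.cmd - set up SSL certificates for unbound-control
rem
rem Copyright (c) 2008, NLnet Labs. All rights reserved.
rem Modified for Windows by Y.Voinov (c) 2014
rem
rem This software is open source.
rem
rem Redistribution and use in source and binary forms, with or without
rem modification, are permitted provided that the following conditions
rem are met:
rem
rem Redistributions of source code must retain the above copyright notice,
rem this list of conditions and the following disclaimer.
rem
rem Redistributions in binary form must reproduce the above copyright notice,
rem this list of conditions and the following disclaimer in the documentation
rem and/or other materials provided with the distribution.
rem
rem Neither the name of the NLNET LABS nor the names of its contributors may
rem be used to endorse or promote products derived from this software without
rem specific prior written permission.
rem
rem THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
rem "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
rem LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
rem A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
rem HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
rem SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
rem TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
rem PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
rem LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
rem NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
rem SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

rem Usage: unbound-control-setup.cmd [-h] [-d dir]
rem
rem Creates the server key plus self-signed certificate and the client key
rem plus server-signed certificate that unbound and unbound-control use to
rem authenticate each other. Existing .key files are kept; certificates are
rem regenerated on every run. All failures return a non-zero status to the
rem caller with "exit /b" instead of "exit", so an interactive console is
rem not closed before the message can be read.

rem settings:

rem directory for files
rem "set "name=value"" keeps the quotes out of the value, so the path can be
rem quoted exactly once at the point of use even though it contains a space.
set "prefix=C:\Program Files"
set "DESTDIR=%prefix%\Unbound"

rem issuer and subject name for certificates
set "SERVERNAME=unbound"
set "CLIENTNAME=unbound-control"

rem validity period for certificates
set "DAYS=7200"

rem size of keys in bits
rem NOTE(review): the previous default was 1536; RSA keys shorter than
rem 2048 bits are below current recommendations, hence 3072 here.
set "BITS=3072"

rem hash algorithm
set "HASH=sha256"

rem base name for unbound server keys
set "SVR_BASE=unbound_server"

rem base name for unbound-control keys
set "CTL_BASE=unbound_control"

rem end of options

rem Check OpenSSL installed.
rem Clear any inherited SSL_PROGRAM so a stale environment value cannot
rem select a different binary; keep the first hit, which is the one a bare
rem "openssl" on PATH would resolve to.
set "SSL_PROGRAM="
for /f "delims=" %%a in ('where openssl 2^>nul') do (
  if not defined SSL_PROGRAM set "SSL_PROGRAM=%%a"
)
if not defined SSL_PROGRAM (
  echo SSL not found. If installed, add path to PATH environment variable.
  exit /b 1
)
echo SSL found: %SSL_PROGRAM%

rem %~1 / %~2 strip surrounding quotes so the values can be re-quoted below.
set "arg=%~1"
if /I "%arg%"=="-h" goto help
if /I "%arg%"=="-d" (
  if "%~2"=="" (
    echo -d requires a directory argument
    exit /b 1
  )
  set "DESTDIR=%~2"
)

rem go!:
echo setup in directory %DESTDIR%
rem /d also switches drive. A failed cd must abort: otherwise the private
rem keys would be written into whatever the current directory happens to be.
cd /d "%DESTDIR%" || (
  echo could not change to directory "%DESTDIR%"
  exit /b 1
)

rem create certificate keys; do not recreate if they already exist.
rem NOTE(review): the key files inherit the ACL of the setup directory;
rem make sure only the unbound service account and administrators can
rem read them.
rem "A || echo msg && exit 1" is evaluated by cmd.exe as "(A || echo) && exit",
rem so the exit could also run when A succeeded; the error handling is
rem therefore grouped in parentheses.
if exist "%SVR_BASE%.key" (
  echo %SVR_BASE%.key exists
) else (
  echo generating %SVR_BASE%.key
  "%SSL_PROGRAM%" genrsa -out "%SVR_BASE%.key" %BITS% || (
    echo could not genrsa
    exit /b 1
  )
)

if exist "%CTL_BASE%.key" (
  echo %CTL_BASE%.key exists
) else (
  echo generating %CTL_BASE%.key
  "%SSL_PROGRAM%" genrsa -out "%CTL_BASE%.key" %BITS% || (
    echo could not genrsa
    exit /b 1
  )
)

rem create self-signed cert for server
call :write_request_cfg "%SERVERNAME%" || exit /b 1

echo create %SVR_BASE%.pem (self signed certificate)
"%SSL_PROGRAM%" req -key "%SVR_BASE%.key" -config request.cfg -new -x509 -days %DAYS% -out "%SVR_BASE%.pem" || (
  echo could not create %SVR_BASE%.pem
  exit /b 1
)
rem create trusted usage pem
"%SSL_PROGRAM%" x509 -in "%SVR_BASE%.pem" -addtrust serverAuth -out "%SVR_BASE%_trust.pem" || (
  echo could not create %SVR_BASE%_trust.pem
  exit /b 1
)

rem create client request and sign it
call :write_request_cfg "%CLIENTNAME%" || exit /b 1

echo create %CTL_BASE%.pem (signed client certificate)
"%SSL_PROGRAM%" req -key "%CTL_BASE%.key" -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA "%SVR_BASE%_trust.pem" -CAkey "%SVR_BASE%.key" -CAcreateserial -%HASH% -out "%CTL_BASE%.pem"

rem only the last command's status survives a pipe, so verify the output file
if not exist "%CTL_BASE%.pem" (
  echo could not create %CTL_BASE%.pem
  exit /b 1
)
rem create trusted usage pem
rem "%SSL_PROGRAM%" x509 -in %CTL_BASE%.pem -addtrust clientAuth -out %CTL_BASE%_trust.pem

rem see details with "%SSL_PROGRAM%" x509 -noout -text < %SVR_BASE%.pem
rem echo "create %CTL_BASE%_browser.pfx (web client certificate)"
rem echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
rem echo "preferences - advanced - encryption - view certificates - your certs"
rem echo "empty password is used, simply click OK on the password dialog box."
rem "%SSL_PROGRAM%" pkcs12 -export -in %CTL_BASE%_trust.pem -inkey %CTL_BASE%.key -name "unbound remote control client cert" -out %CTL_BASE%_browser.pfx -password "pass:" || echo could not create browser certificate && exit 1

rem remove temporary files.
rem No "/S": that switch would also delete same-named files in every
rem subdirectory of the setup directory.
if exist request.cfg del /F /Q request.cfg
if exist "%CTL_BASE%_trust.pem" del /F /Q "%CTL_BASE%_trust.pem"
if exist "%SVR_BASE%_trust.pem" del /F /Q "%SVR_BASE%_trust.pem"
if exist "%SVR_BASE%_trust.srl" del /F /Q "%SVR_BASE%_trust.srl"

echo Setup success. Certificates created. Enable in unbound.conf file to use

exit /b 0

rem ---------------------------------------------------------------------
rem write_request_cfg - (re)create request.cfg for "openssl req"
rem   %1  subject commonName to put in the request
rem   Returns 0 on success, 1 if the file could not be written.
rem
rem The ">>request.cfg" redirection is placed BEFORE "echo" on purpose:
rem with "echo default_md=%HASH%>>request.cfg" cmd.exe reads the digit that
rem ends the value ("6>>") as a file-handle redirection, the text goes to
rem the console and the default_bits / default_md lines never reach the file.
rem ---------------------------------------------------------------------
:write_request_cfg
if exist request.cfg del /F /Q request.cfg
>>request.cfg echo [req]
>>request.cfg echo default_bits=%BITS%
>>request.cfg echo default_md=%HASH%
>>request.cfg echo prompt=no
>>request.cfg echo distinguished_name=req_distinguished_name
>>request.cfg echo.
>>request.cfg echo [req_distinguished_name]
>>request.cfg echo commonName=%~1
if not exist request.cfg (
  echo could not create request.cfg
  exit /b 1
)
exit /b 0

:help
echo unbound-control-setup.cmd - setup SSL keys for unbound-control
echo -d dir use directory to store keys and certificates.
echo default: %DESTDIR%
echo please run this command using the same user id that the
echo unbound daemon uses, it needs read privileges.
exit /b 1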