1#!/bin/sh 2# 3# nsd-control-setup.sh - set up SSL certificates for nsd-control 4# 5# Copyright (c) 2011, NLnet Labs. All rights reserved. 6# 7# This software is open source. 8# 9# Redistribution and use in source and binary forms, with or without 10# modification, are permitted provided that the following conditions 11# are met: 12# 13# Redistributions of source code must retain the above copyright notice, 14# this list of conditions and the following disclaimer. 15# 16# Redistributions in binary form must reproduce the above copyright notice, 17# this list of conditions and the following disclaimer in the documentation 18# and/or other materials provided with the distribution. 19# 20# Neither the name of the NLNET LABS nor the names of its contributors may 21# be used to endorse or promote products derived from this software without 22# specific prior written permission. 23# 24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 36# settings: 37 38# directory for files 39DESTDIR=@configdir@ 40 41# issuer and subject name for certificates 42SERVERNAME=nsd 43CLIENTNAME=nsd-control 44 45# validity period for certificates 46DAYS=7200 47 48# size of keys in bits 49BITS=3072 50 51# hash algorithm 52HASH=sha256 53 54# base name for nsd server keys 55SVR_BASE=nsd_server 56 57# base name for nsd-control keys 58CTL_BASE=nsd_control 59 60# flag to recreate generated certificates 61RECREATE=0 62 63# we want -rw-r--- access (say you run this as root: grp=yes (server), all=no). 64umask 0026 65 66# end of options 67 68set -eu 69 70cleanup() { 71 echo "removing artifacts" 72 73 rm -rf \ 74 server.cnf \ 75 client.cnf \ 76 "${SVR_BASE}_trust.pem" \ 77 "${CTL_BASE}_trust.pem" \ 78 "${SVR_BASE}_trust.srl" 79} 80 81fatal() { 82 printf "fatal error: $*\n" >/dev/stderr 83 exit 1 84} 85 86usage() { 87 cat <<EOF 88usage: $0 OPTIONS 89OPTIONS 90-d <dir> used directory to store keys and certificates (default: $DESTDIR) 91-h show help notice 92-r recreate certificates 93EOF 94} 95 96OPTIND=1 97while getopts 'd:hr' arg; do 98 case "$arg" in 99 d) DESTDIR="$OPTARG" ;; 100 h) usage; exit 1 ;; 101 r) RECREATE=1 ;; 102 ?) fatal "'$arg' unknown option" ;; 103 esac 104done 105shift $((OPTIND - 1)) 106 107 108echo "setup in directory $DESTDIR" 109cd "$DESTDIR" 110 111trap cleanup INT 112 113# === 114# Generate server certificate 115# === 116 117# generate private key; do no recreate it if they already exist. 118if [ ! -f "$SVR_BASE.key" ]; then 119 openssl genrsa -out "$SVR_BASE.key" "$BITS" 120fi 121 122cat >server.cnf <<EOF 123[req] 124default_bits=$BITS 125default_md=$HASH 126prompt=no 127distinguished_name=req_distinguished_name 128x509_extensions=v3_ca 129[req_distinguished_name] 130commonName=$SERVERNAME 131[v3_ca] 132subjectKeyIdentifier=hash 133authorityKeyIdentifier=keyid:always,issuer:always 134basicConstraints=critical,CA:TRUE,pathlen:0 135subjectAltName=DNS:$SERVERNAME 136EOF 137 138[ -f server.cnf ] || fatal "cannot create openssl configuration" 139 140if [ ! -f "$SVR_BASE.pem" -o $RECREATE -eq 1 ]; then 141 openssl req \ 142 -new -x509 \ 143 -key "$SVR_BASE.key" \ 144 -config server.cnf \ 145 -days "$DAYS" \ 146 -out "$SVR_BASE.pem" 147 148 [ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate" 149fi 150 151# === 152# Generate client certificate 153# === 154 155# generate private key; do no recreate it if they already exist. 156if [ ! -f "$CTL_BASE.key" ]; then 157 openssl genrsa -out "$CTL_BASE.key" "$BITS" 158fi 159 160cat >client.cnf <<EOF 161[req] 162default_bits=$BITS 163default_md=$HASH 164prompt=no 165distinguished_name=req_distinguished_name 166req_extensions=v3_req 167[req_distinguished_name] 168commonName=$CLIENTNAME 169[v3_req] 170basicConstraints=critical,CA:FALSE 171subjectAltName=DNS:$CLIENTNAME 172EOF 173 174[ -f client.cnf ] || fatal "cannot create openssl configuration" 175 176if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then 177 openssl x509 \ 178 -addtrust serverAuth \ 179 -in "$SVR_BASE.pem" \ 180 -out "${SVR_BASE}_trust.pem" 181 182 openssl req \ 183 -new \ 184 -config client.cnf \ 185 -key "$CTL_BASE.key" \ 186 | openssl x509 \ 187 -req \ 188 -days "$DAYS" \ 189 -CA "${SVR_BASE}_trust.pem" \ 190 -CAkey "$SVR_BASE.key" \ 191 -CAcreateserial \ 192 -$HASH \ 193 -extfile client.cnf \ 194 -extensions v3_req \ 195 -out "$CTL_BASE.pem" 196 197 [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate" 198fi 199 200# remove unused permissions 201chmod o-rw \ 202 "$SVR_BASE.pem" \ 203 "$SVR_BASE.key" \ 204 "$CTL_BASE.pem" \ 205 "$CTL_BASE.key" 206 207cleanup 208 209echo "Setup success. Certificates created. Enable in nsd.conf file to use" 210 211# create trusted usage pem 212# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" 213 214# see details with openssl x509 -noout -text < $SVR_BASE.pem 215# echo "create $CTL_BASE""_browser.pfx (web client certificate)" 216# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" 217# echo "preferences - advanced - encryption - view certificates - your certs" 218# echo "empty password is used, simply click OK on the password dialog box." 219# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "nsd remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" 220