1#!/bin/sh
2#
3# nsd-control-setup.sh - set up SSL certificates for nsd-control
4#
5# Copyright (c) 2011, NLnet Labs. All rights reserved.
6#
7# This software is open source.
8#
9# Redistribution and use in source and binary forms, with or without
10# modification, are permitted provided that the following conditions
11# are met:
12#
13# Redistributions of source code must retain the above copyright notice,
14# this list of conditions and the following disclaimer.
15#
16# Redistributions in binary form must reproduce the above copyright notice,
17# this list of conditions and the following disclaimer in the documentation
18# and/or other materials provided with the distribution.
19#
20# Neither the name of the NLNET LABS nor the names of its contributors may
21# be used to endorse or promote products derived from this software without
22# specific prior written permission.
23#
24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35
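# settings:

# directory for files (substituted by configure; can be overridden with -d)
DESTDIR=@configdir@

# issuer and subject name for certificates (used as commonName)
SERVERNAME=nsd
CLIENTNAME=nsd-control

# validity period for certificates, in days (3650 = ten years)
DAYS=3650

# size of keys in bits
BITS=3072

# hash algorithm
HASH=sha256

# base name for nsd server keys
SVR_BASE=nsd_server

# base name for nsd-control keys
CTL_BASE=nsd_control

# flag to recreate generated certificates (set by -r); private keys are
# never recreated, only the certificates signed with them
RECREATE=0

# we want -rw-r----- on everything this script creates (say you run this as
# root: grp=yes (server), all=no).  0026 gives files mode 0640 and
# directories mode 0751, so private keys are never world-readable, not even
# between creation and the final chmod.
umask 0026

# end of options

# abort on the first failing command or unset variable
set -eu
# pipefail is not part of POSIX sh; enable it where the shell supports it so
# that a failing first stage of the "csr | sign" pipeline cannot be masked by
# the exit status of the second stage.  The probe runs in a subshell so an
# unsupported option only yields a non-zero status instead of an error.
(set -o pipefail) 2>/dev/null && set -o pipefail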
69
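# Remove the intermediate files this script writes into $DESTDIR: the two
# openssl request configurations, the trust-annotated copies of the
# certificates and the serial file created by -CAcreateserial.
# Keys and final certificates are left untouched.
cleanup() {
    echo "removing artifacts"

    # All of these are regular files with fixed names; no recursion is
    # needed, and '--' keeps rm from treating any name as an option.
    rm -f -- \
       server.cnf \
       client.cnf \
       "${SVR_BASE}_trust.pem" \
       "${CTL_BASE}_trust.pem" \
       "${SVR_BASE}_trust.srl"
}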
80
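# Print "fatal error: <message>" on stderr and exit with status 1.
# Arguments: the message words (joined with spaces).
fatal() {
    # The message is passed as a printf argument, never as the format string,
    # so a '%' or backslash in it (e.g. from an option value) is printed
    # literally instead of being interpreted.
    printf 'fatal error: %s\n' "$*" >&2
    exit 1
}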
85
# Print the help text for -h on stdout.
# Reads: DESTDIR (shown as the default directory), $0 (program name).
usage() {
    printf '%s\n' \
        "usage: $0 OPTIONS" \
        "" \
        "OPTIONS" \
        "" \
        "-d <dir>  used directory to store keys and certificates (default: $DESTDIR)" \
        "-h        show help notice" \
        "-r        recreate certificates"
}
97
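# Command line: -d <dir>, -h, -r (see usage).  The leading ':' in the option
# string puts getopts in silent mode, so the offending option letter is
# available in OPTARG and the error messages below can name it.
OPTIND=1
while getopts ':d:hr' arg; do
    case "$arg" in
      d) DESTDIR="$OPTARG" ;;
      h) usage; exit 0 ;;
      r) RECREATE=1 ;;
      :) fatal "option '-$OPTARG' requires an argument" ;;
      \?) fatal "'-$OPTARG' unknown option" ;;
    esac
done
shift $((OPTIND - 1))

# Stray positional arguments are most likely a typo (e.g. a forgotten -d);
# refuse them instead of silently ignoring them.
[ $# -eq 0 ] || fatal "unexpected argument '$1'"

echo "setup in directory $DESTDIR"
# everything below works on relative file names inside $DESTDIR
cd "$DESTDIR" || fatal "cannot change to directory '$DESTDIR'"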
112
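# Remove the intermediate files on every exit path, not only on Ctrl-C: an
# openssl failure aborting the script under `set -e` would otherwise leave
# server.cnf, client.cnf and the *_trust.* files behind in $DESTDIR.  Signals
# are turned into a normal exit so that the EXIT trap still fires.
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

# ===
# Generate server certificate
# ===

# generate private key; do not recreate it if it already exists.
# The umask above makes the key file mode 0640 from the moment it is written.
if [ ! -f "$SVR_BASE.key" ]; then
    openssl genrsa -out "$SVR_BASE.key" "$BITS"
fi

# openssl req settings; the [req] section is named explicitly so the file
# has the same layout as client.cnf below
cat >server.cnf <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name

[req_distinguished_name]
commonName=$SERVERNAME
EOF

[ -f server.cnf ] || fatal "cannot create openssl configuration"

# self-signed server certificate; it also acts as the issuer of the client
# certificate below, which is why -r recreates both certificates
if [ ! -f "$SVR_BASE.pem" ] || [ "$RECREATE" -eq 1 ]; then
    openssl req \
            -new -x509 \
            -key "$SVR_BASE.key" \
            -config server.cnf  \
            -days "$DAYS" \
            -out "$SVR_BASE.pem"

    # the -out file must really exist; openssl's own exit status is already
    # covered by set -e, this guards against an empty or missing result
    [ -f "$SVR_BASE.pem" ] || fatal "cannot create server certificate"
fi

# ===
# Generate client certificate
# ===

# generate private key; do not recreate it if it already exists.
if [ ! -f "$CTL_BASE.key" ]; then
    openssl genrsa -out "$CTL_BASE.key" "$BITS"
fi

cat >client.cnf <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name

[req_distinguished_name]
commonName=$CLIENTNAME
EOF

[ -f client.cnf ] || fatal "cannot create openssl configuration"

if [ ! -f "$CTL_BASE.pem" ] || [ "$RECREATE" -eq 1 ]; then
    # copy of the server certificate carrying a serverAuth trust setting;
    # it is the CA file for signing the client certificate and is removed
    # again by cleanup (together with the .srl file -CAcreateserial writes)
    openssl x509 \
        -addtrust serverAuth \
        -in "$SVR_BASE.pem" \
        -out "${SVR_BASE}_trust.pem"

    # The CSR is piped straight into the signing step.  /bin/sh may not
    # support pipefail, so a failing `openssl req` is only seen through
    # `openssl x509 -req` rejecting the empty input and through the
    # existence check after the pipeline.
    openssl req \
            -new \
            -config client.cnf \
            -key "$CTL_BASE.key" \
        | openssl x509 \
                  -req \
                  -days "$DAYS" \
                  -CA "${SVR_BASE}_trust.pem" \
                  -CAkey "$SVR_BASE.key" \
                  -CAcreateserial \
                  "-$HASH" \
                  -out "$CTL_BASE.pem"

    [ -f "$CTL_BASE.pem" ] || fatal "cannot create signed client certificate"
fi

# remove unused permissions: files created by this run already have mode
# 0640 through the umask, but a pre-existing key or certificate may have been
# created with a looser mode, so take "other" access away unconditionally
chmod o-rw \
      "$SVR_BASE.pem" \
      "$SVR_BASE.key" \
      "$CTL_BASE.pem" \
      "$CTL_BASE.key"

# success path: disarm the EXIT trap and remove the intermediates explicitly,
# before the final message, so cleanup runs exactly once
trap - EXIT
cleanup

echo "Setup success. Certificates created. Enable in nsd.conf file to use"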
201
202
# optional: create a copy of the client certificate with an explicit clientAuth trust setting
# openssl x509 -in "$CTL_BASE.pem" -addtrust clientAuth -out "${CTL_BASE}_trust.pem"
205
# inspect a certificate with: openssl x509 -noout -text < $SVR_BASE.pem
# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
# echo "preferences - advanced - encryption - view certificates - your certs"
# echo "empty password is used, simply click OK on the password dialog box."
# NOTE: with -password "pass:" the resulting .pfx contains the client private key
# without any passphrase protection; keep it from other users exactly like
# $CTL_BASE.key (this script has no "error" function, use fatal).
# openssl pkcs12 -export -in "${CTL_BASE}_trust.pem" -inkey "$CTL_BASE.key" -name "nsd remote control client cert" -out "${CTL_BASE}_browser.pfx" -password "pass:" || fatal "could not create browser certificate"
212