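#!/bin/sh
##
## gentestcrt -- Create self-signed test certificate
## (C) 2001 Jean-Michel Dault <jmdault@mandrakesoft.com> and Mandrakesoft
## Based on cca.sh script by Ralf S. Engelschall
##
## Usage: run from the directory that should receive server.key and
## server.crt.  A throw-away CA is generated first, the server
## certificate is signed by it, and only server.key/server.crt are kept.
## "openssl req" prompts for the subject fields, so a terminal is needed.
##
## Environment:
##   GENTESTCRT_OPENSSL  path to the openssl binary (default /usr/bin/openssl)
##   GENTESTCRT_KEYBITS  RSA key size for the CA and server keys (default 2048)
##   TMPDIR              parent of the scratch directory (default /tmp)
##
## The result is a TEST certificate: every extension in the .cfg blocks
## below is commented out, so it carries no subjectAltName and no
## basicConstraints, and the CA that signed it is discarded afterwards.
##

set -u

# external tools
openssl="${GENTESTCRT_OPENSSL:-/usr/bin/openssl}"

# RSA key size for the CA key and the server key.  The original
# hard-coded 1024 bits, which "openssl verify" rejects at the default
# security level of current OpenSSL builds; 2048 still verifies everywhere.
keybits="${GENTESTCRT_KEYBITS:-2048}"

# validity of the CA and the server certificate, in days
days=365

# name of the key pair that is produced (server.key / server.crt)
user="server"

#######################################
# Print an error in the historic "cca:Error:" form and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'cca:Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print the separator line used between steps.
#######################################
rule() {
  echo "______________________________________________________________________"
  echo ""
}

#######################################
# Generate an RSA private key, seeding the PRNG from $randfiles when
# any were found.
# Globals:   openssl, keybits, randfiles (read)
# Arguments: $1 - output file
# Returns:   openssl's exit status
#######################################
genkey() {
  if [ -n "$randfiles" ]; then
    "$openssl" genrsa -rand "$randfiles" -out "$1" "$keybits"
  else
    "$openssl" genrsa -out "$1" "$keybits"
  fi
}

# some optional terminal sequences: bold on / attributes off.
# The original built these with awk (the vt100 variant also appended two
# NUL bytes, which command substitution drops anyway) and spelled the
# last arm "default)", a literal pattern that never matched; "*)" is the
# catch-all.
case "${TERM:-}" in
  xterm*|vt220*|vt100*)
    T_MD=$(printf '\033[1m')
    T_ME=$(printf '\033[m')
    ;;
  *)
    T_MD=''
    T_ME=''
    ;;
esac

# find some random files to seed openssl's PRNG
# (do not use /dev/random here, because this device
# doesn't work as expected on all platforms)
# Only readable files qualify: some openssl versions abort genrsa when a
# -rand file cannot be loaded, and /var/log/messages is usually root-only.
randfiles=''
for file in /var/log/messages /var/adm/messages \
            /kernel /vmunix /vmlinuz \
            /etc/hosts /etc/resolv.conf; do
  if [ -f "$file" ] && [ -r "$file" ]; then
    if [ -z "$randfiles" ]; then
      randfiles="$file"
    else
      randfiles="${randfiles}:$file"
    fi
  fi
done

echo "${T_MD}maketestcrt -- Create self-signed test certificate${T_ME}"
echo "(C) 2001 Jean-Michel Dault <jmdault@mandrakesoft.com> and Mandrakesoft"
echo "Based on cca.sh script by Ralf S. Engelschall"
echo ""

[ -x "$openssl" ] || die "openssl not found at $openssl"

# a key/certificate pair carrying the DUMMY marker is moved aside rather
# than treated as an existing installation
grep -q -s DUMMY server.crt && mv server.crt server.crt.dummy
grep -q -s DUMMY server.key && mv server.key server.key.dummy

echo ""
echo ""

if [ ! -e ./server.crt ] && [ ! -e ./server.key ]; then
  echo "Will create server.key and server.crt in $(pwd)"
else
  # exit status 0 is deliberate (as in the original): a re-run over an
  # existing pair is a no-op, not a failure
  echo "server.key and server.crt already exist, dying"
  exit 0
fi

echo ""

origdir=$(pwd) || die "cannot determine current directory"

# Private keys must never exist world-readable, not even for the moment
# between creation and the final chmod.
umask 077

# Scratch directory with an unpredictable name.  The original used
# /tmp/tmpssl-$$, which another local user could pre-create or replace
# with a symlink; the EXIT trap also removes it on the error paths,
# where the original left CA and server keys behind.
tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/tmpssl.XXXXXX") \
  || die "cannot create temporary directory"
trap 'rm -rf -- "${tmpdir:?}"' EXIT
trap 'exit 1' HUP INT TERM
cd "$tmpdir" || die "cannot enter $tmpdir"

echo "${T_MD}INITIALIZATION${T_ME}"

echo ""
echo "${T_MD}Generating custom Certificate Authority (CA)${T_ME}"
rule
echo "${T_MD}STEP 1: Generating RSA private key for CA (${keybits} bit)${T_ME}"
: > ca.rnd
echo '01' > ca.ser
genkey ca.key || die "Failed to generate RSA private key"
rule
echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA${T_ME}"
cat > .cfg <<EOT
[ req ]
default_bits = ${keybits}
distinguished_name = req_DN
RANDFILE = ca.rnd
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
#countryName_default = CA
#countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
#stateOrProvinceName_default = "Quebec"
localityName = "3. Locality Name (eg, city) "
#localityName_default = "Montreal"
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = "Apache HTTP Server"
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = "For testing purposes only"
commonName = "6. Common Name (eg, CA name) "
commonName_max = 64
commonName_default = "localhost"
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
#emailAddress_default = "root@localhost"
EOT
"$openssl" req -config .cfg -new -key ca.key -out ca.csr \
  || die "Failed to generate certificate signing request"
rule
echo "${T_MD}STEP 3: Generating X.509 certificate for CA signed by itself${T_ME}"
# every extension is commented out, so the CA certificate has no
# basicConstraints -- acceptable only because it is thrown away below
cat > .cfg <<EOT
#extensions = x509v3
#[ x509v3 ]
#subjectAltName = email:copy
#basicConstraints = CA:true,pathlen:0
#nsComment = "CCA generated custom CA certificate"
#nsCertType = sslCA
EOT
"$openssl" x509 -extfile .cfg -req -days "$days" -signkey ca.key -in ca.csr -out ca.crt \
  || die "Failed to generate self-signed CA certificate"
rule
echo "${T_MD}RESULT:${T_ME}"
# Verify the CA certificate against itself: a bare "openssl verify ca.crt"
# only passed on old releases whose verify callback tolerated a
# self-signed leaf.
"$openssl" verify -CAfile ca.crt ca.crt \
  || die "Failed to verify resulting X.509 certificate"
"$openssl" x509 -text -in ca.crt
# Key consistency check only.  The original ran "rsa -text", which
# prints the private key to stdout and thus into install logs.
"$openssl" rsa -noout -check -in ca.key

echo "${T_MD}CERTIFICATE GENERATION${T_ME}"

echo ""
echo "${T_MD}Generating custom USER${T_ME} [$user]"
rule
echo "${T_MD}STEP 5: Generating RSA private key for USER (${keybits} bit)${T_ME}"
genkey "$user.key" || die "Failed to generate RSA private key"
rule
echo "${T_MD}STEP 6: Generating X.509 certificate signing request for USER${T_ME}"
cat > .cfg <<EOT
[ req ]
default_bits = ${keybits}
distinguished_name = req_DN
RANDFILE = ca.rnd
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
#countryName_default = XY
#countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
#stateOrProvinceName_default = "Unknown"
localityName = "3. Locality Name (eg, city) "
#localityName_default = "Server Room"
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = "Apache HTTP Server"
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = "Test Certificate"
commonName = "6. Common Name (eg, DOMAIN NAME) "
commonName_max = 64
commonName_default = "localhost"
emailAddress = "7. Email Address (eg, name@fqdn)"
emailAddress_max = 40
#emailAddress_default = "root@localhost"
EOT
"$openssl" req -config .cfg -new -key "$user.key" -out "$user.csr" \
  || die "Failed to generate certificate signing request"
rule
echo "${T_MD}STEP 7: Generating X.509 certificate signed by own CA${T_ME}"
# Extensions are commented out here too: the server certificate carries
# no subjectAltName, which current TLS clients require for host-name
# matching -- another reason it is fit for testing only.
cat > .cfg <<EOT
#extensions = x509v3
#[ x509v3 ]
#subjectAltName = email:copy
#basicConstraints = CA:false,pathlen:0
#nsComment = "CCA generated client certificate"
#nsCertType = client
EOT
"$openssl" x509 -extfile .cfg -days "$days" -CAserial ca.ser -CA ca.crt -CAkey ca.key \
  -in "$user.csr" -req -out "$user.crt" \
  || die "Failed to generate X.509 certificate"
# (The original also extracted the CA and user CN for a PKCS#12 export
# that was itself commented out; both are dropped as unused.)
rule
echo "${T_MD}RESULT:${T_ME}"
"$openssl" verify -CAfile ca.crt "$user.crt" \
  || die "Failed to verify resulting X.509 certificate"
"$openssl" x509 -text -in "$user.crt"
"$openssl" rsa -noout -check -in "$user.key"

cd "$origdir" || die "cannot return to $origdir"

# Only the server key pair leaves the scratch directory; the CA key,
# serial file and CSRs disappear with it in the EXIT trap.
chmod 400 "$tmpdir/$user.key" "$tmpdir/$user.crt" \
  || die "Failed to restrict permissions on $user.key and $user.crt"

echo "Certificate creation done!"
cp "$tmpdir/$user.key" "$tmpdir/$user.crt" . \
  || die "Failed to copy $user.key and $user.crt into $origdir"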