CA mk ca struct

Aus Neobikers Wiki
Version vom 27. Juni 2008, 20:36 Uhr von Neobiker (Diskussion | Beiträge)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springen Zur Suche springen

./scripts/mk_ca_struct

#!/bin/sh
# RootCA + Server-CA + UserCA erstellen
#
# $Id: mk_ca_struct,v 1.2 2008/06/26 20:49:58 root Exp root $
#
# $Log: mk_ca_struct,v $
# Revision 1.2  2008/06/26 20:49:58  root
# *** empty log message ***
#
# Revision 1.1  2008/06/26 20:35:28  root
# Initial revision
#
#

absolute_dir ()
{
    [ -d "$1" ] || exit 1
    pushd "$1" >/dev/null
    pwd
    popd >/dev/null
}

bdir=`dirname $0`
pwd=`pwd`

echo -n "Where to install the CA directories [$pwd] "
read a

if [ -z "$a" ]; then
    CA_DIR=$pwd
else
    [ -d "$1" ] || mkdir $a
    CA_DIR=`absolute_dir $a`
fi

if [ -d $CA_DIR/certs ]; then
    echo -n "Warning: $CA_DIR/certs found - delete all [n] "
    read b

    if [ -z "$b" -o "$b" == "n" -o "$b" == "N" ]; then
        echo "OK, exiting"
        exit 0
    fi

else
    [ -d $CA_DIR ] || mkdir $CA_DIR
fi

cp -r $bdir $CA_DIR
pushd $CA_DIR

rm -rf certs private RootCA ServerCA UserCA 2>/dev/null
mkdir certs private

cat <<EOF > openssl.cnf
# openssl.cnf by neobiker

HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

path = $CA_DIR

EOF

cat scripts/openssl.cnf.tpl >> openssl.cnf

cat <<EOF

----------------------
Erstelle eine Root CA:

EOF

mkdir RootCA
cd RootCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..

openssl req -config openssl.cnf \
            -newkey rsa:2048 -x509 -days 1825 \
            -out    RootCA/private/RCAcert.pem -outform PEM \
            -keyout RootCA/private/RCAkey.pem

cp RootCA/private/RCAcert.pem certs/00.pem
cd certs
c_rehash .
cd ..

cat <<EOF


----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):

EOF

cd $CA_DIR
mkdir ServerCA
cd ServerCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..

openssl req -config openssl.cnf \
            -newkey rsa:2048 -days 1825 \
            -out    ServerCA/private/SCAreq.pem -outform PEM \
            -keyout ServerCA/private/SCAkey.pem

openssl ca -config openssl.cnf \
           -name Root_CA \
           -in  ServerCA/private/SCAreq.pem \
           -out ServerCA/private/SCAcert.pem

cp ServerCA/private/SCAcert.pem certs/01.pem
cd certs
c_rehash .
cd ..

cat <<EOF


---------------------------------------------
Erstelle eine User CA (signiert von Root CA):

EOF

cd $CA_DIR
mkdir UserCA
cd UserCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..

openssl req -config openssl.cnf \
            -newkey rsa:2048 -days 1825 \
            -out    UserCA/private/UCAreq.pem -outform PEM \
            -keyout UserCA/private/UCAkey.pem

openssl ca -config openssl.cnf \
           -name Root_CA \
           -in  UserCA/private/UCAreq.pem \
           -out UserCA/private/UCAcert.pem

cp UserCA/private/UCAcert.pem certs/02.pem
cd certs
c_rehash .
cd ..

popd