
#!/bin/bash
#
# Copyright 2013-2016 Aeneas Jaissle <aj@ajaissle.de>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 3 or, at your option, any later version
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Library General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin street, Fifth Floor, Boston, MA 02111-1301, USA.
#

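# Check for a server certificate/key for this host under /etc/ssl and, if one
# is missing, interactively create a local CA (when absent), a server key, a
# CSR and a CA-signed server certificate.
#
# Must run as a user that can write to /etc/ssl and needs a terminal (it
# prompts for passphrases and for the CSR subject).
set -eu -o pipefail

_AFFIX=""
_ROOT="/etc/ssl"
_DIR_PRIV="$_ROOT/private"
_DIR_CERT="$_ROOT/servercerts"
_FILE_CA="$_ROOT/cacert.pem"
_FILE_CA_KEY="$_DIR_PRIV/cakey.pem"
_FILE_CNF="$_ROOT/openssl.cnf"
_FQDN="$(hostname -f)"
_FILE_CSR="$_DIR_CERT/$_FQDN$_AFFIX.csr"
_FILE_CERT="$_DIR_CERT/$_FQDN$_AFFIX.pem"
_FILE_KEY="$_DIR_CERT/$_FQDN$_AFFIX.key"
readonly _AFFIX _ROOT _DIR_PRIV _DIR_CERT _FILE_CA _FILE_CA_KEY _FILE_CNF \
  _FQDN _FILE_CSR _FILE_CERT _FILE_KEY

# CA key passphrase; filled by create_ca or asked for in sign_server_cert.
PASS=""

#######################################
# Print a random passphrase to stdout.
# Arguments: $1 - number of random bytes (printed as 2*$1 hex chars), default 20
#######################################
gen_passphrase() {
  local -r nbytes=${1:-20}
  openssl rand -hex "$nbytes"
}

#######################################
# Check that the server key and certificate exist and are non-empty.
# Outputs: one "  ERROR: ..." line per problem
# Returns: 0 when both files are present and non-empty, 1 otherwise
#######################################
check_presence() {
  local missing=0

  if [[ ! -f "$_FILE_KEY" ]]; then
    echo "  ERROR: No certificate key found at $_FILE_KEY"
    missing=1
  elif [[ ! -s "$_FILE_KEY" ]]; then
    echo "  ERROR: Certificate key has a size of zero!"
    missing=1
  fi

  if [[ ! -f "$_FILE_CERT" ]]; then
    echo "  ERROR: No server certificate found at $_FILE_CERT"
    missing=1
  elif [[ ! -s "$_FILE_CERT" ]]; then
    echo "  ERROR: Server certificate has a size of zero."
    missing=1
  fi

  return "$missing"
}

#######################################
# Make sure openssl.cnf exists and point its [ CA_default ] layout at $_ROOT
# instead of the stock ./demoCA layout (dir, new_certs_dir, default_md).
# A backup of the untouched file is kept next to it.
# Returns: exits 1 when openssl.cnf is missing
#######################################
adjust_openssl_cnf() {
  if [[ ! -f "$_FILE_CNF" ]]; then
    echo
    echo "  $_FILE_CNF is missing. Is openssl installed?"
    echo "  Exiting."
    exit 1
  fi

  # demoCA is only present in the stock file, so this also makes the
  # adjustment idempotent.
  if grep -q demoCA "$_FILE_CNF"; then
    echo
    echo "Adjusting openssl.cnf..."
    cp -p "$_FILE_CNF" "$_FILE_CNF.backup.$(date --rfc-3339=date)"
    # Anchor on the option names rather than on line numbers so a differently
    # laid-out openssl.cnf is not edited at the wrong place.
    sed -i 's;^\(dir[[:space:]]*=[[:space:]]*\)\./demoCA;\1.;' "$_FILE_CNF"
    sed -i 's;^\(new_certs_dir[[:space:]]*=[[:space:]]*\)\$dir/newcerts;\1$dir/servercerts;' "$_FILE_CNF"
    sed -i 's;^\(default_md[[:space:]]*=[[:space:]]*\)default;\1sha256;' "$_FILE_CNF"
  fi
}

#######################################
# Create the CA key and self-signed CA certificate when $_FILE_CA is absent.
# Globals: PASS (written) - the passphrase protecting the CA key
#######################################
create_ca() {
  if [[ -e "$_FILE_CA" ]]; then
    return 0
  fi

  echo
  echo "Creating certificate authority... "
  mkdir -p "$_DIR_PRIV"
  chmod 700 "$_DIR_PRIV"

  local dpass
  dpass=$(gen_passphrase 20)
  # -s: do not echo what is typed. The generated default is shown in the
  # prompt on purpose: the operator has to know it to sign certificates later.
  read -r -s -p "  Supply a passphrase for this CA: [$dpass] " PASS
  echo
  if [[ -z "$PASS" ]]; then
    PASS=$dpass
  fi

  # never overwrite an existing CA key silently
  if [[ -f "$_FILE_CA_KEY" ]]; then
    mv "$_FILE_CA_KEY" "$_FILE_CA_KEY.backup.$(date --rfc-3339=date)"
  fi

  # sha256, 4096-bit RSA, valid for 5 years + 5 days. The passphrase is passed
  # through the environment (env:PASS) instead of the command line so it is
  # not exposed in the process list.
  export PASS
  openssl req -new -x509 -sha256 -newkey rsa:4096 -keyout "$_FILE_CA_KEY" \
    -out "$_FILE_CA" -days 1830 -passout env:PASS

  chmod 600 "$_FILE_CA_KEY"
}

#######################################
# Generate the unencrypted server key and a CSR for it (the CSR subject is
# asked for interactively by openssl req).
#######################################
create_server_key_and_csr() {
  echo
  echo
  echo "Creating server certificate..."
  mkdir -p "$_DIR_CERT"

  echo "  Generating RSA private key, 4096 bit long modulus..."
  # The key has to be usable without a passphrase, so it is generated that way
  # directly rather than encrypted and decrypted again. umask 077 in the
  # subshell keeps the fresh file from ever being world-readable.
  ( umask 077 && openssl genrsa -out "$_FILE_KEY" 4096 > /dev/null )
  # 640: the owning group (the services using the key) may read it.
  chmod 640 "$_FILE_KEY"

  echo
  echo "  Generating certificate signing request..."
  echo
  openssl req -new -sha256 -nodes -key "$_FILE_KEY" -out "$_FILE_CSR"
}

#######################################
# Make sure index.txt and serial exist for `openssl ca`. serial holds a hex
# number (openssl's format); an existing value is kept in serial.old and the
# incremented value is written back, zero-padded to at least two digits.
#######################################
prepare_ca_database() {
  if [[ ! -f "$_ROOT/index.txt" ]]; then
    touch "$_ROOT/index.txt"
  fi

  if [[ ! -s "$_ROOT/serial" ]]; then
    echo 01 > "$_ROOT/serial"
  else
    local old
    old=$(< "$_ROOT/serial")
    mv "$_ROOT/serial" "$_ROOT/serial.old"
    # 16#: read the value as hex; a value such as 08 or 09 would otherwise be
    # taken as an (invalid) octal number by bash arithmetic.
    printf '%02X\n' "$(( 16#$old + 1 ))" > "$_ROOT/serial"
  fi
}

#######################################
# Sign the CSR with the CA, valid for 1 year + 5 days, writing $_FILE_CERT.
# Globals: PASS (read, asked for when empty)
#######################################
sign_server_cert() {
  echo "  Signing generated certificate..."
  prepare_ca_database

  if [[ -z "$PASS" ]]; then
    read -r -s -p "  Supply the passphrase for your CA: [] " PASS
    echo
  fi

  # -passin env:PASS keeps the CA passphrase off the command line.
  export PASS
  openssl ca -in "$_FILE_CSR" -md sha256 -notext -out "$_FILE_CERT" \
    -passin env:PASS -days 370
}

main() {
  echo "Checking for server certificate..."
  if check_presence; then
    echo "Found server certificate and key"
    echo "Exiting."
    exit 0
  fi

  echo
  # Everything below prompts the operator; refuse to guess without a terminal.
  if [[ ! -t 0 ]]; then
    echo "  No certificate/key found and no terminal to ask on. Exiting." >&2
    exit 1
  fi

  local answer
  read -r -p "No certificate/key found. Create one now? [Y/n] " answer
  case "$answer" in
    [Nn]*) exit 0 ;;
  esac

  adjust_openssl_cnf
  # openssl.cnf is adjusted to dir = ., so the CA steps must run from $_ROOT
  # regardless of whether the CA is created in this run.
  cd "$_ROOT" || exit 1

  create_ca
  create_server_key_and_csr
  sign_server_cert
}

main "$@"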