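#!/bin/sh
#
# gentls_cert - create a private CA and issue a combined cert+key bundle for
# FreeSWITCH TLS.  @prefix@ is substituted by the build system at install.
#
# Usage: gentls_cert <setup|create|remove> [-cn NAME] [-alt SAN] [-org ORG]
#                    [-out FILE] [-days N]
#
# Files produced under ${CONFDIR}:
#   CA/cakey.pem, CA/cacert.pem, CA/careq.pem, CA/config.tpl   (setup)
#   cafile.pem (copy of the CA cert), ${OUTFILE} (leaf cert + key)  (create)
#
# Security notes:
#   - Private keys are written unencrypted (-nodes) so the daemon can load
#     them without a passphrase; file permissions are their only protection.
#   - Scratch files (including the freshly generated leaf private key) live
#     in a private mktemp -d directory (mode 0700) and are removed by the
#     EXIT trap on every exit path, so a key never lingers in a shared /tmp
#     under a predictable name.
#   - RSA 2048 / SHA-256 are used; 1024-bit keys and SHA-1 signatures are
#     rejected by current TLS stacks.

CONFDIR=@prefix@/conf/ssl
DAYS=365
KEY_BITS=2048
DIGEST=sha256
COMMON_NAME="FreeSWITCH CA"
ALT_NAME="DNS:test.freeswitch.org"
ORG_NAME="FreeSWITCH"
OUTFILE="agent.pem"
# Private scratch directory; created lazily by make_tmpdir, removed by cleanup.
TMPDIR_CA=""

# New files are 0640 (directories get an explicit -m 750 below).
umask 037

# Remove the scratch directory.  Registered as the EXIT trap so it also runs
# after any 'exit 1' above, and guarded so a second invocation is harmless.
cleanup() {
  if [ -n "${TMPDIR_CA}" ] && [ -d "${TMPDIR_CA}" ]; then
    rm -rf -- "${TMPDIR_CA}"
  fi
}
trap cleanup EXIT
trap 'cleanup; exit 1' INT TERM HUP

# Create the private scratch directory on first use; abort if mktemp fails
# rather than falling back to a predictable path.
make_tmpdir() {
  if [ -z "${TMPDIR_CA}" ]; then
    TMPDIR_CA=$(mktemp -d "${TMPDIR:-/tmp}/fs-ca.XXXXXX") || {
      echo "Unable to create temporary directory" >&2
      exit 1
    }
  fi
}

# Escape a value for use as a sed replacement with '|' as the delimiter.
# Backslash, '|' and '&' are special there: a CN such as "a|b" or "AT&T"
# would otherwise break the s||| command or corrupt the rendered config.
#   $1 - raw value; escaped value is written to stdout (no trailing newline)
sed_quote() {
  printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'
}

# Render CA/config.tpl with the placeholders filled in.
#   $1 - output path
#   $2 - "ca" renders the self-signed CA request (CA:TRUE, SAN line removed);
#        any other value renders a leaf request with subjectAltName set.
# Exits 1 if the template cannot be read or the output cannot be written.
render_config() {
  _cfg_out="$1"
  _cfg_kind="$2"
  _cfg_cn=$(sed_quote "${COMMON_NAME}")
  _cfg_org=$(sed_quote "${ORG_NAME}")
  if [ "${_cfg_kind}" = "ca" ]; then
    sed \
      -e "s|%CN%|${_cfg_cn}|" \
      -e "s|%ORG%|${_cfg_org}|" \
      -e "/%ALTNAME%/d" \
      -e "s|CA:FALSE|CA:TRUE|" \
      "${CONFDIR}/CA/config.tpl" > "${_cfg_out}" || exit 1
  else
    _cfg_alt=$(sed_quote "${ALT_NAME}")
    sed \
      -e "s|%CN%|${_cfg_cn}|" \
      -e "s|%ALTNAME%|${_cfg_alt}|" \
      -e "s|%ORG%|${_cfg_org}|" \
      "${CONFDIR}/CA/config.tpl" > "${_cfg_out}" || exit 1
  fi
}

# Create a new self-signed CA under ${CONFDIR}/CA.
# Refuses to run if a CA key or certificate already exists: replacing the key
# would silently orphan every certificate issued under the old one.
# Exits 1 on any failure.
setup_ca() {
  echo "Creating new CA..."

  if [ -e "${CONFDIR}/CA/cacert.pem" ] || [ -e "${CONFDIR}/CA/cakey.pem" ]; then
    echo "existing CA found in \"${CONFDIR}/CA\"!" >&2
    exit 1
  fi

  if [ ! -d "${CONFDIR}/CA" ]; then
    mkdir -p -m 750 "${CONFDIR}/CA" || exit 1
  fi

  # Write the shared request template once.  Quoted heredoc: the %X%
  # placeholders and everything else are taken literally.  default_bits is
  # informational only; the key size actually used is -newkey rsa:${KEY_BITS}.
  if [ ! -e "${CONFDIR}/CA/config.tpl" ]; then
    cat > "${CONFDIR}/CA/config.tpl" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn

[ req_dn ]
commonName = %CN%
organizationName = %ORG%

[ ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=%ALTNAME%
EOF
  fi

  make_tmpdir
  render_config "${TMPDIR_CA}/ca.cfg" ca

  openssl req -new -out "${CONFDIR}/CA/careq.pem" \
    -newkey "rsa:${KEY_BITS}" -keyout "${CONFDIR}/CA/cakey.pem" \
    -config "${TMPDIR_CA}/ca.cfg" -nodes "-${DIGEST}" >/dev/null || exit 1
  # The CA key is only ever read by this script when signing; keep it owner-only
  # instead of the group-readable 0640 the umask would give it.
  chmod 600 "${CONFDIR}/CA/cakey.pem" || exit 1

  openssl x509 -req -signkey "${CONFDIR}/CA/cakey.pem" -in "${CONFDIR}/CA/careq.pem" \
    -out "${CONFDIR}/CA/cacert.pem" -extfile "${TMPDIR_CA}/ca.cfg" \
    -extensions ext -days "${DAYS}" "-${DIGEST}" >/dev/null || exit 1

  echo "DONE"
}

# Issue a leaf certificate signed by the CA and write cert+key to
# ${CONFDIR}/${OUTFILE} (overwriting it) plus a copy of the CA cert to
# ${CONFDIR}/cafile.pem.  Asks for interactive confirmation first.
# Returns 2 if the operator does not answer "OK"; exits 1 on failure.
generate_cert() {
  echo "Generating new certificate..."
  echo
  echo "--------------------------------------------------------"
  echo "CN: \"${COMMON_NAME}\""
  echo "ORG_NAME: \"${ORG_NAME}\""
  echo "ALT_NAME: \"${ALT_NAME}\""
  echo
  echo "Certificate filename \"${OUTFILE}\""
  echo
  echo "[Enter \"OK\" to accept]"
  read -r val
  if [ "${val}" != "OK" ]; then
    echo "Aborted"
    return 2
  fi

  # Fail with a clear message instead of an opaque openssl error.
  if [ ! -e "${CONFDIR}/CA/cakey.pem" ] || [ ! -e "${CONFDIR}/CA/cacert.pem" ]; then
    echo "No CA found in \"${CONFDIR}/CA\"; run '$0 setup' first" >&2
    exit 1
  fi

  make_tmpdir
  render_config "${TMPDIR_CA}/leaf.cfg" leaf

  openssl req -new -out "${TMPDIR_CA}/leaf.req" \
    -newkey "rsa:${KEY_BITS}" -keyout "${TMPDIR_CA}/leaf.key" \
    -config "${TMPDIR_CA}/leaf.cfg" -nodes "-${DIGEST}" >/dev/null || exit 1

  openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
    -in "${TMPDIR_CA}/leaf.req" -out "${TMPDIR_CA}/leaf.crt" -extfile "${TMPDIR_CA}/leaf.cfg" \
    -extensions ext -days "${DAYS}" "-${DIGEST}" >/dev/null || exit 1

  # Publish: CA cert for peers to trust, and the cert+key bundle for the daemon.
  cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem" || exit 1
  cat "${TMPDIR_CA}/leaf.crt" "${TMPDIR_CA}/leaf.key" > "${CONFDIR}/${OUTFILE}" || exit 1

  echo "DONE"
}

# Delete the CA directory and its contents.  Only acts when the directory
# exists (the test must be '-d', not '! -d', or nothing is ever removed).
remove_ca() {
  echo "Removing CA"
  if [ -d "${CONFDIR}/CA" ]; then
    rm -f -- "${CONFDIR}/CA"/*
    rmdir -- "${CONFDIR}/CA"
  fi
  echo "DONE"
}

# Print command-line help to stdout.
usage() {
  cat <<EOF
$0 <command> [options]

 * commands:
    setup   - Setup new CA
    remove  - Remove CA
    create  - Create new certificate (overwriting old!)

 * options:
    -cn     Set common name
    -alt    Set alternative name (use prefix 'DNS:' or 'URI:')
    -org    Set organization name
    -out    Filename for new certificate (create only)
    -days   Certificate validity in days (default ${DAYS})
EOF
}

# Guard the shift: with no arguments at all, a bare 'shift' is a fatal error
# in some /bin/sh implementations and the usage text would never print.
command="${1:-}"
[ $# -gt 0 ] && shift

while [ $# -gt 0 ]; do
  case "$1" in
    -cn|-alt|-org|-out|-days)
      if [ $# -lt 2 ]; then
        echo "option $1 requires a value" >&2
        exit 1
      fi
      ;;
  esac
  case "$1" in
    -cn)   COMMON_NAME="$2"; shift ;;
    -alt)  ALT_NAME="$2"; shift ;;
    -org)  ORG_NAME="$2"; shift ;;
    -out)  OUTFILE="$2"; shift ;;
    -days) DAYS="$2"; shift ;;
    *)
      # A mistyped option used to be ignored silently, leaving the defaults in
      # the issued certificate; make it an error instead.
      echo "unknown option: $1" >&2
      usage >&2
      exit 1
      ;;
  esac
  shift
done

# DAYS is passed straight to openssl; accept digits only.
case "${DAYS}" in
  ''|*[!0-9]*)
    echo "-days expects a positive integer, got \"${DAYS}\"" >&2
    exit 1
    ;;
esac

case "${command}" in
  setup)
    setup_ca
    ;;
  create)
    generate_cert
    ;;
  remove)
    echo "Are you sure you want to delete the CA? [YES to delete]"
    read -r val
    if [ "${val}" = "YES" ]; then
      remove_ca
    else
      echo "Not deleting CA"
    fi
    ;;
  *)
    usage
    exit 1
    ;;
esac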