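#!/bin/sh
# gentls_cert: create a small private CA and issue TLS certificates for
# FreeSWITCH.  Everything is written below ${CONFDIR}: CA/ holds the CA
# key and certificate, cafile.pem the CA certificate for peers, and
# ${OUTFILE} the issued certificate concatenated with its private key.
#
# Usage: gentls_cert <setup|create|remove> [-cn NAME] [-alt ALTNAME]
#                    [-org ORG] [-out FILE] [-days N]

CONFDIR=@prefix@/conf/ssl      # @prefix@ is substituted at build time
DAYS=365                       # validity of CA and issued certs (-days)
COMMON_NAME="FreesSWITCH CA"   # default CN (spelling kept as shipped); -cn overrides
ALT_NAME="DNS:test.freeswitch.org"
ORG_NAME="FreeSWITCH"
OUTFILE="agent.pem"

# Every file created below (CA key, issued key+cert) must not be
# world-readable; 037 yields 0640 files and 0750 directories.
umask 037

# Scratch files (openssl config, CSR, the freshly generated private key)
# live in a private mktemp directory instead of a predictable
# /tmp/fs-ca-<pid>-<timestamp> name: a predictable name lets another
# local user pre-create or symlink the path and capture the key.  The
# directory is removed on any exit, including the 'exit 1' error paths
# inside the functions, so no key material is left behind in /tmp.
FS_TMPDIR=$(mktemp -d "${TMPDIR:-/tmp}/fs-ca.XXXXXX") || exit 1
trap 'rm -rf -- "$FS_TMPDIR"' EXIT
TMPFILE="${FS_TMPDIR}/fs-ca"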
# check_ca: return 0 only when every file a usable CA needs exists in
# ${CONFDIR}/CA — the CA certificate, its private key and the openssl
# config template — and 1 as soon as one of them is missing.
# Globals read: CONFDIR.
check_ca() {
	for required in cacert.pem cakey.pem config.tpl; do
		[ -e "${CONFDIR}/CA/${required}" ] || return 1
	done
	return 0
}
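# setup_ca: create a new self-signed CA in ${CONFDIR}/CA.  Refuses to run
# when a complete CA is already present (see check_ca).  Files written:
#   config.tpl  - openssl request/extension template, shared with 'create'
#   cakey.pem   - CA private key, unencrypted (-nodes), mode from umask 037
#   careq.pem   - the CSR that is self-signed
#   cacert.pem  - the CA certificate, valid for ${DAYS} days
# Globals read: CONFDIR, DAYS, COMMON_NAME, ORG_NAME, TMPFILE.
# Exits 1 on any failure.
setup_ca() {
	if check_ca; then
		echo "Existing CA found in \"${CONFDIR}/CA\""
		echo "(Use \"gentls_cert remove\" to delete)"
		exit 1
	fi
	echo "Creating new CA..."
	if [ ! -d "${CONFDIR}/CA" ]; then
		# 750: the CA key inside must not be reachable by other local users.
		mkdir -p -m 750 "${CONFDIR}/CA" || exit 1
	fi
	# The template is written once and then kept, so local edits survive.
	# %CN%, %ORG% and %ALTNAME% are substituted on every invocation.
	if [ ! -e "${CONFDIR}/CA/config.tpl" ]; then
		cat > "${CONFDIR}/CA/config.tpl" <<-EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = %CN%
organizationName = %ORG%
[ ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=%ALTNAME%
EOF
	fi
	# Escape '\', '&' and the '|' delimiter so a value taken from the
	# command line (e.g. -org 'A & B') cannot alter the sed expression or
	# the generated config.  Values containing newlines are not supported.
	cn=$(printf '%s\n' "$COMMON_NAME" | sed 's/[\\&|]/\\&/g')
	org=$(printf '%s\n' "$ORG_NAME" | sed 's/[\\&|]/\\&/g')
	# A CA certificate carries no subjectAltName, and basicConstraints must
	# be CA:TRUE for the issued certificates to chain to it.
	sed \
		-e "s|%CN%|$cn|" \
		-e "s|%ORG%|$org|" \
		-e "/%ALTNAME%/d" \
		-e "s|CA:FALSE|CA:TRUE|" \
		"${CONFDIR}/CA/config.tpl" \
		> "${TMPFILE}.cfg" || exit 1
	# 2048-bit RSA and SHA-256: 1024-bit keys and SHA-1 signatures are
	# widely rejected by current TLS stacks.  The key is written
	# unencrypted (-nodes) so the daemon can load it without a passphrase.
	openssl req -new -out "${CONFDIR}/CA/careq.pem" \
		-newkey rsa:2048 -keyout "${CONFDIR}/CA/cakey.pem" \
		-config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1
	openssl x509 -req -signkey "${CONFDIR}/CA/cakey.pem" -in "${CONFDIR}/CA/careq.pem" \
		-out "${CONFDIR}/CA/cacert.pem" -extfile "${TMPFILE}.cfg" \
		-extensions ext -days "${DAYS}" -sha256 >/dev/null || exit 1
	rm -f -- "${TMPFILE}.cfg"
	echo "DONE"
}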
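# generate_cert: issue a certificate signed by the CA in ${CONFDIR}/CA.
# Prints the subject/SAN/output filename and asks for confirmation (y/Y)
# before doing anything.  Files written:
#   ${CONFDIR}/cafile.pem   - copy of the CA certificate, for peers
#   ${CONFDIR}/${OUTFILE}   - issued certificate followed by its private
#                             key (mode from umask 037); overwritten if present
#   ${CONFDIR}/CA/cacert.srl - serial counter maintained by -CAcreateserial
# Globals read: CONFDIR, DAYS, COMMON_NAME, ALT_NAME, ORG_NAME, OUTFILE,
# TMPFILE.  Returns 2 if the user declines; exits 1 on any failure.
generate_cert() {
	local val=""
	if ! check_ca; then
		echo "No existing CA found, please create one with \"gentls_cert setup\" first"
		exit 1
	fi
	echo "Generating new certificate..."
	echo
	echo "--------------------------------------------------------"
	echo "CN: \"${COMMON_NAME}\""
	echo "ORG_NAME: \"${ORG_NAME}\""
	echo "ALT_NAME: \"${ALT_NAME}\""
	echo
	echo "Certificate filename \"${OUTFILE}\""
	echo
	echo "[Is this OK? (y/N)]"
	read -r val
	if [ "${val}" != "y" ] && [ "${val}" != "Y" ]; then
		echo "Aborted"
		return 2
	fi
	# Escape '\', '&' and the '|' delimiter so a value taken from the
	# command line (e.g. -org 'A & B') cannot alter the sed expression or
	# the generated config.  Values containing newlines are not supported.
	cn=$(printf '%s\n' "$COMMON_NAME" | sed 's/[\\&|]/\\&/g')
	alt=$(printf '%s\n' "$ALT_NAME" | sed 's/[\\&|]/\\&/g')
	org=$(printf '%s\n' "$ORG_NAME" | sed 's/[\\&|]/\\&/g')
	sed \
		-e "s|%CN%|$cn|" \
		-e "s|%ALTNAME%|$alt|" \
		-e "s|%ORG%|$org|" \
		"${CONFDIR}/CA/config.tpl" \
		> "${TMPFILE}.cfg" || exit 1
	# The private key is generated into the scratch location named by
	# TMPFILE; 2048-bit RSA and SHA-256 because 1024-bit keys and SHA-1
	# signatures are widely rejected by current TLS stacks.
	openssl req -new -out "${TMPFILE}.req" \
		-newkey rsa:2048 -keyout "${TMPFILE}.key" \
		-config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1
	openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
		-in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
		-extensions ext -days "${DAYS}" -sha256 >/dev/null || exit 1
	cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem" || exit 1
	# Certificate first, then the key, in one PEM file as the daemon expects.
	cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}" || exit 1
	rm -f -- "${TMPFILE}.cfg" "${TMPFILE}.crt" "${TMPFILE}.key" "${TMPFILE}.req"
	echo "DONE"
}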
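# remove_ca: delete the CA directory (key, certificate, CSR, serial file,
# template).  Only ${CONFDIR}/CA is touched; cafile.pem and issued
# certificates under ${CONFDIR} stay in place.  No confirmation is asked
# here — the caller is expected to have done that.
# Globals read: CONFDIR.  Exits 1 if the directory cannot be removed.
remove_ca() {
	echo "Removing CA"
	# Positive '-d' test: act only when the CA directory actually exists.
	# ${CONFDIR:?} aborts rather than expanding to "/CA/*" if CONFDIR is
	# ever empty.
	if [ -d "${CONFDIR:?}/CA" ]; then
		rm -f -- "${CONFDIR}/CA/"*
		rmdir -- "${CONFDIR}/CA" || exit 1
	else
		echo "No CA directory found in \"${CONFDIR}/CA\""
	fi
	echo "DONE"
}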
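# ---- entry point -----------------------------------------------------------
# The first word is the command (setup|create|remove); everything after it
# is option/value pairs.
command="$1"
[ $# -gt 0 ] && shift

# Every option takes exactly one value.  Unknown options and options with
# a missing value are rejected instead of being silently ignored, and
# -days must be an integer because it is handed straight to openssl -days.
while [ $# -gt 0 ]; do
	opt="$1"
	if [ $# -lt 2 ]; then
		echo "Option \"${opt}\" requires a value" >&2
		exit 1
	fi
	case "$opt" in
		-cn)
			COMMON_NAME="$2"
			;;
		-alt)
			ALT_NAME="$2"
			;;
		-org)
			ORG_NAME="$2"
			;;
		-out)
			OUTFILE="$2"
			;;
		-days)
			case "$2" in
				''|*[!0-9]*)
					echo "-days expects a number of days, got \"$2\"" >&2
					exit 1
					;;
			esac
			DAYS="$2"
			;;
		*)
			echo "Unknown option \"${opt}\"" >&2
			exit 1
			;;
	esac
	shift 2
done

case "${command}" in
	setup)
		setup_ca
		;;
	create)
		generate_cert
		;;
	remove)
		# Deleting the CA invalidates every certificate it issued, so
		# require the literal word YES rather than a single keystroke.
		echo "Are you sure you want to delete the CA? [YES to delete]"
		read -r val
		if [ "${val}" = "YES" ]; then
			remove_ca
		else
			echo "Not deleting CA"
		fi
		;;
	*)
		cat <<-EOF
$0 <setup|create|remove> [options]
* commands:
setup - Setup new CA
remove - Remove CA
create - Create new certificate (overwriting old!)
* options:
-cn Set common name
-alt Set alternative name (use prefix 'DNS:' or 'URI:')
-org Set organization name
-out Filename for new certificate (create only)
-days Certificate expires in X days (default: 365)
EOF
		exit 1
		;;
esac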