#!/bin/sh # OpenVPN -- An application to securely tunnel IP networks # over a single TCP/UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2008 OpenVPN Technologies, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program (see the file COPYING included with this # distribution); if not, write to the Free Software Foundation, Inc., # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # pkitool is a front-end for the openssl tool. # Calling scripts can set the certificate organizational # unit with the KEY_OU environmental variable. PROGNAME=pkitool VERSION=2.0 DEBUG=0 die() { local m="$1" echo "$m" >&2 exit 1 } need_vars() { echo ' Please edit the vars script to reflect your configuration,' echo ' then source it with "source ./vars".' echo ' Next, to start with a fresh PKI configuration and to delete any' echo ' previous certificates and keys, run "./clean-all".' echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys." } usage() { echo "$PROGNAME $VERSION" echo "Usage: $PROGNAME [options...] [common-name]" echo "Options:" echo " --batch : batch mode (default)" echo " --keysize : Set keysize" echo " size : size (default=1024)" echo " --interact : interactive mode" echo " --server : build server cert" echo " --initca : build root CA" echo " --inter : build intermediate CA" echo " --pass : encrypt private key with password" echo " --csr : only generate a CSR, do not sign" echo " --sign : sign an existing CSR" echo " --pkcs12 : generate a combined PKCS#12 file" echo " --pkcs11 : generate certificate on PKCS#11 token" echo " lib : PKCS#11 library" echo " slot : PKCS#11 slot" echo " id : PKCS#11 object id (hex string)" echo " label : PKCS#11 object label" echo "Standalone options:" echo " --pkcs11-slots : list PKCS#11 slots" echo " lib : PKCS#11 library" echo " --pkcs11-objects : list PKCS#11 token objects" echo " lib : PKCS#11 library" echo " slot : PKCS#11 slot" echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!" echo " lib : PKCS#11 library" echo " slot : PKCS#11 slot" echo " label : PKCS#11 token label" echo "Notes:" need_vars echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher." echo "Generated files and corresponding OpenVPN directives:" echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)' echo " ca.crt -> root certificate (--ca)" echo " ca.key -> root key, keep secure (not directly used by OpenVPN)" echo " .crt files -> client/server certificates (--cert)" echo " .key files -> private keys, keep secure (--key)" echo " .csr files -> certificate signing request (not directly used by OpenVPN)" echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)" echo "Examples:" echo " $PROGNAME --initca -> Build root certificate" echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key" echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key" echo " $PROGNAME client1 -> Build \"client1\" certificate/key" echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key" echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format" echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA" echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR" echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key" echo " Also see ./inherit-inter script." echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5" echo " -> Build \"client5\" certificate/key in PKCS#11 token" echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys." echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :" echo " [edit vars with your site-specific info]" echo " source ./vars" echo " ./clean-all" echo " ./build-dh -> takes a long time, consider backgrounding" echo " ./$PROGNAME --initca" echo " ./$PROGNAME --server myserver" echo " ./$PROGNAME client1" echo " ./$PROGNAME --pass client2" echo "Typical usage for adding client cert to existing PKI:" echo " source ./vars" echo " ./$PROGNAME client-new" } # Set tool defaults [ -n "$OPENSSL" ] || export OPENSSL="openssl" [ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool" [ -n "$GREP" ] || export GREP="grep" # Set defaults DO_REQ="1" REQ_EXT="" DO_CA="1" CA_EXT="" DO_P12="0" DO_P11="0" DO_ROOT="0" NODES_REQ="-nodes" NODES_P12="" BATCH="-batch" CA="ca" # must be set or errors of openssl.cnf PKCS11_MODULE_PATH="dummy" PKCS11_PIN="dummy" # Process options while [ $# -gt 0 ]; do case "$1" in --keysize ) KEY_SIZE=$2 shift;; --server ) REQ_EXT="$REQ_EXT -extensions server" CA_EXT="$CA_EXT -extensions server" ;; --batch ) BATCH="-batch" ;; --interact ) BATCH="" ;; --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; --initca ) DO_ROOT="1" ;; --pass ) NODES_REQ="" ;; --csr ) DO_CA="0" ;; --sign ) DO_REQ="0" ;; --pkcs12 ) DO_P12="1" ;; --pkcs11 ) DO_P11="1" PKCS11_MODULE_PATH="$2" PKCS11_SLOT="$3" PKCS11_ID="$4" PKCS11_LABEL="$5" shift 4;; # standalone --pkcs11-init) PKCS11_MODULE_PATH="$2" PKCS11_SLOT="$3" PKCS11_LABEL="$4" if [ -z "$PKCS11_LABEL" ]; then die "Please specify library name, slot and label" fi $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ --label "$PKCS11_LABEL" && $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" exit $?;; --pkcs11-slots) PKCS11_MODULE_PATH="$2" if [ -z "$PKCS11_MODULE_PATH" ]; then die "Please specify library name" fi $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots exit 0;; --pkcs11-objects) PKCS11_MODULE_PATH="$2" PKCS11_SLOT="$3" if [ -z "$PKCS11_SLOT" ]; then die "Please specify library name and slot" fi $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" exit 0;; # errors --* ) die "$PROGNAME: unknown option: $1" ;; * ) break ;; esac shift done if ! [ -z "$BATCH" ]; then if $OPENSSL version | grep 0.9.6 > /dev/null; then die "Batch mode is unsupported in openssl<0.9.7" fi fi if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then die "PKCS#11 and PKCS#12 cannot be specified together" fi if [ $DO_P11 -eq 1 ]; then if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then die "Please edit $KEY_CONFIG and setup PKCS#11 engine" fi fi # If we are generating pkcs12, only encrypt the final step if [ $DO_P12 -eq 1 ]; then NODES_P12="$NODES_REQ" NODES_REQ="-nodes" fi if [ $DO_P11 -eq 1 ]; then if [ -z "$PKCS11_LABEL" ]; then die "PKCS#11 arguments incomplete" fi fi # If undefined, set default key expiration intervals if [ -z "$KEY_EXPIRE" ]; then KEY_EXPIRE=3650 fi if [ -z "$CA_EXPIRE" ]; then CA_EXPIRE=3650 fi # Set organizational unit to empty string if undefined if [ -z "$KEY_OU" ]; then KEY_OU="" fi # Set KEY_CN if [ $DO_ROOT -eq 1 ]; then if [ -z "$KEY_CN" ]; then if [ "$1" ]; then KEY_CN="$1" elif [ "$KEY_ORG" ]; then KEY_CN="$KEY_ORG CA" fi fi if [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using CA Common Name:" $KEY_CN fi elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then echo "Using Common Name:" $KEY_CN else if [ $# -ne 1 ]; then usage exit 1 else KEY_CN="$1" fi fi export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN # Show parameters (debugging) if [ $DEBUG -eq 1 ]; then echo DO_REQ $DO_REQ echo REQ_EXT $REQ_EXT echo DO_CA $DO_CA echo CA_EXT $CA_EXT echo NODES_REQ $NODES_REQ echo NODES_P12 $NODES_P12 echo DO_P12 $DO_P12 echo KEY_CN $KEY_CN echo BATCH $BATCH echo DO_ROOT $DO_ROOT echo KEY_EXPIRE $KEY_EXPIRE echo CA_EXPIRE $CA_EXPIRE echo KEY_OU $KEY_OU echo DO_P11 $DO_P11 echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH echo PKCS11_SLOT $PKCS11_SLOT echo PKCS11_ID $PKCS11_ID echo PKCS11_LABEL $PKCS11_LABEL fi # Make sure ./vars was sourced beforehand if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then cd "$KEY_DIR" # Make sure $KEY_CONFIG points to the correct version # of openssl.cnf if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then : else echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" echo "version of openssl.cnf: $KEY_CONFIG" echo "The correct version should have a comment that says: easy-rsa version 2.x"; exit 1; fi # Build root CA if [ $DO_ROOT -eq 1 ]; then $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \ -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ chmod 0600 "$CA.key" else # Make sure CA key/cert is available if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" echo "Try $PROGNAME --initca to build a root certificate/key." exit 1 fi fi # Generate key for PKCS#11 token PKCS11_ARGS= if [ $DO_P11 -eq 1 ]; then stty -echo echo -n "User PIN: " read -r PKCS11_PIN stty echo export PKCS11_PIN echo "Generating key pair on PKCS#11 token..." $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ --login --pin "$PKCS11_PIN" \ --key-type rsa:1024 \ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" fi # Build cert/key ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \ -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \ -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \ ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" ) # Load certificate into PKCS#11 token if [ $DO_P11 -eq 1 ]; then $OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \ --login --pin "$PKCS11_PIN" \ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" [ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der" fi fi # Need definitions else need_vars fi