dimanche 23 novembre 2014

openssl certificates self signed

Script de création pour une AC auto-signée

Il suffit de renseigner un mot de passe et un nom pour l'AC.

NB : `$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)` génère un mot de passe aléatoire de 25 caractères (lettres, chiffres et tiret : le jeu passé à `tr` inclut le `-`). La longueur peut être changée en passant un nombre en premier argument du script (`$1`).

Vous pouvez le changer et mettre ce que bon vous semble ! ;-))

#-----------------------------------------------
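#!/bin/sh
# make-ca: create a self-signed certificate authority (CA) under $CertPath.
#
# Usage: ./make-ca.sh [passphrase-length]   (length defaults to 25)
#
# Files written to $CertPath, all prefixed with $ACName:
#   <ca>.key         CA private key, AES-256 encrypted with the generated passphrase (0600)
#   <ca>.csr         request used to build the CA certificate (0644)
#   <ca>.crt         self-signed CA certificate, X.509 v3 with basicConstraints CA:TRUE (0644)
#   <ca>.public.key  CA public key (0644)
#   <ca>.pem         encrypted private key + certificate, concatenated (0600)
#   <ca>-key.txt     "ACName=..." and "ACpasswd=..." (the key passphrase) (0600)
#
# Every existing file with the same prefix (including the .srl serial file
# created by the signing scripts) is removed first.
set -eu

# The .pem bundle and the passphrase file are written by plain shell
# redirection, so without this they would inherit the default 022 umask and
# be world readable.
umask 077

CertPath=/etc/ssl/localcerts
mkdir -p "$CertPath"

# Name of the certificate authority: CN of the certificate and prefix of every file.
ACName=my-ca
# CA lifetime in days. It must cover the leaf certificates signed with it
# (the companion server script issues 3650-day certificates); a 365-day CA
# would make those certificates unverifiable after a year.
CADays=3650

# gen_secret LEN: random passphrase of LEN characters drawn from [A-Za-z0-9-].
gen_secret() {
  tr -dc 'a-z-0-9-A-Z' </dev/urandom | head -c "$1"
}

# say MSG...: bold yellow status line. Values go through %s so that a '%' in
# a name can never be interpreted as a printf directive.
say() {
  printf '\n\033[1;33m%s\033[0m\n' "$*"
}

ACpasswd=$(gen_secret "${1:-25}")

# Subject parameters
CInit="FR"                # C= is an ISO 3166 alpha-2 code, upper case
Cntry="France"            # ST= (state / province)
CCity="Paris"             # L=
Orgnt="My Organisation"   # O=
OUdpt="IT Department"     # OU=
CNdpt="$ACName"           # CN=
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

say "Creating self-signed CA certificate for $ACName"
say "ACName=$ACName"
# The passphrase is deliberately not echoed: it is saved in <ca>-key.txt and
# would otherwise end up in terminal scrollback and session logs.
say "ACpasswd: saved in $CertPath/$ACName-key.txt"
say "Subj=$Subj"

# Remove files left by a previous run.
rm -f -- "$CertPath/$ACName"*

# Save the passphrase (file is 0600 thanks to the umask above).
{
  printf 'ACName=%s\n' "$ACName"
  printf 'ACpasswd=%s\n' "$ACpasswd"
} > "$CertPath/$ACName-key.txt"

# Hand the passphrase to openssl through the environment (env:VAR) instead of
# "pass:..." on the command line, where it would be visible in `ps` and in
# shell history.
CA_PASS=$ACpasswd
export CA_PASS

# X.509 v3 extensions marking the certificate as a CA. Without them
# `x509 -req -signkey` emits a plain v1 certificate, and modern clients refuse
# to use such a certificate as a trust anchor for the server/client
# certificates signed with it.
ExtFile=$(mktemp) || exit 1
trap 'rm -f -- "$ExtFile"' EXIT
cat >"$ExtFile" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# 1. CA private key, encrypted. With an unencrypted key (the previous
#    behaviour) the generated passphrase protected nothing and every later
#    -passin was a no-op.
say "openssl genrsa -aes256 -out $CertPath/$ACName.key 2048"
openssl genrsa -aes256 -passout env:CA_PASS -out "$CertPath/$ACName.key" 2048

# 2. Certificate request carrying the subject.
say "openssl req -new -key $CertPath/$ACName.key -out $CertPath/$ACName.csr -subj $Subj"
openssl req -new -key "$CertPath/$ACName.key" -passin env:CA_PASS \
  -subj "$Subj" -out "$CertPath/$ACName.csr"

# 3. Self-sign it with SHA-256 (SHA-1 signatures are rejected by current browsers).
say "openssl x509 -req -sha256 -days $CADays -in $CertPath/$ACName.csr -signkey $CertPath/$ACName.key -extfile <tmp> -out $CertPath/$ACName.crt"
openssl x509 -req -sha256 -days "$CADays" -in "$CertPath/$ACName.csr" \
  -signkey "$CertPath/$ACName.key" -passin env:CA_PASS \
  -extfile "$ExtFile" -out "$CertPath/$ACName.crt"

# 4. Public key, and the key+certificate bundle.
say "openssl rsa -in $CertPath/$ACName.key -pubout -out $CertPath/$ACName.public.key"
openssl rsa -in "$CertPath/$ACName.key" -passin env:CA_PASS -pubout \
  -out "$CertPath/$ACName.public.key"

say "cat $CertPath/$ACName.key $CertPath/$ACName.crt > $CertPath/$ACName.pem"
cat "$CertPath/$ACName.key" "$CertPath/$ACName.crt" > "$CertPath/$ACName.pem"

# Only the public artefacts may be world readable; everything else stays 0600.
chmod 644 "$CertPath/$ACName.crt" "$CertPath/$ACName.csr" "$CertPath/$ACName.public.key"

say "openssl x509 -in $CertPath/$ACName.crt -text -noout"
openssl x509 -in "$CertPath/$ACName.crt" -text -noout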

#--------------------------

Script de création d'un certificat serveur signé par l'AC créée par le script précédent (ce n'est donc pas un certificat auto-signé : c'est l'AC qui le signe).
Le paramètre à renseigner est :

ServerName --> nom du serveur (il sert de CN dans le sujet du certificat)
#-------------------------------------------------
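#!/bin/sh
# make-server-cert: key and certificate for a TLS server, signed by the local
# CA produced by the CA script.
#
# Usage: ./make-server-cert.sh [passphrase-length]   (length defaults to 25)
#
# Requires $CertPath/$ACName.crt and .key (and, if the CA key is encrypted,
# the "ACpasswd=..." line in $CertPath/$ACName-key.txt) from the CA script.
#
# Files written to $CertPath, all prefixed with $ServerName:
#   <srv>.key               private key, AES-256 encrypted with the generated passphrase (0600)
#   <srv>.csr               certificate request (0644)
#   <srv>.crt               certificate signed by the CA: SHA-256, SAN, serverAuth (0644)
#   <srv>.nopassphrase.key  the same key without passphrase, for the web server (0600)
#   <srv>-key.txt           "ServerName=..." and "ServerPassph=..." (0600)
set -eu

# Keys and the passphrase file are written by plain shell redirection; keep
# them from inheriting the default world-readable 022 umask.
umask 077

CertPath=/etc/ssl/localcerts

# Certificate authority (prefix of the CA files)
ACName=my-ca

# Server parameters. ServerName is both the CN and the DNS subjectAltName, so
# it should be the host name clients actually connect to.
ServerName=myserver
# Certificate lifetime in days; must not exceed the CA's own lifetime.
ServerDays=3650

# gen_secret LEN: random passphrase of LEN characters drawn from [A-Za-z0-9-].
gen_secret() {
  tr -dc 'a-z-0-9-A-Z' </dev/urandom | head -c "$1"
}

# say MSG...: bold yellow status line; values go through %s, never the format.
say() {
  printf '\n\033[1;33m%s\033[0m\n' "$*"
}

# die MSG...: print to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

ServerPassph=$(gen_secret "${1:-25}")

# Subject parameters
CInit="FR"                # C= is an ISO 3166 alpha-2 code, upper case
Cntry="France"            # ST=
CCity="Paris"             # L=
Orgnt="my Organisation"   # O=
OUdpt="IT Department"     # OU=
CNdpt="$ServerName"       # CN=
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

# The cleanup below removes "$ServerName"*; refuse to run if that glob would
# also match the CA files.
case "$ACName" in
  "$ServerName"*) die "ServerName '$ServerName' is a prefix of ACName '$ACName'; refusing to overwrite the CA" ;;
esac

for f in "$CertPath/$ACName.crt" "$CertPath/$ACName.key"; do
  [ -r "$f" ] || die "Missing $f: run the CA script first"
done

# The CA script stores the CA key passphrase as "ACpasswd=..." in <ca>-key.txt.
# Passphrases are handed to openssl through the environment (env:VAR), never
# as "pass:..." arguments visible in `ps`. openssl ignores the value when the
# CA key is not encrypted, so an older unencrypted CA still works.
CA_PASS=$(sed -n 's/^ACpasswd=//p' "$CertPath/$ACName-key.txt" 2>/dev/null || true)
SRV_PASS=$ServerPassph
export CA_PASS SRV_PASS

say "Creating server certificate for $ServerName, signed by $ACName"
say "ServerName=$ServerName"
# The passphrase is saved in <srv>-key.txt rather than echoed to the terminal.
say "ServerPassph: saved in $CertPath/$ServerName-key.txt"
say "Subj=$Subj"

# Remove files left by a previous run.
rm -f -- "$CertPath/$ServerName"*

# Save the passphrase (0600 thanks to the umask above).
{
  printf 'ServerName=%s\n' "$ServerName"
  printf 'ServerPassph=%s\n' "$ServerPassph"
} > "$CertPath/$ServerName-key.txt"

# Leaf-certificate extensions. A CN alone is no longer enough: browsers match
# the host name against subjectAltName only. Add further names as
# ",DNS:other.example,IP:10.0.0.1" if the server answers to several.
ExtFile=$(mktemp) || exit 1
trap 'rm -f -- "$ExtFile"' EXIT
cat >"$ExtFile" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$ServerName
EOF

# 1. Encrypted private key. genrsa has no -subj option (passing it made the
#    command fail); the subject belongs to the request in step 2.
say "openssl genrsa -aes256 -out $CertPath/$ServerName.key 2048"
openssl genrsa -aes256 -passout env:SRV_PASS -out "$CertPath/$ServerName.key" 2048

# 2. Certificate request.
say "openssl req -new -key $CertPath/$ServerName.key -out $CertPath/$ServerName.csr -subj $Subj"
openssl req -new -key "$CertPath/$ServerName.key" -passin env:SRV_PASS \
  -subj "$Subj" -out "$CertPath/$ServerName.csr"

# 3. Sign with the CA, SHA-256. -CAcreateserial keeps the serial counter in
#    $CertPath/$ACName.srl.
say "openssl x509 -req -sha256 -days $ServerDays -in $CertPath/$ServerName.csr -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -extfile <tmp> -out $CertPath/$ServerName.crt"
openssl x509 -req -sha256 -days "$ServerDays" -in "$CertPath/$ServerName.csr" \
  -CA "$CertPath/$ACName.crt" -CAkey "$CertPath/$ACName.key" -passin env:CA_PASS \
  -CAcreateserial -extfile "$ExtFile" -out "$CertPath/$ServerName.crt"

# 4. Unencrypted copy of the key so the web server can start unattended.
say "openssl rsa -in $CertPath/$ServerName.key -out $CertPath/$ServerName.nopassphrase.key"
openssl rsa -in "$CertPath/$ServerName.key" -passin env:SRV_PASS \
  -out "$CertPath/$ServerName.nopassphrase.key"

# Only the public artefacts may be world readable.
chmod 644 "$CertPath/$ServerName.crt" "$CertPath/$ServerName.csr"

say "openssl x509 -in $CertPath/$ServerName.crt -text -noout"
openssl x509 -in "$CertPath/$ServerName.crt" -text -noout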

#--------------------------------------------

Script de création d'un certificat client (utilisateur) signé par l'AC, pour restreindre l'accès HTTPS aux seuls porteurs d'un tel certificat (authentification TLS par certificat client).

#--------------------------------------------
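#!/bin/sh
# make-user-cert: client (user) key and certificate signed by the local CA,
# exported as a PKCS#12 bundle the user can import into a browser.
#
# Usage: ./make-user-cert.sh [passphrase-length]   (length defaults to 25)
#
# Requires $CertPath/$ACName.crt and .key (and, if the CA key is encrypted,
# the "ACpasswd=..." line in $CertPath/$ACName-key.txt) from the CA script.
#
# Files written to $CertPath, all prefixed with $UserKey:
#   <user>.key      private key, AES-256 encrypted with the generated passphrase (0600)
#   <user>.csr      certificate request (0644)
#   <user>.crt      certificate signed by the CA: SHA-256, clientAuth (0644)
#   <user>.p12      key + certificate + CA certificate, protected by the same passphrase (0600)
#   <user>-key.txt  "UserKey=..." and "UserPassph=..." (0600)
set -eu

# Keys, the .p12 and the passphrase file must not inherit the default
# world-readable 022 umask.
umask 077

CertPath=/etc/ssl/localcerts

# Certificate authority (prefix of the CA files)
ACName=my-ca

# User parameters. UserKey is the CN of the certificate and the file prefix.
UserKey=myUserKey
# Certificate lifetime in days; must not exceed the CA's own lifetime.
UserDays=1825

# gen_secret LEN: random passphrase of LEN characters drawn from [A-Za-z0-9-].
gen_secret() {
  tr -dc 'a-z-0-9-A-Z' </dev/urandom | head -c "$1"
}

# say MSG...: bold yellow status line; values go through %s, never the format.
say() {
  printf '\n\033[1;33m%s\033[0m\n' "$*"
}

# die MSG...: print to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

UserPassph=$(gen_secret "${1:-25}")

# Subject parameters
CInit="FR"                # C= is an ISO 3166 alpha-2 code, upper case
Cntry="France"            # ST=
CCity="Paris"             # L=
Orgnt="my Organisation"   # O=
OUdpt="IT Department"     # OU=
CNdpt="$UserKey"          # CN=
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

# The cleanup below removes "$UserKey"*; refuse to run if that glob would also
# match the CA files.
case "$ACName" in
  "$UserKey"*) die "UserKey '$UserKey' is a prefix of ACName '$ACName'; refusing to overwrite the CA" ;;
esac

for f in "$CertPath/$ACName.crt" "$CertPath/$ACName.key"; do
  [ -r "$f" ] || die "Missing $f: run the CA script first"
done

# The CA script stores the CA key passphrase as "ACpasswd=..." in <ca>-key.txt.
# Passphrases are handed to openssl through the environment (env:VAR), never
# as "pass:..." arguments visible in `ps`. openssl ignores the value when the
# CA key is not encrypted, so an older unencrypted CA still works.
CA_PASS=$(sed -n 's/^ACpasswd=//p' "$CertPath/$ACName-key.txt" 2>/dev/null || true)
USR_PASS=$UserPassph
export CA_PASS USR_PASS

say "Creating client certificate for $UserKey, signed by $ACName"
say "UserKey=$UserKey"
# The passphrase is saved in <user>-key.txt rather than echoed to the terminal.
say "UserPassph: saved in $CertPath/$UserKey-key.txt"
say "Subj=$Subj"

# Remove files left by a previous run.
rm -f -- "$CertPath/$UserKey"*

# Save the passphrase (0600 thanks to the umask above).
{
  printf 'UserKey=%s\n' "$UserKey"
  printf 'UserPassph=%s\n' "$UserPassph"
} > "$CertPath/$UserKey-key.txt"

# Leaf-certificate extensions restricting this certificate to client authentication.
ExtFile=$(mktemp) || exit 1
trap 'rm -f -- "$ExtFile"' EXIT
cat >"$ExtFile" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
EOF

# 1. Encrypted private key. genrsa has no -subj option (passing it made the
#    command fail); the subject belongs to the request in step 2.
say "openssl genrsa -aes256 -out $CertPath/$UserKey.key 2048"
openssl genrsa -aes256 -passout env:USR_PASS -out "$CertPath/$UserKey.key" 2048

# 2. Certificate request.
say "openssl req -new -key $CertPath/$UserKey.key -out $CertPath/$UserKey.csr -subj $Subj"
openssl req -new -key "$CertPath/$UserKey.key" -passin env:USR_PASS \
  -subj "$Subj" -out "$CertPath/$UserKey.csr"

# 3. Sign with the CA. SHA-256 instead of SHA-1: browsers reject SHA-1 signed
#    certificates.
say "openssl x509 -req -sha256 -days $UserDays -in $CertPath/$UserKey.csr -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -extfile <tmp> -out $CertPath/$UserKey.crt"
openssl x509 -req -sha256 -days "$UserDays" -in "$CertPath/$UserKey.csr" \
  -CA "$CertPath/$ACName.crt" -CAkey "$CertPath/$ACName.key" -passin env:CA_PASS \
  -CAcreateserial -extfile "$ExtFile" -out "$CertPath/$UserKey.crt"

# 4. PKCS#12 bundle for the user: key + certificate, plus the CA certificate
#    (-certfile) so the importing client also receives the issuer. A single
#    -name is given (the original passed it twice; only the last one applied).
say "openssl pkcs12 -export -in $CertPath/$UserKey.crt -inkey $CertPath/$UserKey.key -certfile $CertPath/$ACName.crt -name \"$UserKey certificate\" -out $CertPath/$UserKey.p12"
openssl pkcs12 -export -in "$CertPath/$UserKey.crt" -inkey "$CertPath/$UserKey.key" \
  -passin env:USR_PASS -certfile "$CertPath/$ACName.crt" \
  -name "$UserKey certificate" -passout env:USR_PASS -out "$CertPath/$UserKey.p12"

# Only the public artefacts may be world readable.
chmod 644 "$CertPath/$UserKey.crt" "$CertPath/$UserKey.csr"

say "openssl pkcs12 -in $CertPath/$UserKey.p12 -clcerts -nokeys -info"
openssl pkcs12 -in "$CertPath/$UserKey.p12" -clcerts -nokeys -info -passin env:USR_PASS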
