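#!/bin/bash
#
# Generates a local root CA, an "intermediate" signing CA (intended for a
# Squid TLS proxy, judging by the file names) and optionally DH parameters,
# writing everything under /etc/ssl.
#
# Usage: edit the GENERATE_* switches and the CA_*/IM_CA_* fields below, then
# run as root (or set USE_SUDO="YES" to have the script re-exec itself via
# sudo). Requires the openssl CLI on PATH.
set -u   # an unset variable here would silently produce a bad file path

USER=$(id -u -n)
GROUP=$(id -g -n)   # not read by this script; left in place for anything that sources it

# Feature switches: exactly "YES" enables a step, anything else skips it.
GENERATE_ROOT_CA_FILE="YES"
GENERATE_CA_DER_FILE="YES"
GENERATE_IM_CA_FILE="YES"
GENERATE_IM_DER_FILE="NO"
GENERATE_DH_FILE="NO"
USE_SUDO="NO"

# Output locations. Private keys go to the key directory and are written
# unencrypted, so their file mode is their only protection.
CA_PRIVATE_KEY="/etc/ssl/private/rootCA.pem"
CA_PUBLIC_CERT="/etc/ssl/certs/rootCA.crt"
CA_PUBLIC_DER="/etc/ssl/certs/rootCA.der"
IM_CA_PRIVATE_KEY="/etc/ssl/private/squidCA.pem"
# NOTE(review): fixed, predictable name in /tmp that is created and removed
# with $SUDO. The CSR holds only public data, but a per-run mktemp path would
# avoid clobbering (or following) whatever already sits at this name.
IM_CA_CSR="/tmp/squidCA.csr"
IM_CA_PUBLIC_CERT="/etc/ssl/certs/squidCA.crt"
# Was "/etc/ssl/certs/rootCA.der" — identical to CA_PUBLIC_DER — so enabling
# GENERATE_IM_DER_FILE overwrote the root CA's DER export with the
# intermediate's. Named to match IM_CA_PUBLIC_CERT instead.
IM_CA_PUBLIC_DER="/etc/ssl/certs/squidCA.der"
DH_FILE="/etc/ssl/private/squidDHParam.pem"

# Root CA subject and key parameters. An empty ST field is passed through to
# openssl -subj as-is (existing behaviour).
CA_COUNTRY="HK"
CA_STATE=""
CA_LOCALITY="Hong Kong"
CA_ORGANISATION="Parent Router Ltd"
CA_COMMON_NAME="PARENTROUTER Root CA"
CA_VALID_DAYS="365"
CA_ENCRYPTION_TYPE="rsa:4096"

# Intermediate CA subject and key parameters.
IM_CA_COUNTRY="HK"
IM_CA_STATE=""
IM_CA_LOCALITY="Hong Kong"
IM_CA_ORGANISATION="Parent Router Ltd"
IM_CA_COMMON_NAME="myrouter.parentrouter"
IM_CA_VALID_DAYS="365"
IM_CA_ENCRYPTION_STRENGTH="4096"
# Fixed serial: every re-sign issues a cert with the same issuer+serial pair
# as the previous one (see the signing step for the consequence).
IM_CA_SERIAL="01"
DH_STRENGTH="2048"

# Directories derived from the key/cert paths above.
SSL_KEY_DIR=$(dirname "$CA_PRIVATE_KEY")
SSL_PUB_DIR=$(dirname "$CA_PUBLIC_CERT")

# Command prefixes; SUDO is cleared below unless USE_SUDO is "YES".
SUDO="sudo"
OPENSSL="openssl"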
#######################################
# Ask a yes/no question and read one line from stdin.
# Arguments: $1 - prompt text (optional; defaults to "Are you sure? [y/N]")
# Outputs:   prompt on stderr (only when stdin is a terminal)
# Returns:   0 when the answer is y/yes in any letter case, 1 otherwise
#            (including an empty line or EOF)
#######################################
confirm() {
  local prompt=${1:-Are you sure? [y/N]}
  local answer
  read -r -p "$prompt " answer
  # Whole-line match; anything that is not y/yes is treated as "no".
  [[ $answer =~ ^([yY][eE][sS]|[yY])$ ]]
}
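# Drop the sudo prefix unless it was explicitly requested.
if [[ "$USE_SUDO" != "YES" ]]; then
  SUDO=""
fi

# Writing into $SSL_KEY_DIR needs root. With USE_SUDO=YES the whole script is
# re-executed under sudo (exec does not return). Otherwise only warn and carry
# on, which works solely when the caller can already write to the target dirs.
if [[ "$USER" != "root" ]]; then
  echo "We need root access to write to $SSL_KEY_DIR directory" >&2
  if [[ "$USE_SUDO" == "YES" ]]; then
    exec "$SUDO" -p "Password:" -- "$0" "$@"
  fi
fi

# Create the output directories. The key directory receives unencrypted private
# keys, so when this script has to create it, it is made owner-only (-m only
# affects directories mkdir actually creates; existing ones are left as found).
# Previously a failed mkdir went unnoticed and every later step failed instead.
if [[ ! -d "$SSL_KEY_DIR" ]]; then
  if ! $SUDO mkdir -p -m 0700 -- "$SSL_KEY_DIR"; then
    echo "ERROR: Failed to create $SSL_KEY_DIR" >&2
    exit 1
  fi
fi
if [[ ! -d "$SSL_PUB_DIR" ]]; then
  if ! $SUDO mkdir -p -- "$SSL_PUB_DIR"; then
    echo "ERROR: Failed to create $SSL_PUB_DIR" >&2
    exit 1
  fi
fi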
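##### ROOT CA GENERATION ########
# Self-signed root CA: a single `openssl req -x509` call writes both the key
# and the certificate; a DER copy of the certificate can then be exported for
# import into client trust stores.
if [[ "$GENERATE_ROOT_CA_FILE" == "YES" ]]; then
  # Generate when no key exists yet, or when the operator agrees to replace
  # it. The previous `[ -f key ] && confirm` form only ever ran when a key was
  # already present, so a fresh system never got a root CA at all.
  if [[ ! -f "$CA_PRIVATE_KEY" ]] || confirm "Root Key Pair Already Exists! Regenerate? y/n:"; then
    echo "Generating Root SSL Key Pair..."
    # -nodes leaves the root key unencrypted on disk, so its file mode is the
    # only protection (hence the chmod after generation). stderr is silenced
    # to hide openssl's key-generation progress output.
    $SUDO "$OPENSSL" req \
      -new \
      -nodes \
      -newkey "$CA_ENCRYPTION_TYPE" \
      -sha256 \
      -days "$CA_VALID_DAYS" \
      -x509 \
      -keyout "$CA_PRIVATE_KEY" \
      -out "$CA_PUBLIC_CERT" \
      -subj "/C=${CA_COUNTRY}/ST=${CA_STATE}/L=${CA_LOCALITY}/O=${CA_ORGANISATION}/CN=${CA_COMMON_NAME}" \
      2> /dev/null
    # Capture the status before any test overwrites $? (the old code exited
    # with the status of the `[ ]` test, i.e. always 0).
    rc=$?
    if [[ "$rc" -ne 0 ]]; then
      echo "ERROR: Failed to Generate Root SSL Key Pair!" >&2
      exit "$rc"
    fi
    $SUDO chmod 600 "$CA_PRIVATE_KEY"
    printf '\tSuccessfully Generated Root SSL Key Pair\n'

    # DER export of the public certificate only; no key material involved.
    if [[ "$GENERATE_CA_DER_FILE" == "YES" && -f "$CA_PUBLIC_CERT" ]]; then
      echo "Generating CA SSL DER File..."
      $SUDO "$OPENSSL" x509 \
        -outform der \
        -in "$CA_PUBLIC_CERT" \
        -out "$CA_PUBLIC_DER" \
        2> /dev/null
      rc=$?
      if [[ "$rc" -ne 0 ]]; then
        echo "ERROR: Failed to Generate SSL DER file!" >&2
        exit "$rc"
      fi
      printf '\tSuccessfully Generated SSL DER File!\n'
    fi
  fi
fi
##### END ROOT CA GENERATION ########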
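##### INTERMEDIATE CA GENERATION ########
# Signing CA for the proxy: a fresh RSA key, a CSR for it, and a certificate
# issued by the root CA above. The CSR is a temporary file and is removed
# once the certificate has been produced.
if [[ ! -f "$CA_PRIVATE_KEY" ]]; then
  echo "WARNING: Could not find root CA file. Will not generate intermediate ca keypair as we cannot sign it" >&2
fi

if [[ "$GENERATE_IM_CA_FILE" == "YES" && -f "$CA_PRIVATE_KEY" ]]; then
  # Generate when no key exists yet, or when the operator agrees to replace
  # it (the old `[ -f key ] && confirm` form never ran on a fresh system).
  if [[ ! -f "$IM_CA_PRIVATE_KEY" ]] || confirm "Intermediate Key Pair Already Exists! Regenerate? y/n:"; then
    # Any existing certificate belongs to the old key; remove it so the signing
    # step below runs. -f: it is fine for the file not to exist.
    $SUDO rm -f -- "$IM_CA_PUBLIC_CERT"
    echo "Generating Intermediate CA SSL Key Pair..."
    $SUDO "$OPENSSL" genrsa \
      -out "$IM_CA_PRIVATE_KEY" \
      "$IM_CA_ENCRYPTION_STRENGTH" \
      2> /dev/null
    rc=$?   # captured before the test consumes $?
    if [[ "$rc" -ne 0 ]]; then
      echo "ERROR: Failed to Generate Intermediate CA SSL Key Pair!" >&2
      exit "$rc"
    fi
    # genrsa writes an unencrypted key; keep it owner-only.
    $SUDO chmod 600 "$IM_CA_PRIVATE_KEY"
    printf '\tSuccessfully Generated Intermediate CA SSL Key Pair\n'
  fi

  # Sign when no certificate exists (including right after a regeneration
  # above), or when the operator agrees to re-sign an existing one.
  if [[ ! -f "$IM_CA_PUBLIC_CERT" ]] || confirm "Intermediate Key Already Signed! Re-sign? y/n:"; then
    $SUDO rm -f -- "$IM_CA_PUBLIC_CERT"
    echo "Signing Intermediate CA SSL File..."
    # CSR for the intermediate key. It contains public data only, but note it
    # is written to the fixed $IM_CA_CSR path, as root when sudo is in use.
    $SUDO "$OPENSSL" req \
      -new \
      -sha256 \
      -key "$IM_CA_PRIVATE_KEY" \
      -out "$IM_CA_CSR" \
      -subj "/C=${IM_CA_COUNTRY}/ST=${IM_CA_STATE}/L=${IM_CA_LOCALITY}/O=${IM_CA_ORGANISATION}/CN=${IM_CA_COMMON_NAME}" \
      2> /dev/null
    rc=$?
    if [[ "$rc" -ne 0 ]]; then
      echo "ERROR: Failed to Sign Intermediate CA SSL Key!" >&2
      exit "$rc"
    fi
    printf '\tSuccessfully Signed Intermediate CA SSL Key\n'

    # Issue the certificate from the CSR with the root CA key.
    # NOTE(review): no -extfile/-extensions is given, so the certificate is
    # issued without basicConstraints or keyUsage; whether relying parties
    # accept certificates it signs depends on that — confirm against the
    # intended deployment.
    # NOTE(review): IM_CA_SERIAL is constant, so a re-sign produces a new
    # certificate with the same issuer and serial as the old one; clients that
    # still hold the old certificate may reject the replacement.
    $SUDO "$OPENSSL" x509 \
      -req \
      -days "$IM_CA_VALID_DAYS" \
      -in "$IM_CA_CSR" \
      -CA "$CA_PUBLIC_CERT" \
      -CAkey "$CA_PRIVATE_KEY" \
      -set_serial "$IM_CA_SERIAL" \
      -out "$IM_CA_PUBLIC_CERT" \
      2> /dev/null
    rc=$?
    if [[ "$rc" -ne 0 ]]; then
      echo "ERROR: Failed to Sign Intermediate CA CSR!" >&2
      exit "$rc"
    fi
    printf '\tSuccessfully Signed Intermediate CA CSR\n'

    # The CSR is only needed for signing; remove it.
    if [[ -f "$IM_CA_CSR" ]]; then
      $SUDO rm -f -- "$IM_CA_CSR"
    fi
  fi

  # DER export of the intermediate certificate for client import.
  if [[ "$GENERATE_IM_DER_FILE" == "YES" && -f "$IM_CA_PUBLIC_CERT" ]]; then
    echo "Generating Intermediate CA SSL DER File..."
    $SUDO "$OPENSSL" x509 \
      -outform der \
      -in "$IM_CA_PUBLIC_CERT" \
      -out "$IM_CA_PUBLIC_DER" \
      2> /dev/null
    rc=$?
    if [[ "$rc" -ne 0 ]]; then
      echo "ERROR: Failed to Generate Intermediate CA SSL DER file!" >&2
      exit "$rc"
    fi
    printf '\tSuccessfully Generated Intermediate CA SSL DER File!\n'
  fi
fi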
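##### DH PARAMETER GENERATION ########
# Optional Diffie-Hellman parameters for the TLS listener. Generation at
# DH_STRENGTH bits is CPU-bound and can take minutes.
if [[ "$GENERATE_DH_FILE" == "YES" ]]; then
  echo "Generating DH File... (this may take some time)"
  # stderr is silenced to hide openssl's progress output.
  $SUDO "$OPENSSL" dhparam \
    -outform PEM \
    -out "$DH_FILE" \
    "$DH_STRENGTH" \
    2> /dev/null
  # Capture the status before the test overwrites $? (the old code exited
  # with the status of the `[ ]` test, i.e. always 0).
  rc=$?
  if [[ "$rc" -ne 0 ]]; then
    echo "ERROR: Failed to Generate DHParam file!" >&2
    exit "$rc"
  fi
  printf '\tSuccessfully Generated DHParam file!\n'
fi
##### END DH PARAMETER GENERATION ########
exit 0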