
Appendix E. APPENDIX: Configuration Files for VPN Server

Abstract

This appendix contains the script and the .conf files used to set up IPsec on the VPN server.

A tarball containing these examples together with this HOWTO is available as siso.tar.bz2.

E.1. gencert

#!/bin/bash
# 
# GPL $Id: gencert,v 1.3 2005/03/31 04:40:52 cvonk Exp $
# script to generate X.509 certificates

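# Name this script was invoked as; used in messages and in the usage text.
PROGRAM=$(basename -- "$0")
# Usage text printed by --help.  Every option accepted by the option parser
# is listed here (the original omitted --eku, and described --dry-run as
# suppressing "file transfer, cp, mv", which the script never does).
USAGE="
Usage: $PROGRAM [--parameters] \"<cert_name>\"
Parameters:
    --help                 - display this help
    --ca <name>            - create a Certifying Authority named <name>
    --client               - set extkeyusage for client_eku (see openssl.ext)
    --server               - set extkeyusage for server_eku (see openssl.ext)
    --eku <name>           - set extkeyusage for <name>_eku (see openssl.ext)
    --dry-run              - do not run openssl, chmod or rm, instead
                             just report the actions it would have taken
    --verbose              - increase verbosity
    --quiet                - decrease verbosity
Example:
  $PROGRAM --ca \"Coert Vonk CA\"
  $PROGRAM --server siso.vonk
  $PROGRAM --client bor.vonk
Environment variables used:
  PASSWD                   - the password for the keys
  SSL_DIR                  - root directory for OpenSSL
  OPENSSL_CONF             - the configuration file for OpenSSL
"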

function die {
    # Report the step that failed on stderr and abort the whole script.
    # All arguments are joined into the message.
    printf 'ERROR during "%s"\n' "$*" >&2
    exit 1
}

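function checkExit {
    # Run the command given as arguments and abort (via die) if it fails.
    # "$@" keeps every argument intact: the original used an unquoted $*,
    # which re-split quoted arguments such as file names containing spaces.
    # Callers build the command prefix in $OPENSSL/$CHMOD/$RM; an empty
    # $DRY simply vanishes through word splitting before we get here.
    "$@" || die "$*"
}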

function usage {
    # Print the help text held in $USAGE on stdout.
    printf '%s\n' "$USAGE"
}

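function verbose {
    # Print "$PROGRAM: <message>" when the verbosity $VERB is at least LEVEL.
    # Usage: verbose <level> <message...>
    local LEVEL="$1"
    [ -n "$LEVEL" ] || die "verbose: unspecified LEVEL"
    shift

    # $VERB is set by the option parser; default to 0 here so a call made
    # before that point is silent instead of raising a test(1) error.
    if [ "${VERB:-0}" -ge "$LEVEL" ] ; then
        printf '%s\n' "$PROGRAM: $*"
    fi
}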


#
# create certifying authority
#

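function createCA {
    # Create the CA key pair and self-signed certificate under $SSL_DIR/ca.
    # $1 is the CA's Common Name (main passes "$CA"); falls back to the
    # global $CA, which is what the original read while ignoring $1.
    # The private key is encrypted with $PASSWD; "-passout env:PASSWD" makes
    # openssl read it from the environment so it never appears in argv.
    # Uses the globals $OPENSSL, $CHMOD, $SSL_DIR, $PASSWD.
    local ca_name="${1:-$CA}"
    local ca_dir="$SSL_DIR/ca"
    [ -n "$ca_name" ] || die "createCA: empty CA name"

    # The here-document answers the interactive DN prompts: each empty line
    # accepts the default from $OPENSSL_CONF, the sixth answer is the Common
    # Name (your name followed by " CA", i.e. "Coert Vonk CA") and the
    # challenge password is left empty.  The prompt count and order come from
    # $OPENSSL_CONF, so this block must be kept in sync with that file.
    # No -newkey is given, so the key size is default_bits of $OPENSSL_CONF.
    # 10950 days is 30 years of validity for the root certificate.
    $OPENSSL req -new -x509 -out    "$ca_dir/CAcert.pem" \
                            -keyout "$ca_dir/CAkey.pem" \
                            -days   10950 \
                            -passout env:PASSWD <<EOF





$ca_name


EOF
    # Same treatment the host keys get in createCert: only the owner should
    # be able to read the CA's (encrypted) private key.
    $CHMOD 400 "$ca_dir/CAkey.pem"

    # PKCS#12 bundle holding only the CA certificate (-nokeys), for clients
    # that import trust anchors in that format.
    $OPENSSL pkcs12 -export -in    "$ca_dir/CAcert.pem" \
                            -inkey "$ca_dir/CAkey.pem" -nokeys \
                            -out   "$ca_dir/CAcert.p12" \
                            -cacerts \
                            -passin env:PASSWD -passout env:PASSWD

    #$OPENSSL pkcs12 -in $SSL_DIR/ca/CAcert.p12 -out $SSL_DIR/ca/root.pem
    #$OPENSSL x509 -inform PEM outform DER -in $SSL_DIR/ca/root.pem -out $SSL_DIR/ca/root.der
}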


#
# create certificate
#

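function createCert {
  # Create a key pair for a host or client under $SSL_DIR/certs and have
  # the CA sign its certificate request.  $1 is the certificate's Common
  # Name; the file names use it with spaces replaced by underscores.
  # For <name> this produces:
  #   <name>-encryptedkey.pem       private key, encrypted with $PASSWD
  #   <name>-key.pem                the same key unencrypted, mode 0400
  #   <name>-cert.pem               the certificate signed by the CA
  #   <name>-cert+encryptedkey.p12  PKCS#12 bundle of cert + encrypted key
  # Uses the globals $OPENSSL, $CHMOD, $SSL_DIR, $EKU, $PASSWD.
  # NOTE: HOST is deliberately assigned as a global, not a local: the main
  # script lists $SSL_DIR/certs/$HOST-* afterwards and relies on seeing this
  # sanitised value.
  local cn="$1"
  [ -n "$cn" ] || die "createCert: empty certificate name"
  HOST="${cn// /_}"

  # Key size: the original hard-coded rsa:1024, which is no longer considered
  # adequate; 2048 is the floor, override with KEYBITS in the environment.
  local keybits="${KEYBITS:-2048}"

  # The CSR goes to a private temporary file instead of ./tempreq.pem, so a
  # concurrent run or a pre-planted file in the working directory cannot
  # clobber or substitute the request that gets signed.
  local req
  req=$(mktemp) || die "mktemp"

  # generate the key and the certificate request; the empty lines in the
  # here-document accept the DN defaults from $OPENSSL_CONF, the sixth
  # answer is the Common Name and the challenge password is left empty.
  $OPENSSL req -newkey "rsa:$keybits" \
               -keyout "$SSL_DIR/certs/$HOST-encryptedkey.pem" -keyform PEM \
               -out    "$req" -outform PEM \
               -passout env:PASSWD <<EOF





$cn


EOF

  # translate the private key to an unencrypted key.  umask 077 makes the
  # output file owner-only from the moment the shell creates it, so there
  # is no window where it is readable by others before the chmod below.
  local old_umask
  old_umask=$(umask)
  umask 077
  $OPENSSL rsa -passin env:PASSWD < "$SSL_DIR/certs/$HOST-encryptedkey.pem" \
                                  > "$SSL_DIR/certs/$HOST-key.pem"
  umask "$old_umask"
  $CHMOD 400 "$SSL_DIR/certs/$HOST-key.pem"

  # sign the certificate request with the CA
  # "-extensions $EKU .." is not needed for IPsec certificates
  $OPENSSL ca -in  "$req" \
              -out "$SSL_DIR/certs/$HOST-cert.pem" \
              ${EKU:+-extensions ${EKU}_eku} \
              -passin env:PASSWD
  # the temp file was really created (even under --dry-run), so always remove it
  rm -f -- "$req"

  # create a PKCS#12 bundle that contains: the signed certificate,
  # the encrypted key, and the CA's certificate
  # NOTE(review): -certfile is documented to take PEM certificates, yet the
  # file passed here is the PKCS#12 bundle CAcert.p12 rather than CAcert.pem.
  # Left as in the original -- confirm against the OpenSSL version in use.
  $OPENSSL pkcs12 -export -in       "$SSL_DIR/certs/$HOST-cert.pem" \
                          -inkey    "$SSL_DIR/certs/$HOST-encryptedkey.pem" \
                          -out      "$SSL_DIR/certs/$HOST-cert+encryptedkey.p12" \
                          -certfile "$SSL_DIR/ca/CAcert.p12" \
                          -passin env:PASSWD \
                          -passout env:PASSWD
}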

#
# parameters
#

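HOST=
CA=
EKU=
VERB=0
DRY=

# Option parsing.  Options that take a value (--eku, --ca) now refuse a
# missing value instead of silently continuing with an empty string.
while [ $# -gt 0 ] ; do
  case "$1" in
      --help)
        usage
        exit 0
        ;;
      --verbose)
        shift
        VERB=$((VERB + 1))
        ;;
      --quiet)
        shift
        [ "$VERB" -eq 0 ] || VERB=$((VERB - 1))
        ;;
      --dry-run)
        shift
        DRY="echo"
        ;;
      --eku)
        shift
        [ -n "$1" ] || die "--eku needs the name of an extension section"
        EKU="$1"
        shift
        ;;
      --client)
        EKU=client
        shift
        ;;
      --server)
        EKU=server
        shift
        ;;
      --ca)
        shift
        [ -n "$1" ] || die "--ca needs the name of the CA"
        CA="$1"
        shift
        ;;
      -*)
        die "unrecognized parameter ($1)"
        ;;
      *)
        HOST="$1"
        shift
  esac
done

# Every openssl/chmod/rm call goes through checkExit (abort on failure)
# and, with --dry-run, through echo instead of the real program.
OPENSSL="checkExit $DRY openssl"
CHMOD="checkExit $DRY chmod"
RM="checkExit $DRY rm"

verbose 1 "HOST=$HOST"
verbose 1 "CA=$CA"
verbose 1 "EKU=$EKU"

# PASSWD is handed to openssl as "env:PASSWD", so it never appears in argv.
[ -z "$PASSWD" ]            && die "env var PASSWD not set"
if [ -z "$SSL_DIR" ] ; then
    # with PRJ_DIR unset the original default silently became "/openssl"
    [ -n "$PRJ_DIR" ]       || die "neither SSL_DIR nor PRJ_DIR is set"
    export SSL_DIR="$PRJ_DIR/openssl"
fi
[ -z "$OPENSSL_CONF" ]      && export OPENSSL_CONF="$SSL_DIR/openssl.conf"

[ -d "$SSL_DIR" ]           || mkdir -p "$SSL_DIR" || die "mkdir $SSL_DIR"
[ -f "$OPENSSL_CONF" ]      || die "OpenSSL conf file ($OPENSSL_CONF) missing"

# ca/ holds the CA private key, so it is created owner-only.
[ -d "$SSL_DIR/ca" ]        || mkdir -m 700 "$SSL_DIR/ca" || die "mkdir $SSL_DIR/ca"
[ -d "$SSL_DIR/certs" ]     || mkdir "$SSL_DIR/certs" || die "mkdir $SSL_DIR/certs"
[ -d "$SSL_DIR/newcerts" ]  || mkdir "$SSL_DIR/newcerts" || die "mkdir $SSL_DIR/newcerts"
[ -f "$SSL_DIR/index.txt" ] || touch "$SSL_DIR/index.txt"
[ -f "$SSL_DIR/serial" ]    || echo "01" > "$SSL_DIR/serial"

if [ -z "$CA" ] ; then
    [ -n "$HOST" ] || die "no certificate name given (see --help)"
    if [ ! -f "$SSL_DIR/ca/CAkey.pem" ] ; then
        die "no CA, create a CA first"
    fi
fi

if [ -n "$EKU" ] ; then
    # EKU names a "[<EKU>_eku]" section of $OPENSSL_CONF and is spliced into
    # a grep pattern and an openssl argument, so allow identifier chars only.
    case "$EKU" in
        *[!A-Za-z0-9_]*) die "invalid extension name ($EKU)" ;;
    esac
    if ! grep -q "^\[${EKU}_eku" "$OPENSSL_CONF" ; then
        # the original message expanded $EKU_eku, an unset variable
        die "extension (${EKU}_eku) not in $OPENSSL_CONF"
    fi
fi


#
# main
#

if [ -n "$CA" ] ; then
    echo "generating CA named \"$CA\" .."
    createCA "$CA"
    echo
    echo "New certificates are in:"
    ls -l "$SSL_DIR"/ca/*
else
    echo "generating cert for \"$HOST\" .."
    createCert "$HOST"
    echo
    echo "New certificates are in:"
    # createCert rewrites the global HOST with spaces turned into underscores
    ls -l "$SSL_DIR/certs/$HOST"-*
fi

# Regenerate the CRL next to the other CA files.  The original wrote to the
# relative path ca/CRL.pem (only right when run from inside $SSL_DIR),
# bypassed checkExit and ignored --dry-run.
$OPENSSL ca -gencrl -out "$SSL_DIR/ca/CRL.pem" -passin env:PASSWD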

Example E.1. gencert