1#!/bin/sh 2# 3# unbound-control-setup.sh - set up SSL certificates for unbound-control 4# 5# Copyright (c) 2008, NLnet Labs. All rights reserved. 6# 7# This software is open source. 8# 9# Redistribution and use in source and binary forms, with or without 10# modification, are permitted provided that the following conditions 11# are met: 12# 13# Redistributions of source code must retain the above copyright notice, 14# this list of conditions and the following disclaimer. 15# 16# Redistributions in binary form must reproduce the above copyright notice, 17# this list of conditions and the following disclaimer in the documentation 18# and/or other materials provided with the distribution. 19# 20# Neither the name of the NLNET LABS nor the names of its contributors may 21# be used to endorse or promote products derived from this software without 22# specific prior written permission. 23# 24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 36# settings: 37 38# directory for files 39DESTDIR=@ub_conf_dir@ 40 41# issuer and subject name for certificates 42SERVERNAME=unbound 43CLIENTNAME=unbound-control 44 45# validity period for certificates 46DAYS=7200 47 48# size of keys in bits 49BITS=3072 50 51# hash algorithm 52HASH=sha256 53 54# base name for unbound server keys 55SVR_BASE=unbound_server 56 57# base name for unbound-control keys 58CTL_BASE=unbound_control 59 60# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). 61umask 0027 62 63# end of options 64 65# functions: 66error ( ) { 67 echo "$0 fatal error: $1" 68 exit 1 69} 70 71# check arguments: 72while test $# -ne 0; do 73 case $1 in 74 -d) 75 if test $# -eq 1; then error "need argument for -d"; fi 76 DESTDIR="$2" 77 shift 78 ;; 79 *) 80 echo "unbound-control-setup.sh - setup SSL keys for unbound-control" 81 echo " -d dir use directory to store keys and certificates." 82 echo " default: $DESTDIR" 83 echo "please run this command using the same user id that the " 84 echo "unbound daemon uses, it needs read privileges." 85 exit 1 86 ;; 87 esac 88 shift 89done 90 91# go!: 92echo "setup in directory $DESTDIR" 93cd "$DESTDIR" || error "could not cd to $DESTDIR" 94 95# create certificate keys; do not recreate if they already exist. 96if test -f $SVR_BASE.key; then 97 echo "$SVR_BASE.key exists" 98else 99 echo "generating $SVR_BASE.key" 100 openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa" 101fi 102if test -f $CTL_BASE.key; then 103 echo "$CTL_BASE.key exists" 104else 105 echo "generating $CTL_BASE.key" 106 openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa" 107fi 108 109# create self-signed cert for server 110echo "[req]\n" > request.cfg 111echo "default_bits=$BITS\n" >> request.cfg 112echo "default_md=$HASH\n" >> request.cfg 113echo "prompt=no\n" >> request.cfg 114echo "distinguished_name=req_distinguished_name\n" >> request.cfg 115echo "\n" >> request.cfg 116echo "[req_distinguished_name]\n" >> request.cfg 117echo "commonName=$SERVERNAME\n" >> request.cfg 118 119test -f request.cfg || error "could not create request.cfg" 120 121echo "create $SVR_BASE.pem (self signed certificate)" 122openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" 123# create trusted usage pem 124openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" 125 126# create client request and sign it, piped 127echo "[req]\n" > request.cfg 128echo "default_bits=$BITS\n" >> request.cfg 129echo "default_md=$HASH\n" >> request.cfg 130echo "prompt=no\n" >> request.cfg 131echo "distinguished_name=req_distinguished_name\n" >> request.cfg 132echo "\n" >> request.cfg 133echo "[req_distinguished_name]\n" >> request.cfg 134echo "commonName=$CLIENTNAME" >> request.cfg 135 136test -f request.cfg || error "could not create request.cfg" 137 138echo "create $CTL_BASE.pem (signed client certificate)" 139openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem 140test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" 141# create trusted usage pem 142# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" 143 144# see details with openssl x509 -noout -text < $SVR_BASE.pem 145# echo "create $CTL_BASE""_browser.pfx (web client certificate)" 146# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" 147# echo "preferences - advanced - encryption - view certificates - your certs" 148# echo "empty password is used, simply click OK on the password dialog box." 149# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" 150 151# remove unused permissions 152chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key 153 154# remove crap 155rm -f request.cfg 156rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl" 157 158echo "Setup success. Certificates created. Enable in unbound.conf file to use" 159 160exit 0 161