xref: /freebsd/contrib/unbound/smallapp/unbound-control-setup.sh.in (revision 53bb5613a8a15363718b6e6de8d965bf9a2c5469)
1#!/bin/sh
2#
3# unbound-control-setup.sh - set up SSL certificates for unbound-control
4#
5# Copyright (c) 2008, NLnet Labs. All rights reserved.
6#
7# This software is open source.
8#
9# Redistribution and use in source and binary forms, with or without
10# modification, are permitted provided that the following conditions
11# are met:
12#
13# Redistributions of source code must retain the above copyright notice,
14# this list of conditions and the following disclaimer.
15#
16# Redistributions in binary form must reproduce the above copyright notice,
17# this list of conditions and the following disclaimer in the documentation
18# and/or other materials provided with the distribution.
19#
20# Neither the name of the NLNET LABS nor the names of its contributors may
21# be used to endorse or promote products derived from this software without
22# specific prior written permission.
23#
24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35
36# settings:
37
38# directory for files
39DESTDIR=@ub_conf_dir@
40
41# issuer and subject name for certificates
42SERVERNAME=unbound
43CLIENTNAME=unbound-control
44
45# validity period for certificates
46DAYS=7200
47
48# size of keys in bits
49BITS=3072
50
51# hash algorithm
52HASH=sha256
53
54# base name for unbound server keys
55SVR_BASE=unbound_server
56
57# base name for unbound-control keys
58CTL_BASE=unbound_control
59
60# flag to recreate generated certificates
61RECREATE=0
62
63# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
64umask 0027
65
66# end of options
67
68set -eu
69
70cleanup() {
71    echo "removing artifacts"
72
73    rm -rf \
74       server.cnf \
75       client.cnf \
76       "${SVR_BASE}_trust.pem" \
77       "${CTL_BASE}_trust.pem" \
78       "${SVR_BASE}_trust.srl"
79}
80
81fatal() {
82    printf "fatal error: $*\n" >/dev/stderr
83    exit 1
84}
85
86usage() {
87    cat <<EOF
88usage: $0 OPTIONS
89OPTIONS
90-d <dir>  used directory to store keys and certificates (default: $DESTDIR)
91-h        show help notice
92-r        recreate certificates
93EOF
94}
95
96OPTIND=1
97while getopts 'd:hr' arg; do
98    case "$arg" in
99      d) DESTDIR="$OPTARG" ;;
100      h) usage; exit 1 ;;
101      r) RECREATE=1 ;;
102      ?) fatal "'$arg' unknown option" ;;
103    esac
104done
105shift $((OPTIND - 1))
106
107if ! openssl >/dev/null 2>&1; then
108    echo "$0 requires openssl to be installed for keys/certificates generation." >&2
109    exit 1
110fi
111
112echo "setup in directory $DESTDIR"
113cd "$DESTDIR"
114
115trap cleanup INT
116
117# ===
118# Generate server certificate
119# ===
120
121# generate private key; do no recreate it if they already exist.
122if [ ! -f "$SVR_BASE.key" ]; then
123    openssl genrsa -out "$SVR_BASE.key" "$BITS"
124fi
125
126cat >server.cnf <<EOF
127[req]
128default_bits=$BITS
129default_md=$HASH
130prompt=no
131distinguished_name=req_distinguished_name
132x509_extensions=v3_ca
133[req_distinguished_name]
134commonName=$SERVERNAME
135[v3_ca]
136subjectKeyIdentifier=hash
137authorityKeyIdentifier=keyid:always,issuer:always
138basicConstraints=critical,CA:TRUE,pathlen:0
139subjectAltName=DNS:$SERVERNAME
140EOF
141
142[ -f server.cnf ] || fatal "cannot create openssl configuration"
143
144if [ ! -f "$SVR_BASE.pem" -o $RECREATE -eq 1 ]; then
145    openssl req \
146            -new -x509 \
147            -key "$SVR_BASE.key" \
148            -config server.cnf  \
149            -days "$DAYS" \
150            -out "$SVR_BASE.pem"
151
152    [ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate"
153fi
154
155# ===
156# Generate client certificate
157# ===
158
159# generate private key; do no recreate it if they already exist.
160if [ ! -f "$CTL_BASE.key" ]; then
161    openssl genrsa -out "$CTL_BASE.key" "$BITS"
162fi
163
164cat >client.cnf <<EOF
165[req]
166default_bits=$BITS
167default_md=$HASH
168prompt=no
169distinguished_name=req_distinguished_name
170req_extensions=v3_req
171[req_distinguished_name]
172commonName=$CLIENTNAME
173[v3_req]
174basicConstraints=critical,CA:FALSE
175subjectAltName=DNS:$CLIENTNAME
176EOF
177
178[ -f client.cnf ] || fatal "cannot create openssl configuration"
179
180if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then
181    openssl x509 \
182        -addtrust serverAuth \
183        -in "$SVR_BASE.pem" \
184        -out "${SVR_BASE}_trust.pem"
185
186    openssl req \
187            -new \
188            -config client.cnf \
189            -key "$CTL_BASE.key" \
190        | openssl x509 \
191                  -req \
192                  -days "$DAYS" \
193                  -CA "${SVR_BASE}_trust.pem" \
194                  -CAkey "$SVR_BASE.key" \
195                  -CAcreateserial \
196                  -$HASH \
197                  -extfile client.cnf \
198                  -extensions v3_req \
199                  -out "$CTL_BASE.pem"
200
201    [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate"
202fi
203
204# remove unused permissions
205chmod o-rw \
206      "$SVR_BASE.pem" \
207      "$SVR_BASE.key" \
208      "$CTL_BASE.pem" \
209      "$CTL_BASE.key"
210
211cleanup
212
213echo "Setup success. Certificates created. Enable in unbound.conf file to use"
214
215# create trusted usage pem
216# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
217
218# see details with openssl x509 -noout -text < $SVR_BASE.pem
219# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
220# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
221# echo "preferences - advanced - encryption - view certificates - your certs"
222# echo "empty password is used, simply click OK on the password dialog box."
223# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
224
225