1#!/bin/sh 2# 3# unbound-control-setup.sh - set up SSL certificates for unbound-control 4# 5# Copyright (c) 2008, NLnet Labs. All rights reserved. 6# 7# This software is open source. 8# 9# Redistribution and use in source and binary forms, with or without 10# modification, are permitted provided that the following conditions 11# are met: 12# 13# Redistributions of source code must retain the above copyright notice, 14# this list of conditions and the following disclaimer. 15# 16# Redistributions in binary form must reproduce the above copyright notice, 17# this list of conditions and the following disclaimer in the documentation 18# and/or other materials provided with the distribution. 19# 20# Neither the name of the NLNET LABS nor the names of its contributors may 21# be used to endorse or promote products derived from this software without 22# specific prior written permission. 23# 24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 36# settings: 37 38# directory for files 39DESTDIR=@ub_conf_dir@ 40 41# issuer and subject name for certificates 42SERVERNAME=unbound 43CLIENTNAME=unbound-control 44 45# validity period for certificates 46DAYS=7200 47 48# size of keys in bits 49BITS=3072 50 51# hash algorithm 52HASH=sha256 53 54# base name for unbound server keys 55SVR_BASE=unbound_server 56 57# base name for unbound-control keys 58CTL_BASE=unbound_control 59 60# flag to recreate generated certificates 61RECREATE=0 62 63# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). 64umask 0027 65 66# end of options 67 68set -eu 69 70cleanup() { 71 echo "removing artifacts" 72 73 rm -rf \ 74 server.cnf \ 75 client.cnf \ 76 "${SVR_BASE}_trust.pem" \ 77 "${CTL_BASE}_trust.pem" \ 78 "${SVR_BASE}_trust.srl" 79} 80 81fatal() { 82 printf "fatal error: $*\n" >/dev/stderr 83 exit 1 84} 85 86usage() { 87 cat <<EOF 88usage: $0 OPTIONS 89OPTIONS 90-d <dir> used directory to store keys and certificates (default: $DESTDIR) 91-h show help notice 92-r recreate certificates 93EOF 94} 95 96OPTIND=1 97while getopts 'd:hr' arg; do 98 case "$arg" in 99 d) DESTDIR="$OPTARG" ;; 100 h) usage; exit 1 ;; 101 r) RECREATE=1 ;; 102 ?) fatal "'$arg' unknown option" ;; 103 esac 104done 105shift $((OPTIND - 1)) 106 107 108echo "setup in directory $DESTDIR" 109cd "$DESTDIR" 110 111trap cleanup INT 112 113# === 114# Generate server certificate 115# === 116 117# generate private key; do no recreate it if they already exist. 118if [ ! -f "$SVR_BASE.key" ]; then 119 openssl genrsa -out "$SVR_BASE.key" "$BITS" 120fi 121 122cat >server.cnf <<EOF 123default_bits=$BITS 124default_md=$HASH 125prompt=no 126distinguished_name=req_distinguished_name 127[req_distinguished_name] 128commonName=$SERVERNAME 129EOF 130 131[ -f server.cnf ] || fatal "cannot create openssl configuration" 132 133if [ ! -f "$SVR_BASE.pem" -o $RECREATE -eq 1 ]; then 134 openssl req \ 135 -new -x509 \ 136 -key "$SVR_BASE.key" \ 137 -config server.cnf \ 138 -days "$DAYS" \ 139 -out "$SVR_BASE.pem" 140 141 [ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate" 142fi 143 144# === 145# Generate client certificate 146# === 147 148# generate private key; do no recreate it if they already exist. 149if [ ! -f "$CTL_BASE.key" ]; then 150 openssl genrsa -out "$CTL_BASE.key" "$BITS" 151fi 152 153cat >client.cnf <<EOF 154[req] 155default_bits=$BITS 156default_md=$HASH 157prompt=no 158distinguished_name=req_distinguished_name 159[req_distinguished_name] 160commonName=$CLIENTNAME 161EOF 162 163[ -f client.cnf ] || fatal "cannot create openssl configuration" 164 165if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then 166 openssl x509 \ 167 -addtrust serverAuth \ 168 -in "$SVR_BASE.pem" \ 169 -out "${SVR_BASE}_trust.pem" 170 171 openssl req \ 172 -new \ 173 -config client.cnf \ 174 -key "$CTL_BASE.key" \ 175 | openssl x509 \ 176 -req \ 177 -days "$DAYS" \ 178 -CA "${SVR_BASE}_trust.pem" \ 179 -CAkey "$SVR_BASE.key" \ 180 -CAcreateserial \ 181 -$HASH \ 182 -out "$CTL_BASE.pem" 183 184 [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate" 185fi 186 187# remove unused permissions 188chmod o-rw \ 189 "$SVR_BASE.pem" \ 190 "$SVR_BASE.key" \ 191 "$CTL_BASE.pem" \ 192 "$CTL_BASE.key" 193 194cleanup 195 196echo "Setup success. Certificates created. Enable in unbound.conf file to use" 197 198# create trusted usage pem 199# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" 200 201# see details with openssl x509 -noout -text < $SVR_BASE.pem 202# echo "create $CTL_BASE""_browser.pfx (web client certificate)" 203# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" 204# echo "preferences - advanced - encryption - view certificates - your certs" 205# echo "empty password is used, simply click OK on the password dialog box." 206# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" 207 208