xref: /freebsd/contrib/unbound/smallapp/unbound-control-setup.sh.in (revision e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6)
1#!/bin/sh
2#
3# unbound-control-setup.sh - set up SSL certificates for unbound-control
4#
5# Copyright (c) 2008, NLnet Labs. All rights reserved.
6#
7# This software is open source.
8#
9# Redistribution and use in source and binary forms, with or without
10# modification, are permitted provided that the following conditions
11# are met:
12#
13# Redistributions of source code must retain the above copyright notice,
14# this list of conditions and the following disclaimer.
15#
16# Redistributions in binary form must reproduce the above copyright notice,
17# this list of conditions and the following disclaimer in the documentation
18# and/or other materials provided with the distribution.
19#
20# Neither the name of the NLNET LABS nor the names of its contributors may
21# be used to endorse or promote products derived from this software without
22# specific prior written permission.
23#
24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35
36# settings:
37
38# directory for files
39DESTDIR=@ub_conf_dir@
40
41# issuer and subject name for certificates
42SERVERNAME=unbound
43CLIENTNAME=unbound-control
44
45# validity period for certificates
46DAYS=7200
47
48# size of keys in bits
49BITS=3072
50
51# hash algorithm
52HASH=sha256
53
54# base name for unbound server keys
55SVR_BASE=unbound_server
56
57# base name for unbound-control keys
58CTL_BASE=unbound_control
59
60# flag to recreate generated certificates
61RECREATE=0
62
63# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
64umask 0027
65
66# end of options
67
68set -eu
69
70cleanup() {
71    echo "removing artifacts"
72
73    rm -rf \
74       server.cnf \
75       client.cnf \
76       "${SVR_BASE}_trust.pem" \
77       "${CTL_BASE}_trust.pem" \
78       "${SVR_BASE}_trust.srl"
79}
80
81fatal() {
82    printf "fatal error: $*\n" >/dev/stderr
83    exit 1
84}
85
86usage() {
87    cat <<EOF
88usage: $0 OPTIONS
89OPTIONS
90-d <dir>  used directory to store keys and certificates (default: $DESTDIR)
91-h        show help notice
92-r        recreate certificates
93EOF
94}
95
96OPTIND=1
97while getopts 'd:hr' arg; do
98    case "$arg" in
99      d) DESTDIR="$OPTARG" ;;
100      h) usage; exit 1 ;;
101      r) RECREATE=1 ;;
102      ?) fatal "'$arg' unknown option" ;;
103    esac
104done
105shift $((OPTIND - 1))
106
107
108echo "setup in directory $DESTDIR"
109cd "$DESTDIR"
110
111trap cleanup INT
112
113# ===
114# Generate server certificate
115# ===
116
117# generate private key; do no recreate it if they already exist.
118if [ ! -f "$SVR_BASE.key" ]; then
119    openssl genrsa -out "$SVR_BASE.key" "$BITS"
120fi
121
122cat >server.cnf <<EOF
123[req]
124default_bits=$BITS
125default_md=$HASH
126prompt=no
127distinguished_name=req_distinguished_name
128x509_extensions=v3_ca
129[req_distinguished_name]
130commonName=$SERVERNAME
131[v3_ca]
132subjectKeyIdentifier=hash
133authorityKeyIdentifier=keyid:always,issuer:always
134basicConstraints=critical,CA:TRUE,pathlen:0
135subjectAltName=DNS:$SERVERNAME
136EOF
137
138[ -f server.cnf ] || fatal "cannot create openssl configuration"
139
140if [ ! -f "$SVR_BASE.pem" -o $RECREATE -eq 1 ]; then
141    openssl req \
142            -new -x509 \
143            -key "$SVR_BASE.key" \
144            -config server.cnf  \
145            -days "$DAYS" \
146            -out "$SVR_BASE.pem"
147
148    [ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate"
149fi
150
151# ===
152# Generate client certificate
153# ===
154
155# generate private key; do no recreate it if they already exist.
156if [ ! -f "$CTL_BASE.key" ]; then
157    openssl genrsa -out "$CTL_BASE.key" "$BITS"
158fi
159
160cat >client.cnf <<EOF
161[req]
162default_bits=$BITS
163default_md=$HASH
164prompt=no
165distinguished_name=req_distinguished_name
166req_extensions=v3_req
167[req_distinguished_name]
168commonName=$CLIENTNAME
169[v3_req]
170basicConstraints=critical,CA:FALSE
171subjectAltName=DNS:$CLIENTNAME
172EOF
173
174[ -f client.cnf ] || fatal "cannot create openssl configuration"
175
176if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then
177    openssl x509 \
178        -addtrust serverAuth \
179        -in "$SVR_BASE.pem" \
180        -out "${SVR_BASE}_trust.pem"
181
182    openssl req \
183            -new \
184            -config client.cnf \
185            -key "$CTL_BASE.key" \
186        | openssl x509 \
187                  -req \
188                  -days "$DAYS" \
189                  -CA "${SVR_BASE}_trust.pem" \
190                  -CAkey "$SVR_BASE.key" \
191                  -CAcreateserial \
192                  -$HASH \
193                  -extfile client.cnf \
194                  -extensions v3_req \
195                  -out "$CTL_BASE.pem"
196
197    [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate"
198fi
199
200# remove unused permissions
201chmod o-rw \
202      "$SVR_BASE.pem" \
203      "$SVR_BASE.key" \
204      "$CTL_BASE.pem" \
205      "$CTL_BASE.key"
206
207cleanup
208
209echo "Setup success. Certificates created. Enable in unbound.conf file to use"
210
211# create trusted usage pem
212# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
213
214# see details with openssl x509 -noout -text < $SVR_BASE.pem
215# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
216# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
217# echo "preferences - advanced - encryption - view certificates - your certs"
218# echo "empty password is used, simply click OK on the password dialog box."
219# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
220
221