#!/bin/sh
#
# unbound-control-setup.sh - set up SSL certificates for unbound-control
#
# Copyright (c) 2008, NLnet Labs. All rights reserved.
#
# This software is open source.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# Neither the name of the NLNET LABS nor the names of its contributors may
# be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# settings (edit here; the -d option overrides DESTDIR at run time):

# directory the keys and certificates are written to
DESTDIR="/var/unbound"

# commonName of the server (issuer) and of the unbound-control client (subject)
SERVERNAME="unbound"
CLIENTNAME="unbound-control"

# certificate lifetime, in days
DAYS="7200"

# RSA key size, in bits
BITS="3072"

# signature hash algorithm
HASH="sha256"

# file name stems: <stem>.key holds the private key, <stem>.pem the certificate
SVR_BASE="unbound_server"
CTL_BASE="unbound_control"

# every file created below comes out -rw-r----- : owner (and group) only,
# so private keys are never world-readable even before the final chmod.
umask 0027

# end of options

# functions:
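# error MESSAGE - print a fatal error and stop the script with status 1.
# Diagnostics go to stderr so they are not mixed into (or lost from) the
# progress messages on stdout; printf avoids echo's option/escape handling
# if MESSAGE ever starts with '-' or contains backslashes.
error() {
	printf '%s fatal error: %s\n' "$0" "$1" >&2
	exit 1
}
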
# check arguments: only -d DIR is accepted; anything else prints usage
while [ "$#" -gt 0 ]; do
	case "$1" in
	-d)
		# the directory is the next word; refuse a trailing bare -d
		[ "$#" -ge 2 ] || error "need argument for -d"
		DESTDIR="$2"
		shift 2
		;;
	*)
		# unknown option (or -h): show usage and fail
		echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
		echo "	-d dir	use directory to store keys and certificates."
		echo "		default: $DESTDIR"
		echo "please run this command using the same user id that the "
		echo "unbound daemon uses, it needs read privileges."
		exit 1
		;;
	esac
done

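# go!:

# all the real work is done by openssl(1); fail early with a clear message
# rather than part-way through with some files already written.
command -v openssl >/dev/null 2>&1 || error "openssl not found in PATH"

echo "setup in directory $DESTDIR"
cd "$DESTDIR" || error "could not cd to $DESTDIR"

# cleanup - remove the scratch files (request config, CA trust copy, serial
# file). Installed as an EXIT trap so that an error() exit part-way does not
# leave them behind in $DESTDIR; it is also run explicitly at the end.
cleanup() {
	rm -f request.cfg
	rm -f "${CTL_BASE}_trust.pem" "${SVR_BASE}_trust.pem" "${SVR_BASE}_trust.srl"
}
trap cleanup EXIT

# generate_key FILE - create an RSA private key of $BITS bits in FILE,
# unless FILE already exists. Existing keys are never overwritten, so
# re-running the script keeps the deployed key pair.
generate_key() {
	if test -f "$1"; then
		echo "$1 exists"
	else
		echo "generating $1"
		openssl genrsa -out "$1" "$BITS" || error "could not genrsa"
	fi
}

# write_request_cfg NAME - write the openssl req(1) configuration for a
# non-interactive request with commonName=NAME to request.cfg.
write_request_cfg() {
	{
		echo "[req]"
		echo "default_bits=$BITS"
		echo "default_md=$HASH"
		echo "prompt=no"
		echo "distinguished_name=req_distinguished_name"
		echo ""
		echo "[req_distinguished_name]"
		echo "commonName=$1"
	} > request.cfg || error "could not create request.cfg"
	test -f request.cfg || error "could not create request.cfg"
}

# create certificate keys; do not recreate if they already exist.
generate_key "$SVR_BASE.key"
generate_key "$CTL_BASE.key"

# create self-signed cert for server
write_request_cfg "$SERVERNAME"
echo "create $SVR_BASE.pem (self signed certificate)"
openssl req -key "$SVR_BASE.key" -config request.cfg -new -x509 -days "$DAYS" \
	-out "$SVR_BASE.pem" || error "could not create $SVR_BASE.pem"
# create trusted usage pem; it is the CA input for signing the client cert
openssl x509 -in "$SVR_BASE.pem" -addtrust serverAuth -out "${SVR_BASE}_trust.pem" \
	|| error "could not create ${SVR_BASE}_trust.pem"

# create client request and sign it with the server key, piped.
# The pipeline's status is that of the signing step, so a failure there is
# reported here instead of only showing up as a missing or empty output file.
write_request_cfg "$CLIENTNAME"
echo "create $CTL_BASE.pem (signed client certificate)"
openssl req -key "$CTL_BASE.key" -config request.cfg -new \
	| openssl x509 -req -days "$DAYS" -CA "${SVR_BASE}_trust.pem" \
		-CAkey "$SVR_BASE.key" -CAcreateserial "-$HASH" -out "$CTL_BASE.pem" \
	|| error "could not create $CTL_BASE.pem"
test -f "$CTL_BASE.pem" || error "could not create $CTL_BASE.pem"
# create trusted usage pem
# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"

# see details with openssl x509 -noout -text < $SVR_BASE.pem
# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
# echo "preferences - advanced - encryption - view certificates - your certs"
# echo "empty password is used, simply click OK on the password dialog box."
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"

# set desired permissions: owner/group read only, also for keys that already
# existed and were skipped above. A failure here must not be reported as
# success, since it would leave key material with whatever mode it had.
chmod 0640 "$SVR_BASE.pem" "$SVR_BASE.key" "$CTL_BASE.pem" "$CTL_BASE.key" \
	|| error "could not set permissions on keys and certificates"

# remove crap
cleanup

echo "Setup success. Certificates created. Enable in unbound.conf file to use"

exit 0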