1#!/bin/sh 2# 3# unbound-control-setup.sh - set up SSL certificates for unbound-control 4# 5# Copyright (c) 2008, NLnet Labs. All rights reserved. 6# 7# This software is open source. 8# 9# Redistribution and use in source and binary forms, with or without 10# modification, are permitted provided that the following conditions 11# are met: 12# 13# Redistributions of source code must retain the above copyright notice, 14# this list of conditions and the following disclaimer. 15# 16# Redistributions in binary form must reproduce the above copyright notice, 17# this list of conditions and the following disclaimer in the documentation 18# and/or other materials provided with the distribution. 19# 20# Neither the name of the NLNET LABS nor the names of its contributors may 21# be used to endorse or promote products derived from this software without 22# specific prior written permission. 23# 24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 36# settings: 37 38# directory for files 39prefix= 40DESTDIR=${prefix}/etc/unbound 41 42# issuer and subject name for certificates 43SERVERNAME=unbound 44CLIENTNAME=unbound-control 45 46# validity period for certificates 47DAYS=7200 48 49# size of keys in bits 50BITS=1536 51 52# hash algorithm 53HASH=sha256 54 55# base name for unbound server keys 56SVR_BASE=unbound_server 57 58# base name for unbound-control keys 59CTL_BASE=unbound_control 60 61# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). 62umask 0027 63 64# end of options 65 66# functions: 67error ( ) { 68 echo "$0 fatal error: $1" 69 exit 1 70} 71 72# check arguments: 73while test $# -ne 0; do 74 case $1 in 75 -d) 76 if test $# -eq 1; then error "need argument for -d"; fi 77 DESTDIR="$2" 78 shift 79 ;; 80 *) 81 echo "unbound-control-setup.sh - setup SSL keys for unbound-control" 82 echo " -d dir use directory to store keys and certificates." 83 echo " default: $DESTDIR" 84 echo "please run this command using the same user id that the " 85 echo "unbound daemon uses, it needs read privileges." 86 exit 1 87 ;; 88 esac 89 shift 90done 91 92# go!: 93echo "setup in directory $DESTDIR" 94cd "$DESTDIR" || error "could not cd to $DESTDIR" 95 96# create certificate keys; do not recreate if they already exist. 97if test -f $SVR_BASE.key; then 98 echo "$SVR_BASE.key exists" 99else 100 echo "generating $SVR_BASE.key" 101 openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa" 102fi 103if test -f $CTL_BASE.key; then 104 echo "$CTL_BASE.key exists" 105else 106 echo "generating $CTL_BASE.key" 107 openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa" 108fi 109 110# create self-signed cert for server 111cat >request.cfg <<EOF 112[req] 113default_bits=$BITS 114default_md=$HASH 115prompt=no 116distinguished_name=req_distinguished_name 117 118[req_distinguished_name] 119commonName=$SERVERNAME 120EOF 121test -f request.cfg || error "could not create request.cfg" 122 123echo "create $SVR_BASE.pem (self signed certificate)" 124openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" 125# create trusted usage pem 126openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" 127 128# create client request and sign it, piped 129cat >request.cfg <<EOF 130[req] 131default_bits=$BITS 132default_md=$HASH 133prompt=no 134distinguished_name=req_distinguished_name 135 136[req_distinguished_name] 137commonName=$CLIENTNAME 138EOF 139test -f request.cfg || error "could not create request.cfg" 140 141echo "create $CTL_BASE.pem (signed client certificate)" 142openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem 143test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" 144# create trusted usage pem 145# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" 146 147# see details with openssl x509 -noout -text < $SVR_BASE.pem 148# echo "create $CTL_BASE""_browser.pfx (web client certificate)" 149# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" 150# echo "preferences - advanced - encryption - view certificates - your certs" 151# echo "empty password is used, simply click OK on the password dialog box." 152# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" 153 154# remove unused permissions 155chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key 156 157# remove crap 158rm -f request.cfg 159rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl" 160 161echo "Setup success. Certificates created. Enable in unbound.conf file to use" 162 163exit 0 164