1#!/bin/sh 2# 3# unbound-control-setup.sh - set up SSL certificates for unbound-control 4# 5# Copyright (c) 2008, NLnet Labs. All rights reserved. 6# 7# This software is open source. 8# 9# Redistribution and use in source and binary forms, with or without 10# modification, are permitted provided that the following conditions 11# are met: 12# 13# Redistributions of source code must retain the above copyright notice, 14# this list of conditions and the following disclaimer. 15# 16# Redistributions in binary form must reproduce the above copyright notice, 17# this list of conditions and the following disclaimer in the documentation 18# and/or other materials provided with the distribution. 19# 20# Neither the name of the NLNET LABS nor the names of its contributors may 21# be used to endorse or promote products derived from this software without 22# specific prior written permission. 23# 24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 26# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 27# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE 28# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34# POSSIBILITY OF SUCH DAMAGE. 
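
# settings:

# directory for files
DESTDIR=/usr/local/etc/unbound

# issuer and subject name for certificates
SERVERNAME=unbound
CLIENTNAME=unbound-control

# validity period for certificates, in days
DAYS=7200

# size of RSA keys in bits.  The former default of 1536 is below the
# 2048-bit minimum that current RSA guidance calls for; 3072 leaves margin
# for the long DAYS validity period above.
BITS=3072

# hash algorithm used to sign the certificates
HASH=sha256

# base name for unbound server keys
SVR_BASE=unbound_server

# base name for unbound-control keys
CTL_BASE=unbound_control

# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
# The umask applies to every key and certificate written below.
umask 0026

# end of options

# functions:

# error MESSAGE
#   Print a fatal error to stderr (so it is not mixed with the progress
#   messages on stdout) and exit with status 1.
error ( ) {
  printf '%s fatal error: %s\n' "$0" "$1" >&2
  exit 1
}

# usage
#   Print command help and exit with status 1.  Reached on any argument
#   other than "-d dir".
usage ( ) {
  echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
  echo "  -d dir  use directory to store keys and certificates."
  echo "          default: $DESTDIR"
  echo "please run this command using the same user id that the "
  echo "unbound daemon uses, it needs read privileges."
  exit 1
}

# check arguments:
while test $# -ne 0; do
  case $1 in
    -d)
      if test $# -eq 1; then error "need argument for -d"; fi
      DESTDIR="$2"
      shift
      ;;
    *)
      usage
      ;;
  esac
  shift
done

# go!:
# everything below shells out to openssl; fail early with a clear message
# instead of on the first generation step.
command -v openssl >/dev/null 2>&1 || error "openssl not found in PATH"

echo "setup in directory $DESTDIR"
# '--' keeps a directory name that starts with '-' from being read as an option.
cd -- "$DESTDIR" || error "could not cd to $DESTDIR"

# create certificate keys; do not recreate if they already exist.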
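# The intermediates below (request.cfg, the -addtrust copies of the
# certificates and the CA serial file) are only needed while signing.
# Remove them on every exit path, so a run that dies in error does not
# leave them behind.  The cwd is $DESTDIR here: the cd above either
# succeeded or the script has already exited.
cleanup ( ) {
  rm -f request.cfg
  rm -f "$CTL_BASE"_trust.pem "$SVR_BASE"_trust.pem "$SVR_BASE"_trust.srl
}
trap cleanup EXIT

# make_key BASENAME
#   Generate BASENAME.key with an RSA key of $BITS bits unless the file
#   already exists: re-running the setup must not rotate keys the daemon
#   and its clients are already using.  Exits via error on failure.
make_key ( ) {
  if test -f "$1.key"; then
    echo "$1.key exists"
  else
    echo "generating $1.key"
    openssl genrsa -out "$1.key" "$BITS" || error "could not genrsa"
  fi
}

make_key "$SVR_BASE"
make_key "$CTL_BASE"

# write_request_cfg COMMONNAME
#   Write request.cfg, an openssl req configuration for a non-interactive
#   request whose only subject field is commonName=COMMONNAME.
#   Exits via error if the file could not be created.
write_request_cfg ( ) {
  cat >request.cfg <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name

[req_distinguished_name]
commonName=$1
EOF
  test -f request.cfg || error "could not create request.cfg"
}

# create self-signed cert for server
write_request_cfg "$SERVERNAME"

echo "create $SVR_BASE.pem (self signed certificate)"
openssl req -key "$SVR_BASE.key" -config request.cfg -new -x509 -days "$DAYS" -out "$SVR_BASE.pem" || error "could not create $SVR_BASE.pem"
# create trusted usage pem; this copy is the CA file the client cert is
# signed with below, so its creation must be checked too.
openssl x509 -in "$SVR_BASE.pem" -addtrust serverAuth -out "$SVR_BASE"_trust.pem || error "could not create $SVR_BASE""_trust.pem"

# create client request and sign it, piped
write_request_cfg "$CLIENTNAME"

echo "create $CTL_BASE.pem (signed client certificate)"
# Check the pipeline's exit status as well as the output file: a stale
# $CTL_BASE.pem from an earlier run would satisfy the -f test alone even
# when signing failed this time.
openssl req -key "$CTL_BASE.key" -config request.cfg -new | openssl x509 -req -days "$DAYS" -CA "$SVR_BASE"_trust.pem -CAkey "$SVR_BASE.key" -CAcreateserial -"$HASH" -out "$CTL_BASE.pem" || error "could not create $CTL_BASE.pem"
test -f "$CTL_BASE.pem" || error "could not create $CTL_BASE.pem"
# create trusted usage pem
# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"

# see details with openssl x509 -noout -text < $SVR_BASE.pem
# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
# echo "preferences - advanced - encryption - view certificates - your certs"
# echo "empty password is used, simply click OK on the password dialog box."
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"

# remove unused permissions (the umask already withholds them from new
# files; this also covers keys that pre-existed the run)
chmod o-rw "$SVR_BASE.pem" "$SVR_BASE.key" "$CTL_BASE.pem" "$CTL_BASE.key"

# request.cfg, the _trust.pem copies and the .srl file are removed by the
# EXIT trap (cleanup) on the way out.

echo "Setup success. Certificates created. Enable in unbound.conf file to use"

exit 0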