xref: /freebsd/contrib/unbound/smallapp/unbound-control-setup.sh (revision e8e8c939350bdf3c228a411caa9660c607c27a11) 
1#!/bin/sh
2#
3# unbound-control-setup.sh - set up SSL certificates for unbound-control
4#
5# Copyright (c) 2008, NLnet Labs. All rights reserved.
6#
7# This software is open source.
8#
9# Redistribution and use in source and binary forms, with or without
10# modification, are permitted provided that the following conditions
11# are met:
12#
13# Redistributions of source code must retain the above copyright notice,
14# this list of conditions and the following disclaimer.
15#
16# Redistributions in binary form must reproduce the above copyright notice,
17# this list of conditions and the following disclaimer in the documentation
18# and/or other materials provided with the distribution.
19#
20# Neither the name of the NLNET LABS nor the names of its contributors may
21# be used to endorse or promote products derived from this software without
22# specific prior written permission.
23#
24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35
36# settings:
37
38# directory for files
39DESTDIR=/var/unbound
40
41# issuer and subject name for certificates
42SERVERNAME=unbound
43CLIENTNAME=unbound-control
44
45# validity period for certificates
46DAYS=7200
47
48# size of keys in bits
49BITS=1536
50
51# hash algorithm
52HASH=sha256
53
54# base name for unbound server keys
55SVR_BASE=unbound_server
56
57# base name for unbound-control keys
58CTL_BASE=unbound_control
59
60# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
61umask 0027
62
63# end of options
64
65# functions:
66error ( ) {
67	echo "$0 fatal error: $1"
68	exit 1
69}
70
71# check arguments:
72while test $# -ne 0; do
73	case $1 in
74	-d)
75	if test $# -eq 1; then error "need argument for -d"; fi
76	DESTDIR="$2"
77	shift
78	;;
79	*)
80	echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
81	echo "	-d dir	use directory to store keys and certificates."
82	echo "		default: $DESTDIR"
83	echo "please run this command using the same user id that the "
84	echo "unbound daemon uses, it needs read privileges."
85	exit 1
86	;;
87	esac
88	shift
89done
90
91# go!:
92echo "setup in directory $DESTDIR"
93cd "$DESTDIR" || error "could not cd to $DESTDIR"
94
95# create certificate keys; do not recreate if they already exist.
96if test -f $SVR_BASE.key; then
97	echo "$SVR_BASE.key exists"
98else
99	echo "generating $SVR_BASE.key"
100	openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa"
101fi
102if test -f $CTL_BASE.key; then
103	echo "$CTL_BASE.key exists"
104else
105	echo "generating $CTL_BASE.key"
106	openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa"
107fi
108
109# create self-signed cert for server
110cat >request.cfg <<EOF
111[req]
112default_bits=$BITS
113default_md=$HASH
114prompt=no
115distinguished_name=req_distinguished_name
116
117[req_distinguished_name]
118commonName=$SERVERNAME
119EOF
120test -f request.cfg || error "could not create request.cfg"
121
122echo "create $SVR_BASE.pem (self signed certificate)"
123openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
124# create trusted usage pem
125openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
126
127# create client request and sign it, piped
128cat >request.cfg <<EOF
129[req]
130default_bits=$BITS
131default_md=$HASH
132prompt=no
133distinguished_name=req_distinguished_name
134
135[req_distinguished_name]
136commonName=$CLIENTNAME
137EOF
138test -f request.cfg || error "could not create request.cfg"
139
140echo "create $CTL_BASE.pem (signed client certificate)"
141openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
142test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
143# create trusted usage pem
144# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
145
146# see details with openssl x509 -noout -text < $SVR_BASE.pem
147# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
148# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
149# echo "preferences - advanced - encryption - view certificates - your certs"
150# echo "empty password is used, simply click OK on the password dialog box."
151# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
152
153# remove unused permissions
154chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
155
156# remove crap
157rm -f request.cfg
158rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"
159
160echo "Setup success. Certificates created. Enable in unbound.conf file to use"
161
162exit 0
163