#!/bin/sh
#
# Utility to manage an internal certificate authority using OpenSSL.
set -eu
PROGNAME=pki
USAGE="<init|cert|client-cert|renew|pkcs12|show>"
BOXCONF_ROOT=$(dirname "$(readlink -f "$0")")
BOXCONF_CA_PASSWORD_FILE="${BOXCONF_ROOT}/.ca_password"
CA_VALID_DAYS=3650
DEFAULT_VALID_DAYS=3650
EC_CURVE=prime256v1
DIGEST=sha256
CIPHER=aes256
usage(){
printf 'usage: %s %s\n' "$PROGNAME" "$USAGE" 2>&1
exit 2
}
_pki_get_ca_password(){
# Acquire the CA password.
# If the BOXCONF_CA_PASSWORD environment variable is set, use that.
# Next, try reading the password from the .ca_password file.
# If all else fails, prompt interactively.
if [ -n "${BOXCONF_CA_PASSWORD:-}" ]; then
return
elif [ -f "$BOXCONF_CA_PASSWORD_FILE" ]; then
BOXCONF_CA_PASSWORD=$(cat "$BOXCONF_CA_PASSWORD_FILE")
else
_boxconf_read_password 'Enter CA password: ' BOXCONF_CA_PASSWORD
fi
}
_pki_dn2cnf() {
# Convert an LDAP DN to its OpenSSL .cnf file representation.
echo "$1" \
| tr ',' '\n' \
| awk '{a[i++]=$0} END {for (j=i-1; j>=0;) print a[j--] }' \
| sed \
-e 's/^[Cc][Nn]=/commonName=/' \
-e 's/^[Oo]=/organizationName=/' \
-e 's/^[Oo][Uu]=/organizationalUnitName=/' \
-e 's/^[Dd][Cc]=/domainComponent=/' \
-e 's/^[Cc]=/countryName=/' \
-e 's/^[Ss][Tt]=/stateOrProvinceName=/' \
-e 's/^[Ll]=/locality=/' \
-e 's/^[Ss][Nn]=/surName=/' \
-e 's/^[Gg][Nn]=/givenName=/' \
-e 's/^[Uu][Ii][Dd]=/userId=/' \
| awk '{print NR-1 "." $0}'
}
_pki_postsign(){
# Create symlinks and delete temp files after signing a certificate.
# $1 = certificate path
# Create symlink with human-readable name.
serial=$(awk 'END{print $3}' "${BOXCONF_CA_DIR}/index.txt")
ln -sf "../certs/${serial}.pem" "${BOXCONF_CA_DIR}/${1}.crt"
# Create fullchain certificate.
cat "${BOXCONF_CA_DIR}/${1}.crt" "${BOXCONF_CA_DIR}/ca.crt" > "${BOXCONF_CA_DIR}/${1}.fullchain.crt"
# Delete useless files.
rm -f \
"${BOXCONF_CA_DIR}/index.txt.old" \
"${BOXCONF_CA_DIR}/index.txt.attr.old" \
"${BOXCONF_CA_DIR}/serial.old"
}
_pki_sign(){
# Given an OpenSSL config file, generate a signed certificate keypair.
# $1 = certificate path
# $2 = validity time (days)
# Generate encrypted private key for the server certificate.
PASS="$BOXCONF_VAULT_PASSWORD" openssl genpkey \
-algorithm ec \
-pkeyopt "ec_paramgen_curve:${EC_CURVE}" \
"-${CIPHER}" \
-pass env:PASS \
-out "${BOXCONF_CA_DIR}/${1}.key"
# Generate the CSR.
PASS="$BOXCONF_VAULT_PASSWORD" openssl req -new \
-key "${BOXCONF_CA_DIR}/${1}.key" \
"-${DIGEST}" \
-passin env:PASS \
-config "${BOXCONF_CA_DIR}/${1}.cnf" \
-out "${BOXCONF_CA_DIR}/${1}.csr"
# Sign the certificate.
PASS="$BOXCONF_CA_PASSWORD" openssl ca -batch \
-config "${BOXCONF_CA_DIR}/ca.cnf" \
-passin env:PASS \
${2:+-days $2} \
-notext \
-out /dev/null \
-outdir "${BOXCONF_CA_DIR}/certs" \
-infiles "${BOXCONF_CA_DIR}/${1}.csr"
_pki_postsign "$1"
}
_pki_renew(){
# Re-sign an existing certificate.
# $1 = certificate path
# $2 = validity time (time)
_pki_get_ca_password
# Sign the certificate.
PASS="$BOXCONF_CA_PASSWORD" openssl ca -batch \
-config "${BOXCONF_CA_DIR}/ca.cnf" \
-passin env:PASS \
${2:+-days $2} \
-notext \
-out /dev/null \
-outdir "${BOXCONF_CA_DIR}/certs" \
-infiles "${BOXCONF_CA_DIR}/${1}.csr"
_pki_postsign "$1"
}
pki_init(){
# Initialize the CA. Create CA cert, private key, and OpenSSL configuration.
USAGE='init [-c CONSTRAINT]... DOMAIN'
constraints=''
while getopts :c: opt; do
case $opt in
c) constraints="${constraints}, permitted;${OPTARG}" ;;
:) usage ;;
?) usage ;;
esac
done
shift $((OPTIND - 1 ))
[ $# -eq 1 ] || usage
domain=$1
[ -d "$BOXCONF_CA_DIR" ] && die 'CA already exists'
_pki_get_ca_password
mkdir -p "${BOXCONF_CA_DIR}/certs"
# Generate encrypted private key for CA.
PASS="$BOXCONF_CA_PASSWORD" openssl genpkey \
-algorithm ec \
-pkeyopt "ec_paramgen_curve:${EC_CURVE}" \
"-${CIPHER}" \
-pass env:PASS \
-out "${BOXCONF_CA_DIR}/ca.key"
# Create a config file for the CA certificate.
cat > "${BOXCONF_CA_DIR}/ca.cnf" <<EOF
[ req ]
x509_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[ v3_req ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = permitted;DNS:${domain}, permitted;DNS:.${domain}, permitted;email:.${domain}${constraints}
[ req_distinguished_name ]
O = ${domain}
CN = Certificate Authority
[ ca ]
preserve = yes
default_ca = CA_own
[ CA_own ]
dir = .${BOXCONF_CA_DIR#${BOXCONF_ROOT}}
new_certs_dir = \$dir/certs
database = \$dir/index.txt
rand_serial = yes
unique_subject = no
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = ${DEFAULT_VALID_DAYS}
default_crl_days = 30
default_md = ${DIGEST}
preserve = yes
policy = policy_anything
copy_extensions = copy
x509_extensions = v3
[ v3 ]
basicConstraints = critical, CA:FALSE
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
EOF
# Self-sign the CA certificate.
PASS="$BOXCONF_CA_PASSWORD" openssl req -new -x509 \
-days "$CA_VALID_DAYS" \
"-${DIGEST}" \
-passin env:PASS \
-config "${BOXCONF_CA_DIR}/ca.cnf" \
-key "${BOXCONF_CA_DIR}/ca.key" \
-out "${BOXCONF_CA_DIR}/ca.crt"
# Create empty index db.
[ -f "${BOXCONF_CA_DIR}/index.txt" ] || touch "${BOXCONF_CA_DIR}/index.txt"
}
pki_server(){
# Create a server certificate keypair.
USAGE='server-cert [-d DAYS] HOSTNAME CERTNAME SAN...'
while getopts :d: opt; do
case $opt in
d) days=$OPTARG ;;
:|?) usage ;;
esac
done
shift $((OPTIND - 1 ))
[ $# -ge 3 ] || usage
hostname=$1; certname=$2; cn=${3#*:}
shift 2
[ -e "${BOXCONF_CA_DIR}/${hostname}/${certname}.cnf" ] && die "certificate already exists: ${hostname}/${certname}"
_pki_get_ca_password
_boxconf_get_vault_password
# Generate the SAN list. If the arg contains a ':', pass along as-is.
# If no ':' is present, assume type 'DNS:'.
while [ $# -gt 0 ]; do
if [ "${1#*:}" = "$1" ]; then
sans="${sans:+${sans},}DNS:${1}"
else
sans="${sans:+${sans},}${1}"
fi
shift
done
# Create host directory.
mkdir -p "${BOXCONF_CA_DIR}/${hostname}"
# Create a config file for the server certificate.
cat > "${BOXCONF_CA_DIR}/${hostname}/${certname}.cnf" <<EOF
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[ v3_req ]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = ${sans}
[ req_distinguished_name ]
CN = ${cn}
EOF
# Generate and sign the certificate.
_pki_sign "${hostname}/${certname}" "${days:-}"
}
pki_client(){
# Create a client certificate keypair.
USAGE='client-cert HOSTNAME CERTNAME DN [SAN...]'
while getopts :d: opt; do
case $opt in
d) days=$OPTARG ;;
:|?) usage ;;
esac
done
shift $((OPTIND - 1 ))
[ $# -ge 3 ] || usage
hostname=$1; certname=$2; dn=$3
shift 3
[ -e "${BOXCONF_CA_DIR}/${hostname}/${certname}.cnf" ] && die "certificate already exists: ${hostname}/${certname}"
_pki_get_ca_password
_boxconf_get_vault_password
# Generate the SAN list.
if [ $# -gt 0 ]; then
sans=$1; shift
while [ $# -gt 0 ]; do
sans="${sans}, ${1}"
shift
done
fi
# Create host directory.
mkdir -p "${BOXCONF_CA_DIR}/${hostname}"
# Create a config file for the client certificate.
cat > "${BOXCONF_CA_DIR}/${hostname}/${certname}.cnf" <<EOF
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[ v3_req ]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth
${sans:+subjectAltName = $sans}
[ req_distinguished_name ]
$(_pki_dn2cnf "$dn")
EOF
# Generate and sign the certificate.
_pki_sign "${hostname}/${certname}" "${days:-}"
}
pki_renew(){
# Renew an existing certificate.
USAGE='renew [-d DAYS] HOSTNAME CERTNAME'
while getopts :d: opt; do
case $opt in
d) days=$OPTARG ;;
:|?) usage ;;
esac
done
shift $((OPTIND - 1 ))
[ $# -eq 2 ] || usage
[ -f "${BOXCONF_CA_DIR}/${1}/${2}.csr" ] || die "CSR does not exist: ${1}/${2}.csr"
_pki_renew "${1}/${2}" "${days:-}"
}
pki_pkcs12(){
# Generate a pkcs12 bundle.
USAGE='pkcs12 HOSTNAME CERTNAME PATH'
[ $# -eq 3 ] || usage
[ -f "${BOXCONF_CA_DIR}/${1}/${2}.crt" ] || die "certificate does not exist: ${1}/${2}.crt"
[ -f "${BOXCONF_CA_DIR}/${1}/${2}.key" ] || die "key does not exist: ${1}/${2}.key"
_boxconf_get_vault_password
PASS="$BOXCONF_VAULT_PASSWORD" openssl pkcs12 -legacy -export \
-out "$3" \
-inkey "${BOXCONF_CA_DIR}/${1}/${2}.key" \
-in "${BOXCONF_CA_DIR}/${1}/${2}.crt" \
-name "$2" \
-passin env:PASS
}
pki_show(){
# Show a certificate and decrypted private key.
USAGE='show HOSTNAME CERTNAME'
[ -f "${BOXCONF_CA_DIR}/${1}/${2}.crt" ] || die "certificate does not exist: ${1}/${2}.crt"
[ -f "${BOXCONF_CA_DIR}/${1}/${2}.key" ] || die "key does not exist: ${1}/${2}.key"
_boxconf_get_vault_password
cat "${BOXCONF_CA_DIR}/${1}/${2}.crt"
_boxconf_decrypt_key "${BOXCONF_CA_DIR}/${1}/${2}.key"
}
[ $# -ge 1 ] || usage
action=$1; shift
for _bc_lib in "${BOXCONF_ROOT}/lib"/*; do
. "$_bc_lib"
done
case $action in
init) pki_init "$@" ;;
server-cert|server|cert) pki_server "$@" ;;
client-cert|client) pki_client "$@" ;;
renew) pki_renew "$@" ;;
pkcs12) pki_pkcs12 "$@" ;;
show) pki_show "$@" ;;
*) usage ;;
esac
