1238106Sdes#!/bin/sh 2238106Sdes# 3238106Sdes# unbound-control-setup.sh - set up SSL certificates for unbound-control 4238106Sdes# 5238106Sdes# Copyright (c) 2008, NLnet Labs. All rights reserved. 6238106Sdes# 7238106Sdes# This software is open source. 8238106Sdes# 9238106Sdes# Redistribution and use in source and binary forms, with or without 10238106Sdes# modification, are permitted provided that the following conditions 11238106Sdes# are met: 12238106Sdes# 13238106Sdes# Redistributions of source code must retain the above copyright notice, 14238106Sdes# this list of conditions and the following disclaimer. 15238106Sdes# 16238106Sdes# Redistributions in binary form must reproduce the above copyright notice, 17238106Sdes# this list of conditions and the following disclaimer in the documentation 18238106Sdes# and/or other materials provided with the distribution. 19238106Sdes# 20238106Sdes# Neither the name of the NLNET LABS nor the names of its contributors may 21238106Sdes# be used to endorse or promote products derived from this software without 22238106Sdes# specific prior written permission. 23238106Sdes# 24238106Sdes# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25269257Sdes# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26269257Sdes# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27269257Sdes# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28269257Sdes# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29269257Sdes# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 30269257Sdes# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 31269257Sdes# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 32269257Sdes# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 33269257Sdes# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 34269257Sdes# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35238106Sdes 36238106Sdes# settings: 37238106Sdes 38238106Sdes# directory for files 39285206SdesDESTDIR=/var/unbound 40238106Sdes 41238106Sdes# issuer and subject name for certificates 42238106SdesSERVERNAME=unbound 43238106SdesCLIENTNAME=unbound-control 44238106Sdes 45238106Sdes# validity period for certificates 46238106SdesDAYS=7200 47238106Sdes 48238106Sdes# size of keys in bits 49291767SdesBITS=3072 50238106Sdes 51238106Sdes# hash algorithm 52238106SdesHASH=sha256 53238106Sdes 54238106Sdes# base name for unbound server keys 55238106SdesSVR_BASE=unbound_server 56238106Sdes 57238106Sdes# base name for unbound-control keys 58238106SdesCTL_BASE=unbound_control 59238106Sdes 60255595Sdes# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). 61255595Sdesumask 0027 62238106Sdes 63238106Sdes# end of options 64238106Sdes 65238106Sdes# functions: 66238106Sdeserror ( ) { 67238106Sdes echo "$0 fatal error: $1" 68238106Sdes exit 1 69238106Sdes} 70238106Sdes 71238106Sdes# check arguments: 72238106Sdeswhile test $# -ne 0; do 73238106Sdes case $1 in 74238106Sdes -d) 75238106Sdes if test $# -eq 1; then error "need argument for -d"; fi 76238106Sdes DESTDIR="$2" 77238106Sdes shift 78238106Sdes ;; 79238106Sdes *) 80238106Sdes echo "unbound-control-setup.sh - setup SSL keys for unbound-control" 81238106Sdes echo " -d dir use directory to store keys and certificates." 82238106Sdes echo " default: $DESTDIR" 83238106Sdes echo "please run this command using the same user id that the " 84238106Sdes echo "unbound daemon uses, it needs read privileges." 85238106Sdes exit 1 86238106Sdes ;; 87238106Sdes esac 88238106Sdes shift 89238106Sdesdone 90238106Sdes 91238106Sdes# go!: 92238106Sdesecho "setup in directory $DESTDIR" 93238106Sdescd "$DESTDIR" || error "could not cd to $DESTDIR" 94238106Sdes 95238106Sdes# create certificate keys; do not recreate if they already exist. 96238106Sdesif test -f $SVR_BASE.key; then 97238106Sdes echo "$SVR_BASE.key exists" 98238106Sdeselse 99238106Sdes echo "generating $SVR_BASE.key" 100238106Sdes openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa" 101238106Sdesfi 102238106Sdesif test -f $CTL_BASE.key; then 103238106Sdes echo "$CTL_BASE.key exists" 104238106Sdeselse 105238106Sdes echo "generating $CTL_BASE.key" 106238106Sdes openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa" 107238106Sdesfi 108238106Sdes 109238106Sdes# create self-signed cert for server 110294190Sdesecho "[req]\n" > request.cfg 111294190Sdesecho "default_bits=$BITS\n" >> request.cfg 112294190Sdesecho "default_md=$HASH\n" >> request.cfg 113294190Sdesecho "prompt=no\n" >> request.cfg 114294190Sdesecho "distinguished_name=req_distinguished_name\n" >> request.cfg 115294190Sdesecho "\n" >> request.cfg 116294190Sdesecho "[req_distinguished_name]\n" >> request.cfg 117294190Sdesecho "commonName=$SERVERNAME\n" >> request.cfg 118238106Sdes 119238106Sdestest -f request.cfg || error "could not create request.cfg" 120238106Sdes 121238106Sdesecho "create $SVR_BASE.pem (self signed certificate)" 122238106Sdesopenssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" 123238106Sdes# create trusted usage pem 124238106Sdesopenssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" 125238106Sdes 126238106Sdes# create client request and sign it, piped 127294190Sdesecho "[req]\n" > request.cfg 128294190Sdesecho "default_bits=$BITS\n" >> request.cfg 129294190Sdesecho "default_md=$HASH\n" >> request.cfg 130294190Sdesecho "prompt=no\n" >> request.cfg 131294190Sdesecho "distinguished_name=req_distinguished_name\n" >> request.cfg 132294190Sdesecho "\n" >> request.cfg 133294190Sdesecho "[req_distinguished_name]\n" >> request.cfg 134294190Sdesecho "commonName=$CLIENTNAME" >> request.cfg 135238106Sdes 136238106Sdestest -f request.cfg || error "could not create request.cfg" 137238106Sdes 138238106Sdesecho "create $CTL_BASE.pem (signed client certificate)" 139238106Sdesopenssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem 140238106Sdestest -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" 141238106Sdes# create trusted usage pem 142238106Sdes# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" 143238106Sdes 144238106Sdes# see details with openssl x509 -noout -text < $SVR_BASE.pem 145238106Sdes# echo "create $CTL_BASE""_browser.pfx (web client certificate)" 146238106Sdes# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" 147238106Sdes# echo "preferences - advanced - encryption - view certificates - your certs" 148238106Sdes# echo "empty password is used, simply click OK on the password dialog box." 149238106Sdes# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" 150238106Sdes 151238106Sdes# remove unused permissions 152238106Sdeschmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key 153238106Sdes 154238106Sdes# remove crap 155238106Sdesrm -f request.cfg 156238106Sdesrm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl" 157238106Sdes 158238106Sdesecho "Setup success. Certificates created. Enable in unbound.conf file to use" 159238106Sdes 160238106Sdesexit 0 161