unbound-control-setup.sh revision 269257
1122679Sume#!/bin/sh 262655Skris# 356668Sshin# unbound-control-setup.sh - set up SSL certificates for unbound-control 456668Sshin# 556668Sshin# Copyright (c) 2008, NLnet Labs. All rights reserved. 662655Skris# 756668Sshin# This software is open source. 856668Sshin# 956668Sshin# Redistribution and use in source and binary forms, with or without 1056668Sshin# modification, are permitted provided that the following conditions 1156668Sshin# are met: 1256668Sshin# 1356668Sshin# Redistributions of source code must retain the above copyright notice, 1456668Sshin# this list of conditions and the following disclaimer. 1556668Sshin# 1656668Sshin# Redistributions in binary form must reproduce the above copyright notice, 1756668Sshin# this list of conditions and the following disclaimer in the documentation 1862655Skris# and/or other materials provided with the distribution. 1956668Sshin# 2056668Sshin# Neither the name of the NLNET LABS nor the names of its contributors may 2156668Sshin# be used to endorse or promote products derived from this software without 2256668Sshin# specific prior written permission. 2356668Sshin# 2456668Sshin# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 2556668Sshin# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 2656668Sshin# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 2756668Sshin# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 2856668Sshin# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 2956668Sshin# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 3056668Sshin# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 3156668Sshin# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 32173298Scharnier# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 33173298Scharnier# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 34173298Scharnier# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 3556668Sshin 3656668Sshin# settings: 3756668Sshin 3856668Sshin# directory for files 3956668Sshinprefix= 4056668SshinDESTDIR=${prefix}/etc/unbound 4156668Sshin 4256668Sshin# issuer and subject name for certificates 4356668SshinSERVERNAME=unbound 4456668SshinCLIENTNAME=unbound-control 4556668Sshin 4656668Sshin# validity period for certificates 4756668SshinDAYS=7200 4856668Sshin 4956668Sshin# size of keys in bits 5056668SshinBITS=1536 5156668Sshin 5256668Sshin# hash algorithm 5356668SshinHASH=sha256 5456668Sshin 5556668Sshin# base name for unbound server keys 5656668SshinSVR_BASE=unbound_server 5756668Sshin 5856668Sshin# base name for unbound-control keys 5956668SshinCTL_BASE=unbound_control 6056668Sshin 6156668Sshin# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). 6256668Sshinumask 0027 6356668Sshin 6495023Ssuz# end of options 6556668Sshin 6656668Sshin# functions: 67173412Skevloerror ( ) { 68173412Skevlo echo "$0 fatal error: $1" 69173412Skevlo exit 1 70173412Skevlo} 71173412Skevlo 72173412Skevlo# check arguments: 7356668Sshinwhile test $# -ne 0; do 7456668Sshin case $1 in 7556668Sshin -d) 7656668Sshin if test $# -eq 1; then error "need argument for -d"; fi 7756668Sshin DESTDIR="$2" 7856668Sshin shift 7956668Sshin ;; 8056668Sshin *) 81173298Scharnier echo "unbound-control-setup.sh - setup SSL keys for unbound-control" 8256668Sshin echo " -d dir use directory to store keys and certificates." 8356668Sshin echo " default: $DESTDIR" 8456668Sshin echo "please run this command using the same user id that the " 8556668Sshin echo "unbound daemon uses, it needs read privileges." 8656668Sshin exit 1 8756668Sshin ;; 8856668Sshin esac 8956668Sshin shift 9056668Sshindone 91173298Scharnier 9256668Sshin# go!: 9356668Sshinecho "setup in directory $DESTDIR" 9456668Sshincd "$DESTDIR" || error "could not cd to $DESTDIR" 9556668Sshin 9656668Sshin# create certificate keys; do not recreate if they already exist. 97122679Sumeif test -f $SVR_BASE.key; then 98122679Sume echo "$SVR_BASE.key exists" 99122679Sumeelse 10078064Sume echo "generating $SVR_BASE.key" 10156668Sshin openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa" 10256668Sshinfi 10356668Sshinif test -f $CTL_BASE.key; then 10456668Sshin echo "$CTL_BASE.key exists" 10556668Sshinelse 10656668Sshin echo "generating $CTL_BASE.key" 10756668Sshin openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa" 10856668Sshinfi 10956668Sshin 11056668Sshin# create self-signed cert for server 11156668Sshincat >request.cfg <<EOF 11256668Sshin[req] 11356668Sshindefault_bits=$BITS 11456668Sshindefault_md=$HASH 11556668Sshinprompt=no 11656668Sshindistinguished_name=req_distinguished_name 11756668Sshin 11856668Sshin[req_distinguished_name] 11956668SshincommonName=$SERVERNAME 12056668SshinEOF 12156668Sshintest -f request.cfg || error "could not create request.cfg" 12256668Sshin 12356668Sshinecho "create $SVR_BASE.pem (self signed certificate)" 12456668Sshinopenssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" 12556668Sshin# create trusted usage pem 12656668Sshinopenssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" 12756668Sshin 12856668Sshin# create client request and sign it, piped 12956668Sshincat >request.cfg <<EOF 13056668Sshin[req] 13156668Sshindefault_bits=$BITS 13256668Sshindefault_md=$HASH 13356668Sshinprompt=no 13456668Sshindistinguished_name=req_distinguished_name 13556668Sshin 13656668Sshin[req_distinguished_name] 13756668SshincommonName=$CLIENTNAME 13856668SshinEOF 13956668Sshintest -f request.cfg || error "could not create request.cfg" 14056668Sshin 14156668Sshinecho "create $CTL_BASE.pem (signed client certificate)" 14256668Sshinopenssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem 14356668Sshintest -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" 14456668Sshin# create trusted usage pem 14556668Sshin# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" 14656668Sshin 14756668Sshin# see details with openssl x509 -noout -text < $SVR_BASE.pem 14856668Sshin# echo "create $CTL_BASE""_browser.pfx (web client certificate)" 14956668Sshin# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" 15056668Sshin# echo "preferences - advanced - encryption - view certificates - your certs" 15156668Sshin# echo "empty password is used, simply click OK on the password dialog box." 152173298Scharnier# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" 15356668Sshin 15456668Sshin# remove unused permissions 15556668Sshinchmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key 15656668Sshin 15756668Sshin# remove crap 15856668Sshinrm -f request.cfg 15956668Sshinrm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl" 16056668Sshin 161122679Sumeecho "Setup success. Certificates created. Enable in unbound.conf file to use" 162122679Sume 16356668Sshinexit 0 16456668Sshin