1#!/bin/sh
2#
3# unbound-control-setup.sh - set up SSL certificates for unbound-control
4#
5# Copyright (c) 2008, NLnet Labs. All rights reserved.
6#
7# This software is open source.
8# 
9# Redistribution and use in source and binary forms, with or without
10# modification, are permitted provided that the following conditions
11# are met:
12# 
13# Redistributions of source code must retain the above copyright notice,
14# this list of conditions and the following disclaimer.
15# 
16# Redistributions in binary form must reproduce the above copyright notice,
17# this list of conditions and the following disclaimer in the documentation
18# and/or other materials provided with the distribution.
19# 
20# Neither the name of the NLNET LABS nor the names of its contributors may
21# be used to endorse or promote products derived from this software without
22# specific prior written permission.
23# 
24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35
36# settings:
37
38# directory for files
39prefix=
40DESTDIR=${prefix}/etc/unbound
41
42# issuer and subject name for certificates
43SERVERNAME=unbound
44CLIENTNAME=unbound-control
45
46# validity period for certificates
47DAYS=7200
48
49# size of keys in bits
50BITS=1536
51
52# hash algorithm
53HASH=sha256
54
55# base name for unbound server keys
56SVR_BASE=unbound_server
57
58# base name for unbound-control keys
59CTL_BASE=unbound_control
60
61# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
62umask 0027
63
64# end of options
65
66# functions:
67error ( ) {
68	echo "$0 fatal error: $1"
69	exit 1
70}
71
72# check arguments:
73while test $# -ne 0; do
74	case $1 in
75	-d)
76	if test $# -eq 1; then error "need argument for -d"; fi
77	DESTDIR="$2"
78	shift
79	;;
80	*)
81	echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
82	echo "	-d dir	use directory to store keys and certificates."
83	echo "		default: $DESTDIR"
84	echo "please run this command using the same user id that the "
85	echo "unbound daemon uses, it needs read privileges."
86	exit 1
87	;;
88	esac
89	shift
90done
91
92# go!:
93echo "setup in directory $DESTDIR"
94cd "$DESTDIR" || error "could not cd to $DESTDIR"
95
96# create certificate keys; do not recreate if they already exist.
97if test -f $SVR_BASE.key; then
98	echo "$SVR_BASE.key exists"
99else
100	echo "generating $SVR_BASE.key"
101	openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa"
102fi
103if test -f $CTL_BASE.key; then
104	echo "$CTL_BASE.key exists"
105else
106	echo "generating $CTL_BASE.key"
107	openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa"
108fi
109
110# create self-signed cert for server
111cat >request.cfg <<EOF
112[req]
113default_bits=$BITS
114default_md=$HASH
115prompt=no
116distinguished_name=req_distinguished_name
117
118[req_distinguished_name]
119commonName=$SERVERNAME
120EOF
121test -f request.cfg || error "could not create request.cfg"
122
123echo "create $SVR_BASE.pem (self signed certificate)"
124openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
125# create trusted usage pem
126openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
127
128# create client request and sign it, piped
129cat >request.cfg <<EOF
130[req]
131default_bits=$BITS
132default_md=$HASH
133prompt=no
134distinguished_name=req_distinguished_name
135
136[req_distinguished_name]
137commonName=$CLIENTNAME
138EOF
139test -f request.cfg || error "could not create request.cfg"
140
141echo "create $CTL_BASE.pem (signed client certificate)"
142openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
143test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
144# create trusted usage pem
145# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
146
147# see details with openssl x509 -noout -text < $SVR_BASE.pem
148# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
149# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
150# echo "preferences - advanced - encryption - view certificates - your certs"
151# echo "empty password is used, simply click OK on the password dialog box."
152# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
153
154# remove unused permissions
155chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
156
157# remove crap
158rm -f request.cfg
159rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"
160
161echo "Setup success. Certificates created. Enable in unbound.conf file to use"
162
163exit 0
164