1#!/bin/sh 2# 3# nsd-control-setup.sh - set up SSL certificates for nsd-control 4# 5# Copyright (c) 2011, NLnet Labs. All rights reserved. 6# 7# This software is open source. 8# 9# Redistribution and use in source and binary forms, with or without 10# modification, are permitted provided that the following conditions 11# are met: 12# 13# Redistributions of source code must retain the above copyright notice, 14# this list of conditions and the following disclaimer. 15# 16# Redistributions in binary form must reproduce the above copyright notice, 17# this list of conditions and the following disclaimer in the documentation 18# and/or other materials provided with the distribution. 19# 20# Neither the name of the NLNET LABS nor the names of its contributors may 21# be used to endorse or promote products derived from this software without 22# specific prior written permission. 23# 24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
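
# settings:

# directory for files (@configdir@ is substituted at build time)
DESTDIR=@configdir@

# issuer and subject name for certificates
SERVERNAME=nsd
CLIENTNAME=nsd-control

# validity period for certificates, in days
DAYS=7200

# size of the RSA keys in bits
BITS=3072

# hash algorithm used for the certificate signatures
HASH=sha256

# base name for nsd server keys
SVR_BASE=nsd_server

# base name for nsd-control keys
CTL_BASE=nsd_control

# we want -rw-r----- (0640) access on the files created below (say you run
# this as root: the group (server) may read, all others may not).
umask 0026

# end of options

# functions:

# error MESSAGE - report a fatal error on stderr and exit with status 1.
# Diagnostics go to stderr so they are not mixed into captured stdout.
error ( ) {
	echo "$0 fatal error: $1" >&2
	exit 1
}

# check arguments:
while test $# -ne 0; do
	case "$1" in
	-d)
		# $# still counts the -d flag itself, so 1 means no value follows it
		if test $# -eq 1; then error "need argument for -d"; fi
		DESTDIR="$2"
		shift
		;;
	*)
		# any other argument (including -h) prints usage and fails
		echo "nsd-control-setup.sh - setup SSL keys for nsd-control" >&2
		echo " -d dir use directory to store keys and certificates." >&2
		echo " default: $DESTDIR" >&2
		exit 1
		;;
	esac
	shift
done

# go!:
echo "setup in directory $DESTDIR"
cd "$DESTDIR" || error "could not cd to $DESTDIR"

# create certificate keys; do not recreate if they already exist.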
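if test -f "$SVR_BASE.key"; then
	echo "$SVR_BASE.key exists"
else
	echo "generating $SVR_BASE.key"
	openssl genrsa -out "$SVR_BASE.key" "$BITS" || error "could not genrsa"
fi
if test -f "$CTL_BASE.key"; then
	echo "$CTL_BASE.key exists"
else
	echo "generating $CTL_BASE.key"
	openssl genrsa -out "$CTL_BASE.key" "$BITS" || error "could not genrsa"
fi

# create self-signed cert for server
# The request config is rewritten once per certificate; only commonName
# differs. Checking cat's exit status (rather than test -f afterwards)
# also catches a partially written file.
cat >request.cfg <<EOF || error "could not create request.cfg"
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name

[req_distinguished_name]
commonName=$SERVERNAME
EOF

echo "create $SVR_BASE.pem (self signed certificate)"
openssl req -key "$SVR_BASE.key" -config request.cfg -new -x509 -days "$DAYS" -out "$SVR_BASE.pem" || error "could not create $SVR_BASE.pem"
# create trusted usage pem; it acts as the CA when signing the client cert below
openssl x509 -in "$SVR_BASE.pem" -addtrust serverAuth -out "${SVR_BASE}_trust.pem" || error "could not create ${SVR_BASE}_trust.pem"

# create client request and sign it, piped
cat >request.cfg <<EOF || error "could not create request.cfg"
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name

[req_distinguished_name]
commonName=$CLIENTNAME
EOF

echo "create $CTL_BASE.pem (signed client certificate)"
# Test the exit status of the signing step itself: a file-exists check on
# its own would accept an empty or stale $CTL_BASE.pem left by an earlier
# run. Under POSIX sh the pipeline status is that of the last stage, which
# fails when the request piped into it is missing or malformed.
if ! openssl req -key "$CTL_BASE.key" -config request.cfg -new | openssl x509 -req -days "$DAYS" -CA "${SVR_BASE}_trust.pem" -CAkey "$SVR_BASE.key" -CAcreateserial "-$HASH" -out "$CTL_BASE.pem"; then
	error "could not create $CTL_BASE.pem"
fi
test -f "$CTL_BASE.pem" || error "could not create $CTL_BASE.pem"
# create trusted usage pem
# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"

# see details with openssl x509 -noout -text < $SVR_BASE.pem
# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
# echo "preferences - advanced - encryption - view certificates - your certs"
# echo "empty password is used, simply click OK on the password dialog box."
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "nsd remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"

# remove unused permissions
# The umask above already yields 0640 for files created in this run; this
# also tightens keys that pre-existed and were created under a looser umask.
chmod o-rw "$SVR_BASE.pem" "$SVR_BASE.key" "$CTL_BASE.pem" "$CTL_BASE.key" || error "could not set permissions on keys and certificates"

# remove temporary files (request config, trust copy, CA serial file)
rm -f request.cfg
rm -f "${CTL_BASE}_trust.pem" "${SVR_BASE}_trust.pem" "${SVR_BASE}_trust.srl"

echo "Setup success. Certificates created. Enable in nsd.conf file to use"

exit 0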