unbound-control-setup.sh.in revision 269257
1255592Sdes#!/bin/sh 2255592Sdes# 3255592Sdes# unbound-control-setup.sh - set up SSL certificates for unbound-control 4255592Sdes# 5255592Sdes# Copyright (c) 2008, NLnet Labs. All rights reserved. 6255592Sdes# 7255592Sdes# This software is open source. 8255592Sdes# 9255592Sdes# Redistribution and use in source and binary forms, with or without 10255592Sdes# modification, are permitted provided that the following conditions 11255592Sdes# are met: 12255592Sdes# 13255592Sdes# Redistributions of source code must retain the above copyright notice, 14255592Sdes# this list of conditions and the following disclaimer. 15255592Sdes# 16255592Sdes# Redistributions in binary form must reproduce the above copyright notice, 17255592Sdes# this list of conditions and the following disclaimer in the documentation 18255592Sdes# and/or other materials provided with the distribution. 19255592Sdes# 20255592Sdes# Neither the name of the NLNET LABS nor the names of its contributors may 21255592Sdes# be used to endorse or promote products derived from this software without 22255592Sdes# specific prior written permission. 23255592Sdes# 24255592Sdes# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25269257Sdes# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26269257Sdes# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27269257Sdes# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28269257Sdes# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29269257Sdes# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 30269257Sdes# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 31269257Sdes# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 32269257Sdes# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 33269257Sdes# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 34269257Sdes# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35255592Sdes 36255592Sdes# settings: 37255592Sdes 38255592Sdes# directory for files 39255592Sdesprefix=@prefix@ 40255592SdesDESTDIR=@sysconfdir@/unbound 41255592Sdes 42255592Sdes# issuer and subject name for certificates 43255592SdesSERVERNAME=unbound 44255592SdesCLIENTNAME=unbound-control 45255592Sdes 46255592Sdes# validity period for certificates 47255592SdesDAYS=7200 48255592Sdes 49255592Sdes# size of keys in bits 50255592SdesBITS=1536 51255592Sdes 52255592Sdes# hash algorithm 53255592SdesHASH=sha256 54255592Sdes 55255592Sdes# base name for unbound server keys 56255592SdesSVR_BASE=unbound_server 57255592Sdes 58255592Sdes# base name for unbound-control keys 59255592SdesCTL_BASE=unbound_control 60255592Sdes 61255595Sdes# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). 62255595Sdesumask 0027 63255592Sdes 64255592Sdes# end of options 65255592Sdes 66255592Sdes# functions: 67255592Sdeserror ( ) { 68255592Sdes echo "$0 fatal error: $1" 69255592Sdes exit 1 70255592Sdes} 71255592Sdes 72255592Sdes# check arguments: 73255592Sdeswhile test $# -ne 0; do 74255592Sdes case $1 in 75255592Sdes -d) 76255592Sdes if test $# -eq 1; then error "need argument for -d"; fi 77255592Sdes DESTDIR="$2" 78255592Sdes shift 79255592Sdes ;; 80255592Sdes *) 81255592Sdes echo "unbound-control-setup.sh - setup SSL keys for unbound-control" 82255592Sdes echo " -d dir use directory to store keys and certificates." 83255592Sdes echo " default: $DESTDIR" 84255592Sdes echo "please run this command using the same user id that the " 85255592Sdes echo "unbound daemon uses, it needs read privileges." 86255592Sdes exit 1 87255592Sdes ;; 88255592Sdes esac 89255592Sdes shift 90255592Sdesdone 91255592Sdes 92255592Sdes# go!: 93255592Sdesecho "setup in directory $DESTDIR" 94255592Sdescd "$DESTDIR" || error "could not cd to $DESTDIR" 95255592Sdes 96255592Sdes# create certificate keys; do not recreate if they already exist. 97255592Sdesif test -f $SVR_BASE.key; then 98255592Sdes echo "$SVR_BASE.key exists" 99255592Sdeselse 100255592Sdes echo "generating $SVR_BASE.key" 101255592Sdes openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa" 102255592Sdesfi 103255592Sdesif test -f $CTL_BASE.key; then 104255592Sdes echo "$CTL_BASE.key exists" 105255592Sdeselse 106255592Sdes echo "generating $CTL_BASE.key" 107255592Sdes openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa" 108255592Sdesfi 109255592Sdes 110255592Sdes# create self-signed cert for server 111255592Sdescat >request.cfg <<EOF 112255592Sdes[req] 113255592Sdesdefault_bits=$BITS 114255592Sdesdefault_md=$HASH 115255592Sdesprompt=no 116255592Sdesdistinguished_name=req_distinguished_name 117255592Sdes 118255592Sdes[req_distinguished_name] 119255592SdescommonName=$SERVERNAME 120255592SdesEOF 121255592Sdestest -f request.cfg || error "could not create request.cfg" 122255592Sdes 123255592Sdesecho "create $SVR_BASE.pem (self signed certificate)" 124255592Sdesopenssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" 125255592Sdes# create trusted usage pem 126255592Sdesopenssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" 127255592Sdes 128255592Sdes# create client request and sign it, piped 129255592Sdescat >request.cfg <<EOF 130255592Sdes[req] 131255592Sdesdefault_bits=$BITS 132255592Sdesdefault_md=$HASH 133255592Sdesprompt=no 134255592Sdesdistinguished_name=req_distinguished_name 135255592Sdes 136255592Sdes[req_distinguished_name] 137255592SdescommonName=$CLIENTNAME 138255592SdesEOF 139255592Sdestest -f request.cfg || error "could not create request.cfg" 140255592Sdes 141255592Sdesecho "create $CTL_BASE.pem (signed client certificate)" 142255592Sdesopenssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem 143255592Sdestest -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" 144255592Sdes# create trusted usage pem 145255592Sdes# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" 146255592Sdes 147255592Sdes# see details with openssl x509 -noout -text < $SVR_BASE.pem 148255592Sdes# echo "create $CTL_BASE""_browser.pfx (web client certificate)" 149255592Sdes# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" 150255592Sdes# echo "preferences - advanced - encryption - view certificates - your certs" 151255592Sdes# echo "empty password is used, simply click OK on the password dialog box." 152255592Sdes# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" 153255592Sdes 154255592Sdes# remove unused permissions 155255592Sdeschmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key 156255592Sdes 157255592Sdes# remove crap 158255592Sdesrm -f request.cfg 159255592Sdesrm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl" 160255592Sdes 161255592Sdesecho "Setup success. Certificates created. Enable in unbound.conf file to use" 162255592Sdes 163255592Sdesexit 0 164