1#!/bin/sh
2#
3# unbound-control-setup.sh - set up SSL certificates for unbound-control
4#
5# Copyright (c) 2008, NLnet Labs. All rights reserved.
6#
7# This software is open source.
8# 
9# Redistribution and use in source and binary forms, with or without
10# modification, are permitted provided that the following conditions
11# are met:
12# 
13# Redistributions of source code must retain the above copyright notice,
14# this list of conditions and the following disclaimer.
15# 
16# Redistributions in binary form must reproduce the above copyright notice,
17# this list of conditions and the following disclaimer in the documentation
18# and/or other materials provided with the distribution.
19# 
20# Neither the name of the NLNET LABS nor the names of its contributors may
21# be used to endorse or promote products derived from this software without
22# specific prior written permission.
23# 
24# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
27# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
28# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
30# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
31# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
32# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
33# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
34# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35
36# settings:
37
38# directory for files
39DESTDIR=/var/unbound
40
41# issuer and subject name for certificates
42SERVERNAME=unbound
43CLIENTNAME=unbound-control
44
45# validity period for certificates
46DAYS=7200
47
48# size of keys in bits
49BITS=3072
50
51# hash algorithm
52HASH=sha256
53
54# base name for unbound server keys
55SVR_BASE=unbound_server
56
57# base name for unbound-control keys
58CTL_BASE=unbound_control
59
60# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
61umask 0027
62
63# end of options
64
65# functions:
66error ( ) {
67	echo "$0 fatal error: $1"
68	exit 1
69}
70
71# check arguments:
72while test $# -ne 0; do
73	case $1 in
74	-d)
75	if test $# -eq 1; then error "need argument for -d"; fi
76	DESTDIR="$2"
77	shift
78	;;
79	*)
80	echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
81	echo "	-d dir	use directory to store keys and certificates."
82	echo "		default: $DESTDIR"
83	echo "please run this command using the same user id that the "
84	echo "unbound daemon uses, it needs read privileges."
85	exit 1
86	;;
87	esac
88	shift
89done
90
91# go!:
92echo "setup in directory $DESTDIR"
93cd "$DESTDIR" || error "could not cd to $DESTDIR"
94
95# create certificate keys; do not recreate if they already exist.
96if test -f $SVR_BASE.key; then
97	echo "$SVR_BASE.key exists"
98else
99	echo "generating $SVR_BASE.key"
100	openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa"
101fi
102if test -f $CTL_BASE.key; then
103	echo "$CTL_BASE.key exists"
104else
105	echo "generating $CTL_BASE.key"
106	openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa"
107fi
108
109# create self-signed cert for server
110echo "[req]" > request.cfg
111echo "default_bits=$BITS" >> request.cfg
112echo "default_md=$HASH" >> request.cfg
113echo "prompt=no" >> request.cfg
114echo "distinguished_name=req_distinguished_name" >> request.cfg
115echo "" >> request.cfg
116echo "[req_distinguished_name]" >> request.cfg
117echo "commonName=$SERVERNAME" >> request.cfg
118
119test -f request.cfg || error "could not create request.cfg"
120
121echo "create $SVR_BASE.pem (self signed certificate)"
122openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
123# create trusted usage pem
124openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
125
126# create client request and sign it, piped
127echo "[req]" > request.cfg
128echo "default_bits=$BITS" >> request.cfg
129echo "default_md=$HASH" >> request.cfg
130echo "prompt=no" >> request.cfg
131echo "distinguished_name=req_distinguished_name" >> request.cfg
132echo "" >> request.cfg
133echo "[req_distinguished_name]" >> request.cfg
134echo "commonName=$CLIENTNAME" >> request.cfg
135
136test -f request.cfg || error "could not create request.cfg"
137
138echo "create $CTL_BASE.pem (signed client certificate)"
139openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
140test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
141# create trusted usage pem
142# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
143
144# see details with openssl x509 -noout -text < $SVR_BASE.pem
145# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
146# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
147# echo "preferences - advanced - encryption - view certificates - your certs"
148# echo "empty password is used, simply click OK on the password dialog box."
149# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
150
151# set desired permissions
152chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
153
154# remove crap
155rm -f request.cfg
156rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"
157
158echo "Setup success. Certificates created. Enable in unbound.conf file to use"
159
160exit 0
161