# $Id: openvas-mkcert.in 1214 2008-08-25 08:45:51Z mwiegand $
# Description: shellscript that creates the OpenVAS SSL certificate.
# Authors: - Renaud Deraison <deraison@nessus.org> (Original pre-fork development)
# - Michel Arboi <arboi@alussinan.org> (Original pre-fork development)
# - Tim Brown <mailto:timb@openvas.org> (Initial fork)
# - Laban Mwangi <mailto:labanm@openvas.org> (Renaming work)
# - Tarik El-Yassem <mailto:tarik@openvas.org> (Headers section)
# Portions Copyright (C) 2006 Software in the Public Interest, Inc.
# Based on work Copyright (C) 1998 - 2006 Tenable Network Security, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
sysconfdir=@sysconfdir@
localstatedir=@localstatedir@
sharedstatedir=@sharedstatedir@
sbindir=@exec_prefix@/sbin
bindir=@exec_prefix@/bin
RANDFLAG="-rand $egdpath"
PATH=$PATH:$sbindir:$bindir:/usr/ssl/bin:/usr/local/ssl/bin:/opt/ssl/bin
# check if gettext is present
if [ -f /usr/bin/gettext.sh ];
export TEXTDOMAIN=nessus-scripts
export TEXTDOMAINDIR=@datadir@/locale
# define dummy functions
eval_gettext_var="echo $1"
echo $Xn "`eval $eval_gettext_var` " $Xc
test "$1" = "-q" && QUIET=y
echo "-------------------------------------------------------------------------------"
gettext " Creation of the OpenVAS SSL Certificate"; echo
echo "-------------------------------------------------------------------------------"
case `id 2>/dev/null` in
$sbindir/openvasd -g || {
gettext "Executing openvasd failed. Make sure your library loader is configured properly and that openvasd is in your \$PATH."; echo
gettext "Only root can use openvas-mkcert."; echo
case `openssl version` in
gettext "OpenSSL is not properly installed: The 'openssl' command line utility could not be found (is your \$PATH set properly?)"; echo
OPENVASPRIV="@OPENVASD_STATEDIR@/private/CA"
OPENVASPUB="@OPENVASD_SHAREDSTATEDIR@/CA"
if [ ! -d "$OPENVASPRIV" ]; then
mkdir -p "$OPENVASPRIV"
chmod 0700 "$OPENVASPRIV"
echo "$OPENVASPRIV `gettext "created"`"
if [ ! -d "$OPENVASPUB" ]; then
mkdir -p "$OPENVASPUB"
chmod a+rx "$OPENVASPUB"
echo "$OPENVASPUB `gettext "created"`"
if [ -z "$HOME" ]; then
gettext "\$HOME should be defined." 1>&2; echo; exit 1
# If EGD is not installed, we have to rely on other sources
test -z "$RANDFLAG" -a -z "$RANDFILE" &&
# Reached when neither an EGD socket nor RANDFILE is available (see the
# preceding test): make sure some entropy source exists before openssl is
# invoked. $HOME is unquoted here and `-a` is a deprecated test operator;
# `[ ! -r /dev/random ] && [ ! -r /dev/urandom ] && [ ! -r "$HOME/.rnd" ]`
# is the portable, quoted form.
if [ ! -r /dev/random -a ! -r /dev/urandom -a ! -r $HOME/.rnd ];
gettext "You do not have any suitable random source."; echo
gettext "You will be asked to type a few random keys on your keyboard to generate random bytes."; echo
# Fallback entropy: have openvas-mkrand build a seed file at $HOME/.rnd, the
# same path the generated openssl.cnf below assigns to RANDFILE (1024 is
# presumably the byte count — openvas-mkrand itself is not visible here).
# $HOME should be quoted.
openvas-mkrand $HOME/.rnd 1024
gettext "Press [ENTER] to continue..."; echo
# Scratch directory for the CA database, the server CSR and the openssl log.
# The name is derived from the PID, so it is predictable to other users of
# the shared temp directory. The plain `mkdir $BASEDIR || exit 1` that
# follows refuses an existing path (a pre-created entry is never silently
# reused) but then aborts the whole run; `mktemp -d` would avoid both.
BASEDIR=${TMPDIR-/tmp}/openvas-mkcert.$$
mkdir $BASEDIR || exit 1
CAKEY=$OPENVASPRIV/cakey.pem
CACERT=$OPENVASPUB/cacert.pem
SRVKEY=$OPENVASPRIV/serverkey.pem
SRVREQ=$BASEDIR/serverreq.pem
SRVCERT=$OPENVASPUB/servercert.pem
# The client part will be implemented later on...
#cln CLNKEY=$BASEDIR/clientkey.pem
#cln CLNREQ=$BASEDIR/clientreq.pem
#cln CLNCERT=$BASEDIR/clientcert.pem
gettext "This script will now ask you the relevant information to create the SSL certificate of OpenVAS."; echo
gettext "Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information."; echo
gettext "CA certificate life time in days [1460]: "; read x
CACERT_LIFETIME=${x:-1460}
gettext "Server certificate life time in days [365]: "; read x
SRVCERT_LIFETIME=${x:-365}
#cln echo_no_nl "Client certificate life time in days [365]:"; read x
#cln CLNCERT_LIFETIME=${x:-365}
if [ ! -z "$LANG" ]; then
DC=`echo $LANG | sed -n 's/^..*_\(..\)$/\1/p'`
# Default country = France
# Too bad for you, but quicker for my tests!
eval_gettext "Your country \${Bo}two letter code\${Bc} [\$X]: "; read x
gettext "Your state or province name [none]: "; read x
X=Paris; eval_gettext "Your location \${Bo}e.g. town\${Bc} [\$X]: "; read x
X="OpenVAS Users United"; eval_gettext "Your organization [\$X]: "; read x
ORGANIZATION=${x:-$X}
# X="Test unit"; echo_no_nl "Your organization unit [$X]:"; read x
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="365"
ORGANIZATION="OpenVAS Users United"
# Write the OpenSSL configuration template. Shell variables ($HOME, $BASEDIR,
# $CACERT, $CAKEY) are expanded here; the escaped "\$dir" references are left
# for OpenSSL to resolve, and NSCERTTYPE is a placeholder the two sed calls
# after the here-document replace with "server" / "client".
# NOTE(review): the template pins `default_md = md5` for the CA section, i.e.
# the digest used when `openssl ca` signs the server certificate. MD5 is no
# longer collision resistant and current TLS stacks reject MD5-signed
# certificates, so this should be `default_md = sha256`.
cat <<EOF>$BASEDIR/std000.cnf
RANDFILE = $HOME/.rnd
default_ca = OpenVASCA
dir = $BASEDIR # Where everything is kept
certs = \$dir # Where the issued certs are kept
crl_dir = \$dir # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir # default place for new certs.
certificate = $CACERT # The CA certificate
serial = \$dir/serial # The current serial number
crl = \$dir/crl.pem # The current CRL
private_key = $CAKEY # The private key
x509_extensions = usr_cert # The extentions to add to the cert
crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
distinguished_name = req_distinguished_name
# attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
emailAddress = Email Address
emailAddress_max = 255
# SET-ex3 = SET extension number 3
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType = NSCERTTYPE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
# Copy subject details
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
sed 's/NSCERTTYPE/server/g' < $BASEDIR/std000.cnf > $BASEDIR/std.cnf
sed 's/NSCERTTYPE/client/g' < $BASEDIR/std000.cnf > $BASEDIR/stdC.cnf
if [ -z "$hostname" ];
gettext "An error occured while trying to determine hostname!"; echo
# The value for organizationalUnitName must be 64 chars or less;
# thus, hostname must be 36 chars or less. If it's too big,
# try removing the domain part.
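# Length of the hostname in characters; the comparison that follows uses it
# to keep organizationalUnitName within OpenSSL's 64-character limit.
# ${#hostname} replaces `echo $hostname | wc -c`, which also counted the
# trailing newline (a 36-character name came out as 37 and was needlessly
# truncated), word-split the unquoted expansion, and depended on wc's
# output format.
hostname_len=${#hostname}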
if [ $hostname_len -gt 36 ];
hostname=`echo $hostname | cut -d '.' -f 1`
#cln CLNMAIL=nessus@$hostname
SRVMAIL=openvasd@$hostname
echo 01 > $BASEDIR/serial
touch $BASEDIR/index.txt
# Generate the CA private key. $CAKEY lives under $OPENVASPRIV, which is
# created with mode 0700 above; openssl's stderr starts the log that the
# later openssl steps append to. $RANDFLAG is intentionally unquoted so an
# empty value expands to nothing rather than to an empty argument.
# NOTE(review): 1024-bit RSA (here and for the server key generated below)
# has been deprecated for signature use since 2013 and is below the
# 2048-bit minimum that current OpenSSL security levels accept; the size is
# a literal and can be raised without touching the rest of the script.
# Whether openssl creates the key file 0600 or via umask is not visible
# here — confirm before relying on the directory mode alone.
openssl genrsa $RANDFLAG -out $CAKEY 1024 2> $BASEDIR/openssl-log
Certification Authority for $hostname
openssl req -config $BASEDIR/std.cnf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $BASEDIR/openssl-log
openssl genrsa $RANDFLAG -out $SRVKEY 1024 2>> $BASEDIR/openssl-log
# Server certificate "request"
Server certificate for $hostname
openssl req -config $BASEDIR/std.cnf -new -key $SRVKEY -out $SRVREQ 2>> $BASEDIR/openssl-log
# Sign the server certificate
openssl ca -config $BASEDIR/std.cnf -name OpenVASCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $BASEDIR/openssl-log
#cln openssl genrsa -out $CLNKEY 1024
#cln # Client certificate "request"
#cln Client certificate for $hostname
#cln openssl req -config $BASEDIR/stdC.cnf -new -key $CLNKEY -out $CLNREQ
#cln # Sign the client certificate
#cln openssl ca -config $BASEDIR/stdC.cnf -name OpenVASCA -batch -days $CLNCERT_LIFETIME -in $CLNREQ -out $CLNCERT
# Certificates are public material and are made world-readable. The private
# keys ($CAKEY, $SRVKEY) are deliberately left alone and rely on the 0700
# mode of $OPENVASPRIV. Note that the chmod 0700 above only runs when that
# directory is freshly created, so a pre-existing directory keeps whatever
# mode it already had.
chmod a+r $CACERT $SRVCERT #cln $CLNCERT
CF=@sysconfdir@/openvas/openvasd.conf
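# Strip any existing TLS settings from openvasd.conf into a staging copy;
# the new values are appended to "$CF.tmp" below, and it is only moved over
# "$CF" once the generated key and certificate files are all non-empty.
# `grep -E` replaces the deprecated egrep alias with identical semantics.
grep -E -v '^ *(pem_password|cert_file|key_file|ca_file|force_pubkey_auth) *=' "$CF" > "$CF.tmp"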
# Added by openvas-mkcert
# If you decide to protect your private key with a password,
# uncomment and change next line
# pem_password=password
# If you want to force the use of a client certificate, uncomment next line
# force_pubkey_auth = yes" >> "$CF.tmp"
test -z "$QUIET" && header
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
test -z "$QUIET" && gettext "Congratulations. Your server certificate was properly created."; echo
mv -f "$CF.tmp" "$CF"
test -z "$QUIET" && {
eval_gettext "\$CF updated"; echo
#cln echo "Your client certificates are in $BASEDIR
#cln You will have to copy them by hand
gettext "The following files were created:"; echo
gettext ". Certification authority:"; echo
eval_gettext " Certificate = \$CACERT"; echo
eval_gettext " Private key = \$CAKEY"; echo
gettext ". OpenVAS Server : "; echo
eval_gettext " Certificate = \$SRVCERT"; echo
eval_gettext " Private key = \$SRVKEY"; echo
#cln ***** OpenVAS client *****
#cln Certificate = $CLNCERT
#cln Private key = $CLNKEY
gettext "An error occured while generating the certificates and/or keys!"; echo
echo_no_nl "`gettext "Do you want to save openssl output in a file for further analysis? (y/n) [y] "`" $Xc
test -z "$n" -o "$n" = `gettext "y"` && {
eval_gettext "Where should I save this file? [\$HOME/openssl-output] "
test -z "$n" && n="$HOME/openssl-output"
cp "$BASEDIR"/openssl-log "$n"
gettext "Press [ENTER] to exit"; echo; read x
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];