#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
#
# MMS SSL Self-Signed Certificate Authority
#
umask 066
# NOTE(review): with this umask, files created below are mode 0600 and
# directories 0711 unless a later chmod widens them; the pass phrase and
# private key files rely on it.
# Now setup directories
DIR=
# DSA Parameters Prime Number Bit Length
PRIME_BITS=2048
# NOTE(review): despite the "DSA" wording, the visible text only uses
# PRIME_BITS as the RSA key size ("rsa:$PRIME_BITS"); the DH parameter size
# in dh_pem is a separate hard-coded 1024.
# User
USER=""
# NOTE(review): this overwrites the login-name variable USER for the rest of
# the script; if the caller's environment exports USER, child processes such
# as openssl inherit the overwritten value — confirm that is intended.
MMS_USER="mms"
# Root files (CA)
PASSWD_FILE="$CADIR/$MMS_USER""_ca_pass"
# NOTE(review): CADIR is not assigned anywhere in the visible text; if it is
# unset at this point PASSWD_FILE resolves to "/mms_ca_pass" — confirm
# against the original file.
{
# NOTE(review): the function name and the "if" closed by the "fi" below are
# missing from the visible text; the message suggests a privilege check that
# exits 1 when the caller is not root. Confirm against the original file.
echo "Error, you must be root to run this script."
exit 1
fi
}
{
# Writes a generated pass phrase to the file named by $1.
# NOTE(review): the function name, the "if" matching the "fi" below and
# whatever feeds "openssl base64" are absent from the visible text; as shown,
# base64 would read its input from stdin, so the source of randomness cannot
# be confirmed here. The file is created under the script's umask 066, i.e.
# mode 0600, which is what a pass phrase file needs.
pass_file="$1"
echo
echo "Generate private key password phrase"
openssl base64 > "$pass_file"
exit 1
fi
}
# setup mms as ca (certificate authority)
{
# Initialises the CA working files. NOTE(review): the function name and the
# statements that the surviving comments describe (serial number, certificate
# database, new-certs directory, random pass phrase) are missing from the
# visible text; only the "$?" tests and error exits remain. Confirm against
# the original file before relying on this listing.
echo
echo "Initialize certificate authority"
# certificate serial number
exit 1
fi
# certificate database
exit 1
fi
# new certs dir
if [ $? -ne 0 ]; then
exit 1
fi
if [ $? -ne 0 ]; then
exit 1
fi
# ca random password phrase
}
# generate crl (certificate revocation list) file
{
# Regenerates the CRL with the CA pass phrase and publishes it.
# NOTE(review): the function name, the initial "cmd=openssl ..." assignment,
# the line that executes $cmd, and the publish/reload commands are missing
# from the visible text; as shown the "$?" tests check "echo", not openssl.
echo
echo "Update CRL"
# pass phrase comes from a file, so it does not appear in argv or ps output
cmd="$cmd -passin file:$PASSWD_FILE"
echo $cmd
if [ $? -ne 0 ]; then
exit 1
fi
# publish the list, let everyone read the file
if [ $? -ne 0 ]; then
exit 1
fi
# tell mm to reload updated crl
}
# compute public shared prime number p and generator g
dh_pem()
{
# Writes Diffie-Hellman parameters to $MMS_DH1024 and restricts it to 0600.
# NOTE(review): "-5 1024" asks for generator 5 and a 1024-bit prime; 1024-bit
# DH groups are below current guidance (2048 bits or more) — consider sizing
# them like the RSA keys. No line in the visible text runs $cmd, so the "$?"
# test after "echo $cmd" checks echo; confirm against the original file.
# MMS_DH1024 is not assigned in the visible text.
echo
echo "Generate Diffie-Hellman parameters"
cmd="openssl dhparam -check -5 1024 -out $MMS_DH1024 -outform PEM"
echo $cmd
if [ $? -ne 0 ]; then
exit 1
fi
chmod 0600 $MMS_DH1024
if [ $? -ne 0 ]; then
exit 1
fi
}
# rsa private key
rsa_key()
{
# Creates a triple-DES-encrypted RSA private key at $1; the pass phrase is
# read from PASSWD_FILE rather than passed on the command line.
# NOTE(review): no key size is passed to genrsa, so the key length is
# openssl's version-dependent default rather than PRIME_BITS — consider
# appending "$PRIME_BITS" to the command. The message mentions a SHA-1
# signature, but nothing is signed here. No line in the visible text runs
# $cmd (the "$?" test checks echo); confirm against the original file.
rsa_key_file="$1"
echo
echo "Create RSA certificate with SHA-1 signature"
cmd="openssl genrsa -out $rsa_key_file -des3"
cmd="$cmd -passout file:$PASSWD_FILE"
echo $cmd
if [ $? -ne 0 ]; then
exit 1
fi
}
# generate self signed root certificate and private key
rsa_cert()
{
# Creates the self-signed CA certificate ($ROOT_CERT), keeps it 0600, and
# publishes a readable copy ($ROOT_CERT_PUB).
echo
echo "Generate self-signed certificate authority"
# use openssl's built-in defaults instead of any OPENSSL_CONF from the caller
unset -v OPENSSL_CONF
# gen self signed ca certificate
# NOTE(review): no -keyout, -days or digest option is given, so the private
# key location, validity period and signature digest are openssl's defaults
# and vary by version — worth pinning explicitly. No line in the visible
# text runs $cmd, so the "$?" test checks echo; confirm against the original.
cmd="openssl req -x509 -newkey rsa:$PRIME_BITS -out $ROOT_CERT"
cmd="$cmd -passout file:$PASSWD_FILE"
echo $cmd
if [ $? -ne 0 ]; then
exit 1
fi
chmod 0600 "$ROOT_CERT"
if [ $? -ne 0 ]; then
exit 1
fi
# NOTE(review): ROOT_PEM is not assigned in the visible text; because it is
# unquoted, an empty value reduces this to "[ ! -f ]", which is false, so the
# existence check would silently pass. Quote it: [ ! -f "$ROOT_PEM" ].
if [ ! -f $ROOT_PEM ]; then
exit 1
fi
# put ca certificate in public directory
# (the copy command itself is missing from the visible text)
if [ $? -ne 0 ]; then
exit 1
fi
# let everyone read public ca certificate
# NOTE(review): 0440 grants read to owner and group only, not to everyone;
# either the comment or the mode is off.
chmod 0440 $ROOT_CERT_PUB
if [ $? -ne 0 ]; then
exit 1
fi
# view certificate info
# initialize cert revocation list
}
{
# Generates a client certificate request (and key) for a user.
# NOTE(review): the function name, the "if" matching the final "fi", the
# assignments of pass_file/key/req, and the line executing $cmd are missing
# from the visible text; confirm against the original file.
dir=$1
mess=$2
echo
if [ $? -ne 0 ]; then
exit 1
fi
# user password phrase
# filenames
# use default openssl configuration for certificate request
unset -v OPENSSL_CONF
# generate certificate request
# NOTE(review): -sha1 selects a SHA-1 signature on the request; current CAs
# and TLS stacks reject SHA-1 signatures, so sha256 is the usual minimum.
# The key pass phrase is supplied via a file, keeping it out of argv.
cmd="openssl req -newkey rsa:$PRIME_BITS -keyout $key -keyform PEM"
cmd="$cmd -out $req -outform PEM -sha1 -passout file:$pass_file"
echo $cmd
if [ $? -ne 0 ]; then
exit 1
fi
echo
echo
echo
echo "Certificate request: $req"
echo "Private key: $key"
echo "Private key password: $pass_file"
echo
echo "Email certificate request file to MMS CA for signing."
echo
fi
}
ca_sign()
{
# The CA signs a user's certificate request; when the user's private key is
# present locally the combined PEM is assembled, otherwise delivery
# instructions are printed.
# NOTE(review): the req/cert/key/pem filename assignments, the line executing
# $cmd, and the command that builds the combined file are not in the visible
# text; confirm against the original file.
echo
echo "Sign certificate request"
# filenames
# root signs client certificate request
# NOTE(review): "-md sha1" issues SHA-1-signed certificates, which current
# TLS implementations reject; sha256 is the usual minimum today.
cmd="openssl ca -in $req -out $cert -notext -cert $ROOT_CERT"
cmd="$cmd -config $ROOT_CNF -md sha1 -passin file:$PASSWD_FILE"
echo $cmd
if [ $? -ne 0 ]; then
exit 1
fi
if [ -f $key ]; then
# combine certificate, private key and public root certificate
# (the combined file contains the private key; no chmod is visible, so its
# mode presumably comes from the umask 066 set at the top — verify)
if [ $? -ne 0 ]; then
echo "Error, create $pem"
else
echo
# "\n" is only expanded by an echo that honours backslash escapes
echo "The combined certificate, private key and CA certificate file\n$pem"
echo
fi
else
# remote user without access to ssl public directory
echo
echo "Use the distinguished name email address to deliver"
echo "the following files to the user:"
echo "\t$cert"
echo "\t$ROOT_CERT_PUB"
echo
echo "Instruct the user to do the following:"
# NOTE(review): user_cert, user_key and root_cert are not assigned in the
# visible text, so this instruction may print with empty file names.
echo "\tcat $user_cert $user_key $root_cert > $USER.pem"
echo
fi
}
# revoke client's certificate
{
# Revokes a user's certificate with the CA key and refreshes the CRL.
# NOTE(review): the function name, the initial "cmd=openssl ca ..."
# assignment (presumably with -revoke), the line executing $cmd and the CRL
# update call are missing from the visible text; the "$?" test below
# appears to check echo, not openssl.
echo "Revoke certificate"
# filename
# revoke certificate
cmd="$cmd -passin file:$PASSWD_FILE"
echo $cmd
if [ $? -ne 0 ]; then
exit 1
fi
# add revoked cert to the list
}
{
# NOTE(review): the function name and the "if" (apparently a test that a user
# name was supplied) closed by the "fi" below are missing from the visible
# text; confirm against the original file.
echo "Error, missing user name."
exit 1
fi
}
usage()
{
# Prints the command summary and examples, then exits with status 2.
# NOTE(review): the "\t" and "\\" sequences rely on an echo that interprets
# backslash escapes (Solaris /bin/sh does; bash's builtin echo does not
# without -e). The bare line `"files to the user."` below is not an echo —
# as written the shell would try to execute it as a command; the preceding
# echo line appears to have been lost, confirm against the original file.
# The "[-v] [-n]" flags shown here are not in the getopts string used by
# main ("csru:d:").
echo "usage: mmsssl.sh [ ca | req | crl ] [-v] [-n]"
echo
echo "mmsssl.sh ca -c configure mms ca"
echo "mmsssl.sh ca -s -u user_name sign certificate request"
echo "mmsssl.sh ca -r -u user_name revoke certificate"
echo "mmsssl.sh req -u user_name [-d path] certificate request"
echo "mmsssl.sh crl revoked certificate list"
echo
echo "Examples:"
echo "1. Create the MMS CA and MM RSA certificates:"
echo "\t% mmsssl.sh ca -c"
echo "\tRun the command only once on the host where the MM will execute."
echo "\tDiffie-Hellman (DH) parameters are generated."
echo "\tYou will enter a DN (Distinguished Name) once for the CA and"
echo "\tonce for the MM certificate. You will sign the MM certificate"
echo "\tand commit the request."
echo
echo "2. MMS user certificate request:"
echo "\t% mmsssl.sh req -u JohnQPublic"
echo
echo "3. MMS CA signs user certificate request:"
echo "\t% cp JohnQPublic_req.pem \\"
echo "\t$PUBDIR/JohnQPublic_req.pem"
echo "\tCopy certificate request into the MMS CA for signing."
echo "\t% mmsssl.sh ca -s -u JohnQPublic"
echo "\tYou will sign the MM certificate and commit the request."
"files to the user."
echo
echo "4. MMS user creates single PEM file for MMS:"
echo "\t% cat JohnQPublic_cert.pem JohnQPublic_key.pem \\"
echo "\tmms_ca_cert.pem > JohnQPublic.pem"
echo
echo "5. MMS CA revokes user certificate:"
echo "\t% mmsssl.sh ca -r -u JohnQPublic"
echo "\tThe revoked certificate is added to the file"
echo "\t$PUBDIR/mms_crl.pem"
echo
echo "6. MMS CA reviews CRL (Certificate Revocation List):"
echo "\t% mmsssl.sh crl"
echo "\tLists revoked certificate serial numbers."
echo
echo "Notes:"
echo "1. user_name is one word i.e. John Q. Public is JohnQPublic"
echo "2. one-way authentication is where only the server is configured"
echo " with a RSA certificate."
echo "3. two-way authentication is when the server and client both have"
echo " a RSA certificate."
echo "4. MMS supports both one-way and two-way authentication."
echo "5. The MMS CA can use a certificate request made by a tool"
echo " other than this script."
echo "6. The crl.pem file contains the CRL for this MMS CA."
echo "7. The MM, Watcher, LM (Library Manager) and DM (Drive Manager)"
echo " can use the same certificate."
echo
exit 2
}
#
# Main
#
# Entry point: first argument selects the sub-command (ca | req | crl); the
# remaining flags are parsed with getopts.
# NOTE(review): several structural lines are missing from the visible text —
# the body of the "$# -eq 0" test (presumably a usage call), "case $opt in"
# after "do", "case $choice in" before "ca)", a nested "case $oper in" inside
# the ca) arm, and the "revoke)" label before the "-z $USER" test. The u) and
# d) arms set found=1 but no USER=$OPTARG / DIR=$OPTARG assignment is
# visible, and "found" is never tested in this listing. Confirm against the
# original file before treating this as the real control flow.
if [ $# -eq 0 ]; then
fi
choice=$1
oper=""
shift
found=0
while getopts "csru:d:" opt; do
found=0
c)
# setup mms ca
oper="configure"
found=1
;;
s)
# Create Signed Certificate on this host.
#
# On remote hosts its a two step process:
# 1. request certificate
# 2. CA signs certificate
oper="sign"
found=1
;;
r)
# Revoke Certificate
#
# Update the MM CA CRL and put on all remote hosts
# especially if you have one MM CA for multiple MMs.
oper="revoke"
found=1
;;
u)
# User Name
found=1
;;
d)
# User directory
found=1
;;
esac
fi
done
ca)
# setup non-root MMS client in /etc
# setup MMS CA
# sign mms certificate request
echo "Done"
;;
sign)
# sign certificate request
echo "Done"
;;
# revoke: refuse to proceed without a client user name
if [ -z "$USER" ]; then
echo "Error, missing client user name."
exit 1
fi
echo "Done"
;;
*) usage
;;
esac
;;
req)
# certificate request
# NOTE(review): the default-directory assignment for an empty DIR is missing;
# an empty "then" body is a syntax error in sh.
if [ "$DIR" = "" ]; then
fi
echo "Done"
;;
crl)
# show certificate revocation list
echo "Done"
;;
*) usage
;;
esac
exit 0