diff options
Diffstat (limited to 'raddb/certs/bootstrap')
| -rwxr-xr-x | raddb/certs/bootstrap | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap new file mode 100755 index 0000000..57de8cf --- /dev/null +++ b/raddb/certs/bootstrap @@ -0,0 +1,86 @@ +#!/bin/sh +# +# This is a wrapper script to create default certificates when the +# server first starts in debugging mode. Once the certificates have been +# created, this file should be deleted. +# +# Ideally, this program should be run as part of the installation of any +# binary package. The installation should also ensure that the permissions +# and owners are correct for the files generated by this script. +# +# $Id$ +# +umask 027 +cd `dirname $0` + +make -h > /dev/null 2>&1 + +# +# If we have a working "make", then use it. Otherwise, run the commands +# manually. +# +if [ "$?" = "0" ]; then + make all + exit $? +fi + +# +# The following commands were created by running "make -n", and edited +# to remove the trailing backslash, and to add "exit 1" after the commands. +# +# Don't edit the following text. Instead, edit the Makefile, and +# re-generate these commands. +# +if [ ! -f dh ]; then + openssl dhparam -out dh 2048 || exit 1 + if [ -e /dev/urandom ] ; then + ln -sf /dev/urandom random + else + date > ./random; + fi +fi + +if [ ! -f server.key ]; then + openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 + chmod g+r server.key +fi + +if [ ! -f ca.key ]; then + openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 +fi + +if [ ! -f index.txt ]; then + touch index.txt +fi + +if [ ! -f serial ]; then + echo '01' > serial +fi + +if [ ! -f server.crt ]; then + openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 +fi + +if [ ! -f server.p12 ]; then + openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 + chmod g+r server.p12 +fi + +if [ ! -f server.pem ]; then + openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 + openssl verify -CAfile ca.pem server.pem || exit 1 + chmod g+r server.pem +fi + +if [ ! -f ca.der ]; then + openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 +fi + +if [ ! -f client.key ]; then + openssl req -new -out client.csr -keyout client.key -config ./client.cnf + chmod g+r client.key +fi + +if [ ! -f client.crt ]; then + openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf +fi |