Commit 7004e5c0 authored by Janek Bevendorff's avatar Janek Bevendorff

Generate PEM file for server certificates

parent fecca189
......@@ -35,7 +35,7 @@ if [ "$CMD" == "issue" ]; then
DEFINE_boolean "no_password" false "Do not encrypt private key" "n"
DEFINE_boolean "overwrite" false "Overwrite existing certificates instead of incrementing filename (use with caution!)" "x"
DEFINE_string "csr" "" "CSR file (optional)" "i"
DEFINE_string "out" "/dev/stdout" "OpenVPN .ovpn config file to generate (optional)" "o"
DEFINE_string "out" "/dev/stdout" "OpenVPN .ovpn config or PEM file to generate (optional)" "o"
elif [ "$CMD" == "revoke" ]; then
DEFINE_string "cryfs_dir" "" "CryFS base dir containing the encrypted certificates." "d"
DEFINE_string "root_cn" "" "CN of the root certificate for signing (optional)" "r"
......@@ -217,22 +217,22 @@ resolve_ca_chain() {
done
}
# Usage: OUT_FILE CERT CA_CERT [KEY] [NO_PASSWORD]
generate_ovpn_file() {
if [ "$4" != "" ] && [ "$5" -eq 0 ]; then
local pem="$(cat "$4")"
elif [ "$4" != "" ]; then
# Usage: TYPE OUT_FILE CERT CA_CERT [KEY] [NO_PASSWORD]
generate_output_file() {
if [ "$5" != "" ] && [ "$6" -eq 0 ]; then
local pem="$(cat "$5")"
elif [ "$5" != "" ]; then
local extra_param=""
if ! tty -s; then
# non-interactive shell, get password from env
extra_param="-passout env:PK_PASS"
fi
echo "Password to encrypt private key in .ovpn config file: " >&2
local pem="$(openssl rsa -aes256 -in $4 $extra_param)"
local pem="$(openssl rsa -aes256 -in $5 $extra_param)"
local counter=0
while [ "$pem" == "" ]; do
logError "Invalid passphrase, please try again."
local pem="$(openssl rsa -aes256 -in $4 $extra_param)"
local pem="$(openssl rsa -aes256 -in $5 $extra_param)"
counter=$(($counter + 1))
if [ $counter -ge 10 ]; then
......@@ -242,8 +242,9 @@ generate_ovpn_file() {
done
fi
local out_file="$1"
local out_file="$2"
if [ "$1" == "ovpn" ]; then
cat <<EOL > "$out_file"
client
remote vpn.webis.de
......@@ -263,15 +264,27 @@ $pem
</key>
<cert>
$(cat "$2")
$(cat "$3")
</cert>
<ca>
$(resolve_ca_chain "$3")
$(resolve_ca_chain "$4")
</ca>
EOL
logInfo "OpenVPN config file has been written to '$1'."
logInfo "OpenVPN config file has been written to '$2'."
else
cat <<EOL > "$out_file"
$pem
$(cat "$3")
$(resolve_ca_chain "$4")
EOL
logInfo "PEM file has been written to '$2'."
fi
return 0
}
......@@ -373,13 +386,17 @@ issue() {
if [ "$FLAGS_type" == "client" ]; then
logInfo "Writing .ovpn file..."
local type="ovpn"
else
logInfo "Writing PEM file..."
local type="pem"
fi
ROOT_CA_CERT="$(dirname $ROOT_CERT)/Webis_Root_CA.crt"
if ! generate_ovpn_file "$FLAGS_out" "$CERT" "$ROOT_CERT" "$KEY" $FLAGS_no_password; then
if ! generate_output_file "$type" "$FLAGS_out" "$CERT" "$ROOT_CERT" "$KEY" $FLAGS_no_password; then
rm -f "$KEY" "$CSR" "$CERT"
cleanup "$MOUNT_DIR"
exit 1
fi
fi
if $DELETE_KEY; then
# delete private key after generating ovpn file
logInfo "Deleting temporary private key..."
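Review bot: The new PEM branch in the `@@ -263,15 +264,27 @@` hunk writes the private key into `$out_file` with `cat <<EOL > "$out_file"` (plaintext when `--no_password` is given, since `"$6" -eq 0` selects the `cat "$5"` path), so the file is created under the caller's umask, typically 0644 and world-readable, and the commit does not tighten it; the existing `.ovpn` branch has the same exposure, but this change extends it to server certificates. Because the default `out` is `/dev/stdout`, a `chmod` on the path is not safe; instead narrow the umask around the write: after `local out_file="$2"` add `local prev_umask; prev_umask="$(umask)"; umask 077`, and after the closing `fi` of the ovpn/pem branch restore it with `umask "$prev_umask"` (an `install -m 600 /dev/null "$out_file"` guarded by `[ "$out_file" != "/dev/stdout" ]` would also work). While the renumbered lines are being touched, `openssl rsa -aes256 -in $5 $extra_param` leaves `$5` unquoted; `"$5"` avoids word-splitting on a key path containing spaces, while `$extra_param` must stay unquoted because it is meant to split into two words. `generate_output_file` spans several hunks here and the `-263` hunk starts inside its heredoc, so the function's full body is not visible in one place.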