#! /bin/bash
#
# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany. All rights reserved.
#
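#######################################
# Failure exit: remove the generated OpenSSL config and any partially
# written key, request or certificate so a failed run leaves no
# half-finished key material behind, then exit with status 1.
# Globals:  TMPFILE, ckey, creq, ccert (read; the files are removed)
# Returns:  does not return; exits 1
#######################################
myexit() {
  # Quoted and behind "--": a path containing spaces is removed as one
  # name instead of being split, and a name starting with "-" is not
  # parsed as an option. -f keeps unset/empty names from being an error.
  rm -f -- "$TMPFILE" "$ckey" "$creq" "$ccert"
  exit 1
}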
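#######################################
# Print usage together with the DN defaults currently in effect (as
# sourced from /etc/sysconfig/postfix) on stdout.
# Globals:  POSTFIX_SSL_COUNTRY, POSTFIX_SSL_STATE, POSTFIX_SSL_LOCALITY,
#           POSTFIX_SSL_ORGANIZATION, POSTFIX_SSL_ORGANIZATIONAL_UNIT,
#           POSTFIX_SSL_EMAIL_ADDRESS (read)
# Outputs:  usage text on stdout
# Returns:  0
#######################################
do_help() {
  # Unquoted delimiter on purpose: $0 and the POSTFIX_SSL_* values expand.
  # The -l line was missing its closing "]" in the original usage text.
  cat <<EOF
$0 -n|--name certname -c|--common-name "common name"
Optional parameters:
[-t|--country "country name"]
[-s|--state "state name"]
[-l|--locality "locality name"]
[-o|--organization "organization name"]
[-u|--organizational-unit "organizational unit"]
[-e|--email-address "email address"]
[-p|--pkcs12] create pkcs12 file to import
into mailclient
$0 reads its defaults from /etc/sysconfig/postfix
current defaults:
country: $POSTFIX_SSL_COUNTRY
state: $POSTFIX_SSL_STATE
locality: $POSTFIX_SSL_LOCALITY
organization: $POSTFIX_SSL_ORGANIZATION
organizational-unit: $POSTFIX_SSL_ORGANIZATIONAL_UNIT
email-address: $POSTFIX_SSL_EMAIL_ADDRESS
EOF
}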
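# All defaults (POSTFIX_SSL_*, POSTFIX_SSL_PATH, POSTFIX_TLS_CAFILE) come from
# the sysconfig file; without it nothing below has usable values, so refuse
# to continue. Diagnostics go to stderr so they do not mix with the
# fingerprint summary printed on stdout at the end.
. /etc/sysconfig/postfix || {
  echo "unable to open /etc/sysconfig/postfix" >&2
  exit 1
}
# No arguments at all: show usage and fail (a name and a common name are
# both required).
if [[ -z "$1" ]]; then
  do_help
  exit 1
fi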
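# Parse options with util-linux getopt so long options and values containing
# spaces are handled; getopt's exit status must be read immediately after the
# assignment, before any other command overwrites $?.
TEMP=$(getopt -o t:s:l:o:u:c:e:n:p \
  --long country:,state:,locality:,organization:,organizational-unit:,common-name:,email-address:,name:,pkcs12 \
  -- "$@")
if [[ $? -ne 0 ]]; then
  echo "Terminating..." >&2
  exit 1
fi
# getopt emits a shell-quoted word list; re-splitting it through eval is the
# documented way to load it back into the positional parameters.
eval set -- "$TEMP"
# Command-line values override the sysconfig defaults sourced above. name and
# pkcs12 are reset explicitly so a stray variable inherited from the caller's
# environment cannot act as an option.
POSTFIX_SSL_COMMON_NAME=""
name=""
pkcs12=""
while true; do
  case "$1" in
    -n|--name)
      name=$2
      shift 2
      ;;
    -c|--common-name)
      POSTFIX_SSL_COMMON_NAME=$2
      shift 2
      ;;
    -t|--country)
      POSTFIX_SSL_COUNTRY=$2
      shift 2
      ;;
    -s|--state)
      POSTFIX_SSL_STATE=$2
      shift 2
      ;;
    -l|--locality)
      POSTFIX_SSL_LOCALITY=$2
      shift 2
      ;;
    -o|--organization)
      POSTFIX_SSL_ORGANIZATION=$2
      shift 2
      ;;
    -u|--organizational-unit)
      POSTFIX_SSL_ORGANIZATIONAL_UNIT=$2
      shift 2
      ;;
    -e|--email-address)
      POSTFIX_SSL_EMAIL_ADDRESS=$2
      shift 2
      ;;
    -p|--pkcs12)
      pkcs12=$1
      shift
      ;;
    --)
      shift
      break
      ;;
    *)
      # getopt normalises the list, so this should be unreachable; fail
      # loudly rather than loop forever on an unexpected token.
      printf 'internal error: unexpected option %s\n' "$1" >&2
      exit 1
      ;;
  esac
done
# The file-name stem and the certificate CN are both mandatory.
if [[ -z "$name" || -z "$POSTFIX_SSL_COMMON_NAME" ]]; then
  do_help
  exit 1
fi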
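openssl=/usr/bin/openssl
sslpath=$POSTFIX_SSL_PATH
# Every output path below is derived from POSTFIX_SSL_PATH; an empty value
# would silently point at /certs/... under the filesystem root, so stop here.
if [[ -z "$sslpath" ]]; then
  echo "POSTFIX_SSL_PATH is not set in /etc/sysconfig/postfix" >&2
  exit 1
fi
ckey=$sslpath/certs/${name}key.pem        # private key
creq=$sslpath/certs/${name}req.pem        # certificate signing request
ccert=$sslpath/certs/${name}cert.pem      # signed certificate, PEM
ccertder=$sslpath/certs/${name}cert.der   # same certificate, DER
ccertpkcs12=$sslpath/certs/${name}.p12    # key+cert bundle, only with -p
# The CA certificate named in sysconfig is both the issuer for "openssl ca"
# and the chain file for the PKCS#12 export; without it nothing can be signed.
if [[ ! -f "$sslpath/$POSTFIX_TLS_CAFILE" ]]; then
  echo "no CA found: $sslpath/$POSTFIX_TLS_CAFILE" >&2
  exit 1
fi
date="$(date)"
# The generated OpenSSL config carries the full subject DN and the CA paths.
# mktemp creates it mode 0600; the EXIT trap removes it on every exit path
# (including signals), not only on the error paths that go through myexit.
TMPFILE=$(mktemp /tmp/mkpostfixcert.XXXXXX) || exit 1
trap 'rm -f -- "$TMPFILE"' EXIT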
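# The private key and config must not be group/world readable; 077 applies
# to every file openssl creates from here on.
umask 077
# Signing parameters: the original config signed with MD5 and generated
# 1024-bit RSA keys, both of which current clients and OpenSSL policy reject;
# SHA-256 and 2048 bits are used instead. Already issued certificates are
# not affected. "\$dir" is escaped on purpose: OpenSSL resolves it, not the
# shell; all other $variables are expanded here.
cat <<EOF > "$TMPFILE"
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $sslpath
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/$POSTFIX_TLS_CAFILE
serial = \$dir/serial
crl = \$dir/crl.pem
private_key = \$dir/private/cakey.pem
RANDFILE = \$dir/private/.rand
x509_extensions = usr_cert
default_days = 2000
default_md = sha256
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
countryName = $POSTFIX_SSL_COUNTRY
stateOrProvinceName = $POSTFIX_SSL_STATE
localityName = $POSTFIX_SSL_LOCALITY
organizationName = $POSTFIX_SSL_ORGANIZATION
organizationalUnitName = $POSTFIX_SSL_ORGANIZATIONAL_UNIT
commonName = $POSTFIX_SSL_COMMON_NAME
emailAddress = $POSTFIX_SSL_EMAIL_ADDRESS
[ req_attributes ]
challengePassword = $RANDOM$RANDOM challenge password
[ server_cert ]
basicConstraints=CA:FALSE
nsCertType = server
nsComment = generated by mkpostfixcert at $date
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=email:copy
issuerAltName=issuer:copy
[ client_cert ]
basicConstraints=CA:FALSE
nsCertType = client, email
nsComment = generated by mkpostfixcert at $date
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=email:copy
issuerAltName=issuer:copy
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA
subjectAltName=email:copy
issuerAltName=issuer:copy
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = generated by mkpostfixcert at $date
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
EOF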
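echo "creating certificate request..."
# -nodes leaves the private key unencrypted on disk (a daemon cannot enter a
# passphrase); its protection is the 077 umask and the certs/ permissions.
"$openssl" req -config "$TMPFILE" -new -nodes -keyout "$ckey" -out "$creq" || {
  echo "error creating certificate request" >&2
  myexit
}
echo "signing server certificate..."
"$openssl" ca -config "$TMPFILE" -notext -batch -out "$ccert" -infiles "$creq" || {
  echo "error signing server certificate" >&2
  myexit
}
rm -f -- "$TMPFILE"
# The remaining conversions are best effort: a failure is reported but the
# PEM certificate has already been issued and recorded in the CA database.
echo "converting to DER format..."
"$openssl" x509 -in "$ccert" -inform PEM -out "$ccertder" -outform DER || {
  echo "error converting to DER" >&2
}
if [[ -n "$pkcs12" ]]; then
  echo "converting to PKCS12 format..."
  # No -passout on purpose: openssl prompts for the export password, so it
  # never appears on argv or in the process list.
  "$openssl" pkcs12 -export -in "$ccert" -inkey "$ckey" -out "$ccertpkcs12" \
    -certfile "$sslpath/$POSTFIX_TLS_CAFILE" -name "$POSTFIX_SSL_COMMON_NAME" || {
    echo "error converting to PKCS12" >&2
  }
fi
# openssl's default digest for -fingerprint is used here; the lookup table
# on the postfix side has to be built with the same digest.
fp=$("$openssl" x509 -fingerprint -in "$ccert" -noout | cut -d= -f2)
cat <<EOF
You may now want to add the fingerprint to /etc/postfix/relay_ccerts:
$fp $name
Don't forget to run SuSEconfig -module postfix after you've done that!
EOF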