-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathast_tls_cert
executable file
·221 lines (200 loc) · 5 KB
/
ast_tls_cert
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
#!/bin/sh -e
DEFAULT_ORG="Asterisk"
DEFAULT_CA_CN="Asterisk Private CA"
DEFAULT_CLIENT_CN="asterisk"
DEFAULT_SERVER_CN=`hostname -f`
# arguments
# $1 "ca" if we are to generate a CA cert
# $2 alternate config file name (for ca)
# $3 alternate common name
# $4 alternate org name
create_config () {
if [ "$1" = "ca" ]
then
castring="
[ext]
basicConstraints=CA:TRUE"
fi
cat > ${2:-"${CONFIG_FILE}"} << EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN=${3:-"${COMMON_NAME}"}
O=${4:-"${ORG_NAME}"}
${castring}
EOF
}
create_ca () {
echo "Creating CA key ${CAKEY}"
openssl genrsa -des3 -out ${CAKEY} 4096 > /dev/null
if [ $? -ne 0 ];
then
echo "Failed"
exit 1
fi
echo "Creating CA certificate ${CACERT}"
openssl req -new -config ${CACFG} -x509 -days 365 -key ${CAKEY} -out ${CACERT} > /dev/null
if [ $? -ne 0 ];
then
echo "Failed"
exit 1
fi
}
create_cert () {
local base=${OUTPUT_DIR}/${OUTPUT_BASE}
echo "Creating certificate ${base}.key"
openssl genrsa -out ${base}.key 1024 > /dev/null
if [ $? -ne 0 ];
then
echo "Failed"
exit 1
fi
echo "Creating signing request ${base}.csr"
openssl req -batch -new -config ${CONFIG_FILE} -key ${base}.key -out ${base}.csr > /dev/null
if [ $? -ne 0 ];
then
echo "Failed"
exit 1
fi
echo "Creating certificate ${base}.crt"
openssl x509 -req -days 365 -in ${base}.csr -CA ${CACERT} -CAkey ${CAKEY} -set_serial 01 -out ${base}.crt > /dev/null
if [ $? -ne 0 ];
then
echo "Failed"
exit 1
fi
echo "Combining key and crt into ${base}.pem"
cat ${base}.key > ${base}.pem
cat ${base}.crt >> ${base}.pem
}
usage () {
cat << EOF
This script is useful for quickly generating self-signed CA, server, and client
certificates for use with Asterisk. It is still recommended to obtain
certificates from a recognized Certificate Authority and to develop an
understanding how SSL certificates work. Real security is hard work.
OPTIONS:
-h Show this message
-m Type of cert "client" or "server". Defaults to server.
-f Config filename (openssl config file format)
-c CA cert filename (creates new CA cert/key as ca.crt/ca.key if not passed)
-k CA key filename
-C Common name (cert field)
This should be the fully qualified domain name or IP address for
the client or server. Make sure your certs have unique common
names.
-O Org name (cert field)
An informational string (company name)
-o Output filename base (defaults to asterisk)
-d Output directory (defaults to the current directory)
Example:
To create a CA and a server (pbx.mycompany.com) cert with output in /tmp:
ast_tls_cert -C pbx.mycompany.com -O "My Company" -d /tmp
This will create a CA cert and key as well as asterisk.pem and the the two
files that it is made from: asterisk.crt and asterisk.key. Copy asterisk.pem
and ca.crt somewhere (like /etc/asterisk) and set tlscertfile=/etc/asterisk.pem
and tlscafile=/etc/ca.crt. Since this is a self-signed key, many devices will
require you to import the ca.crt file as a trusted cert.
To create a client cert using the CA cert created by the example above:
ast_tls_cert -m client -c /tmp/ca.crt -k /tmp/ca.key -C phone1.mycompany.com \\
-O "My Company" -d /tmp -o joe_user
This will create client.crt/key/pem in /tmp. Use this if your device supports
a client certificate. Make sure that you have the ca.crt file set up as
a tlscafile in the necessary Asterisk configs. Make backups of all .key files
in case you need them later.
EOF
}
if ! type openssl >/dev/null 2>&1
then
echo "This script requires openssl to be in the path"
exit 1
fi
OUTPUT_BASE=asterisk # Our default cert basename
CERT_MODE=server
ORG_NAME=${DEFAULT_ORG}
while getopts "hf:c:k:o:d:m:C:O:" OPTION
do
case ${OPTION} in
h)
usage
exit 1
;;
f)
CONFIG_FILE=${OPTARG}
;;
c)
CACERT=${OPTARG}
;;
k)
CAKEY=${OPTARG}
;;
o)
OUTPUT_BASE=${OPTARG}
;;
d)
OUTPUT_DIR=${OPTARG}
;;
m)
CERT_MODE=${OPTARG}
;;
C)
COMMON_NAME=${OPTARG}
;;
O)
ORG_NAME=${OPTARG}
;;
?)
usage
exit
;;
esac
done
if [ -z "${OUTPUT_DIR}" ]
then
OUTPUT_DIR=.
else
mkdir -p "${OUTPUT_DIR}"
fi
umask 177
case "${CERT_MODE}" in
server)
COMMON_NAME=${COMMON_NAME:-"${DEFAULT_SERVER_CN}"}
;;
client)
COMMON_NAME=${COMMON_NAME:-"${DEFAULT_CLIENT_CN}"}
;;
*)
echo
echo "Unknown mode. Exiting."
exit 1
;;
esac
if [ -z "${CONFIG_FILE}" ]
then
CONFIG_FILE="${OUTPUT_DIR}/tmp.cfg"
echo
echo "No config file specified, creating '${CONFIG_FILE}'"
echo "You can use this config file to create additional certs without"
echo "re-entering the information for the fields in the certificate"
create_config
fi
if [ -z ${CACERT} ]
then
CAKEY=${OUTPUT_DIR}/ca.key
CACERT=${OUTPUT_DIR}/ca.crt
CACFG=${OUTPUT_DIR}/ca.cfg
if [ ! -r "$CAKEY" ] && [ ! -r "$CACFG" ]; then
create_config ca "${CACFG}" "${DEFAULT_CA_CN}" "${DEFAULT_CA_ORG}"
fi
if [ ! -r "$CACERT" ]; then
create_ca
fi
else
if [ -z ${CAKEY} ]
then
echo "-k must be specified if -c is"
exit 1
fi
fi
create_cert