scripts/own-pki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dev #20260420-2044

Browse Source
This commit is contained in:
Gilles Mouchet 2026-04-20 20:44:13 +02:00
parent 8eaacc490f
commit 8ad708c93e
5 changed files with 47 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -8,7 +8,8 @@ This toolkit allows you to manage a personal PKI through various bash scripts.
- Redhat 10
- Packages
- sqlite
- litecli sqlite text client (`pip3 install litecli`)
Not essential for the tools to work, but could be handy
## Installation
```bash
git clone https://gitweb.dyndns.org/scripts/own-ski.git

38
bin/generate-cert.sh
View File

@ -301,47 +301,41 @@ check_rc $?
echo -e -n "\nVerify the validity of ${GREEN}$CERTS_TMP_PATH/${COMMON_NAME}.crt${NC} using the trust chain: "
openssl verify -CAfile $CRT_CA_PATH/$CA_CRT $CERTS_TMP_PATH/$COMMON_NAME.crt > /dev/null 2>&1
check_rc $?
# get validity date
notBefore=$(openssl x509 -noout -in $CERTS_TMP_PATH/${COMMON_NAME}.crt -startdate | cut -d'=' -f2)
notAfter=$(openssl x509 -noout -in $CERTS_TMP_PATH/${COMMON_NAME}.crt -enddate | cut -d'=' -f2)
NOT_BEFORE=$(openssl x509 -noout -in $CERTS_TMP_PATH/${COMMON_NAME}.crt -startdate | cut -d'=' -f2)
NOT_AFTER=$(openssl x509 -noout -in $CERTS_TMP_PATH/${COMMON_NAME}.crt -enddate | cut -d'=' -f2)
exit
# check if commonName already exist on db
echo -e -n "\nCheck if ${GREEN}${COMMON_NAME}${NC} exist in DB: "
recordExist=$(sqlite3 $dbCertFile "SELECT EXISTS(SELECT 1 FROM certs WHERE common_name='${COMMON_NAME}');")
rc="$?"
[ "$rc" != "0" ] && { echo -e "${RED}Error reading the database (RC:$rc - $recordExist)${NC}"; exit; } || echo -e "${GREEN}Ok${NC}"
recordExist=$(sqlite3 $DB_PATH "SELECT EXISTS(SELECT 1 FROM certs WHERE common_name='${COMMON_NAME}');")
check_rc $?
if [ "$recordExist" == "1" ]; then
echo -e -n "Update ${ORANGE}${COMMON_NAME}${NC} in DB: "
sqlite3 $dbCertFile <<EOF
UPDATE certs SET san_dns = '$dnsLine',
san_ip = '$ipLine',
sqlite3 $DB_PATH <<EOF
UPDATE certs SET san_dns = '$DNS_LINE',
san_ip = '$IP_LINE',
cert_key = readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.key'),
cert_csr = readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.csr'),
cert_crt = readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.crt'),
not_valid_before = '$notBefore',
not_valid_after = '$notAfter'
not_valid_before = '$NOT_BEFORE',
not_valid_after = '$NOT_AFTER'
WHERE common_name = '${COMMON_NAME}';
EOF
rc="$?"
[ "$rc" != "0" ] && { echo -e "${RED}Error updating record in the database (RC:$rc - $recordExist)${NC}"; exit; } || echo -e "${GREEN}Ok${NC}"
check_rc $?
else
echo -e -n "Add ${ORANGE}${COMMON_NAME}${NC} in DB: "
sqlite3 $dbCertFile <<EOF
sqlite3 $DB_PATH <<EOF
INSERT INTO certs (common_name,san_dns,san_ip,cert_key,cert_csr,cert_crt,not_valid_before,not_valid_after)
VALUES ('${COMMON_NAME}', '$dnsLine','$ipLine',
VALUES ('${COMMON_NAME}', '$DNS_LINE','$IP_LINE',
readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.key'),
readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.csr'),
readfile('${CERTS_TMP_PATH}/${COMMON_NAME}.crt'),
'$notBefore',
'$notAfter')
'$NOT_BEFORE',
'$NOT_AFTER')
EOF
rc="$?"
[ "$rc" != "0" ] && { echo -e "${RED}Error writing record in the database (RC:$rc - $recordExist)${NC}"; exit; } || echo -e "${GREEN}Ok${NC}"
check_rc $?
fi
}

32
bin/install.sh
View File

@ -64,7 +64,7 @@ EOF
# path resolution
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
ETC_PATH="/etc/own-pki"
CONF_PATH="/etc/own-pki"
ENABLE_COLOR=true
BIN_PATH="/opt/own-pki"
DB_PATH="/var/lib/own-pki/certificates.db"
@ -121,17 +121,35 @@ main(){
msg_warn "$BIN_PATH/bin already exists!"
fi
echo -e -n "Create $ETC_PATH: "
if [ ! -d "$ETC_PATH" ]; then
mkdir -p $ETC_PATH 2>/dev/null
echo -e -n "Create $BIN_PATH/config: "
if [ ! -d "$BIN_PATH/config" ]; then
mkdir -p $BIN_PATH/config 2>/dev/null
check_rc $?
else
msg_warn "$ETC_PATH already exists!"
msg_warn "$BIN_PATH/config already exists!"
fi
echo -e -n "Create $CONF_PATH: "
if [ ! -d "$CONF_PATH" ]; then
mkdir -p $CONF_PATH 2>/dev/null
check_rc $?
else
msg_warn "$CONF_PATH already exists!"
fi
# copy config file
echo -e -n "Copy ${ORANGE}$ROOT_DIR/config/own-pki.conf${NC} to ${ETC_PATH}/: "
cp "$ROOT_DIR/config/own-pki.conf" "${ETC_PATH}/."
echo -e -n "Copy ${ORANGE}$ROOT_DIR/config/default.conf${NC} to $BIN_PATH/config: "
cp "$ROOT_DIR/config/default.conf" "$BIN_PATH/config/."
check_rc $?
# copy config file
echo -e -n "Copy ${ORANGE}$ROOT_DIR/config/default.conf${NC} to $BIN_PATH/config: "
cp "$ROOT_DIR/config/default.conf" "$BIN_PATH/config/."
check_rc $?
# copy config file
echo -e -n "Copy ${ORANGE}$ROOT_DIR/config/ca-config.tmpl${NC} to ${BIN_PATH}/config: "
cp "$ROOT_DIR/config/ca-config.tmpl" "${BIN_PATH}/config/."
check_rc $?
# create DB

102
config/ca-config
View File

@ -1,102 +0,0 @@
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/dbca/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CH
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Vaud
localityName = Locality Name (eg, city)
localityName_default = Nyon
0.organizationName = Organization Name (eg, company)
0.organizationName_default = GMO Lab (gmolab)
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ITCS (Information Technology and Communications Service)
commonName = Common Name (eg, YOUR name)
commonName_default =
commonName_max = 64
emailAddress = Email Address
emailAddress_default = example@example.com
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

3
config/default.conf
View File

@ -47,3 +47,6 @@ ASSUME_YES=0
# Temp path for certificates files
CERTS_TMP_PATH=/tmp/ca
# Databse
DB_PATH=/var/lib/own-pki/certificates.db