3 # unbound-control-setup.sh - set up SSL certificates for unbound-control
5 # Copyright (c) 2008, NLnet Labs. All rights reserved.
7 # This software is open source.
9 # Redistribution and use in source and binary forms, with or without
10 # modification, are permitted provided that the following conditions
13 # Redistributions of source code must retain the above copyright notice,
14 # this list of conditions and the following disclaimer.
16 # Redistributions in binary form must reproduce the above copyright notice,
17 # this list of conditions and the following disclaimer in the documentation
18 # and/or other materials provided with the distribution.
20 # Neither the name of the NLNET LABS nor the names of its contributors may
21 # be used to endorse or promote products derived from this software without
22 # specific prior written permission.
24 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
27 # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
28 # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
30 # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
31 # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
32 # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
33 # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
34 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
41 # issuer and subject name for certificates
43 CLIENTNAME=unbound-control
45 # validity period for certificates
48 # size of keys in bits
54 # base name for unbound server keys
55 SVR_BASE=unbound_server
57 # base name for unbound-control keys
58 CTL_BASE=unbound_control
60 # flag to recreate generated certificates
63 # we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
71 echo "removing artifacts"
76 "${SVR_BASE}_trust.pem" \
77 "${CTL_BASE}_trust.pem" \
78 "${SVR_BASE}_trust.srl"
82 printf "fatal error: $*\n" >/dev/stderr
90 -d <dir> used directory to store keys and certificates (default: $DESTDIR)
92 -r recreate certificates
97 while getopts 'd:hr' arg; do
99 d) DESTDIR="$OPTARG" ;;
102 ?) fatal "'$arg' unknown option" ;;
105 shift $((OPTIND - 1))
108 echo "setup in directory $DESTDIR"
114 # Generate server certificate
117 # generate private key; do no recreate it if they already exist.
118 if [ ! -f "$SVR_BASE.key" ]; then
119 openssl genrsa -out "$SVR_BASE.key" "$BITS"
122 cat >server.cnf <<EOF
127 distinguished_name=req_distinguished_name
128 x509_extensions=v3_ca
129 [req_distinguished_name]
130 commonName=$SERVERNAME
132 subjectKeyIdentifier=hash
133 authorityKeyIdentifier=keyid:always,issuer:always
134 basicConstraints=critical,CA:TRUE,pathlen:0
135 subjectAltName=DNS:$SERVERNAME
138 [ -f server.cnf ] || fatal "cannot create openssl configuration"
140 if [ ! -f "$SVR_BASE.pem" -o $RECREATE -eq 1 ]; then
143 -key "$SVR_BASE.key" \
148 [ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate"
152 # Generate client certificate
155 # generate private key; do no recreate it if they already exist.
156 if [ ! -f "$CTL_BASE.key" ]; then
157 openssl genrsa -out "$CTL_BASE.key" "$BITS"
160 cat >client.cnf <<EOF
165 distinguished_name=req_distinguished_name
166 req_extensions=v3_req
167 [req_distinguished_name]
168 commonName=$CLIENTNAME
170 basicConstraints=critical,CA:FALSE
171 subjectAltName=DNS:$CLIENTNAME
174 [ -f client.cnf ] || fatal "cannot create openssl configuration"
176 if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then
178 -addtrust serverAuth \
179 -in "$SVR_BASE.pem" \
180 -out "${SVR_BASE}_trust.pem"
185 -key "$CTL_BASE.key" \
189 -CA "${SVR_BASE}_trust.pem" \
190 -CAkey "$SVR_BASE.key" \
193 -extfile client.cnf \
197 [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate"
200 # remove unused permissions
209 echo "Setup success. Certificates created. Enable in unbound.conf file to use"
211 # create trusted usage pem
212 # openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
214 # see details with openssl x509 -noout -text < $SVR_BASE.pem
215 # echo "create $CTL_BASE""_browser.pfx (web client certificate)"
216 # echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
217 # echo "preferences - advanced - encryption - view certificates - your certs"
218 # echo "empty password is used, simply click OK on the password dialog box."
219 # openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"