diff options
Diffstat (limited to 'contrib')
| -rwxr-xr-x | contrib/scripts/ast_tls_cert | 186 |
1 files changed, 186 insertions, 0 deletions
diff --git a/contrib/scripts/ast_tls_cert b/contrib/scripts/ast_tls_cert new file mode 100755 index 000000000..618576b7e --- /dev/null +++ b/contrib/scripts/ast_tls_cert @@ -0,0 +1,186 @@ +#!/bin/sh -e +DEFAULT_ORG="Asterisk" +DEFAULT_CA_CN="Asterisk Private CA" +DEFAULT_CLIENT_CN="asterisk" +DEFAULT_SERVER_CN=`hostname -f` + +# arguments +# $1 "ca" if we are to generate a CA cert +# $2 alternate config file name (for ca) +# $3 alternate common name +# $4 alternate org name +create_config () { + if [ "$1" = "ca" ] + then +castring=" +[ext] +basicConstraints=CA:TRUE" + fi + +cat > ${2:-"${CONFIG_FILE}"} << EOF +[req] +distinguished_name = req_distinguished_name +prompt = no + +[req_distinguished_name] +CN=${3:-"${COMMON_NAME}"} +O=${4:-"${ORG_NAME}"} +${castring} +EOF +} + +create_ca () { + echo "Creating ${CAKEY}" + openssl genrsa -des3 -out ${CAKEY} 4096 > /dev/null + echo "Creating ${CACERT}" + openssl req -new -config ${CACFG} -x509 -days 365 -key ${CAKEY} -out ${CACERT} > /dev/null +} + +create_cert () { + local base=${OUTPUT_DIR}/${OUTPUT_BASE} + echo "Creating ${base}.key" + openssl genrsa -out ${base}.key 1024 > /dev/null + echo "Creating signing request" + openssl req -batch -new -config ${CONFIG_FILE} -key ${base}.key -out ${base}.csr > /dev/null + echo "Creating ${base}.crt" + openssl x509 -req -days 365 -in ${base}.csr -CA ${CACERT} -CAkey ${CAKEY} -set_serial 01 -out ${base}.crt > /dev/null + echo "Combining key and crt into ${base}.pem" + cat ${base}.key > ${base}.pem + cat ${base}.crt >> ${base}.pem +} + +usage () { +cat << EOF +This script is useful for quickly generating self-signed CA, server, and client +certificates for use with Asterisk. It is still recommended to obtain +certificates from a recognized Certificate Authority and to develop an +understanding how SSL certificates work. Real security is hard work. + +OPTIONS: + -h Show this message + -m Type of cert "client" or "server". Defaults to server. + -f Config filename (openssl config file format) + -c CA cert filename (creates new CA cert/key as ca.crt/ca.key if not passed) + -k CA key filename + -C Common name (cert field) + For a server cert, this should be the same address that clients + attempt to connect to. Usually this will be the Fully Qualified + Domain Name, but might be the IP of the server. For a CA or client + cert, it is merely informational. Make sure your certs have unique + common names. + -O Org name (cert field) + An informational string (company name) + -o Output filename base (defaults to asterisk) + -d Output directory (defaults to the current directory) + +Example: + +To create a CA and a server (pbx.mycompany.com) cert with output in /tmp: + ast_tls_cert -C pbx.mycompany.com -O "My Company" -d /tmp + +This will create a CA cert and key as well as asterisk.pem and the the two +files that it is made from: asterisk.crt and asterisk.key. Copy asterisk.pem +and ca.crt somewhere (like /etc/asterisk) and set tlscertfile=/etc/asterisk.pem +and tlscafile=/etc/ca.crt. Since this is a self-signed key, many devices will +require you to import the ca.crt file as a trusted cert. + +To create a client cert using the CA cert created by the example above: + ast_tls_cert -m client -c /tmp/ca.crt -k /tmp/ca.key -C "Joe User" -O \\ + "My Company" -d /tmp -o joe_user + +This will create client.crt/key/pem in /tmp. Use this if your device supports +a client certificate. Make sure that you have the ca.crt file set up as +a tlscafile in the necessary Asterisk configs. Make backups of all .key files +in case you need them later. +EOF +} + +if ! type openssl >/dev/null 2>&1 +then + echo "This script requires openssl to be in the path" + exit 1 +fi + +OUTPUT_BASE=asterisk # Our default cert basename +CERT_MODE=server +ORG_NAME=${DEFAULT_ORG} + +while getopts "hf:c:k:o:d:m:C:O:" OPTION +do + case ${OPTION} in + h) + usage + exit 1 + ;; + f) + CONFIG_FILE=${OPTARG} + ;; + c) + CACERT=${OPTARG} + ;; + k) + CAKEY=${OPTARG} + ;; + o) + OUTPUT_BASE=${OPTARG} + ;; + d) + OUTPUT_DIR=${OPTARG} + ;; + m) + CERT_MODE=${OPTARG} + ;; + C) + COMMON_NAME=${OPTARG} + ;; + O) + ORG_NAME=${OPTARG} + ;; + ?) + usage + exit + ;; + esac +done + +if [ -z "${OUTPUT_DIR}" ] +then + OUTPUT_DIR=. +else + mkdir -p "${OUTPUT_DIR}" +fi + +case "${CERT_MODE}" in + server) + COMMON_NAME=${COMMON_NAME:-"${DEFAULT_SERVER_CN}"} + ;; + client) + COMMON_NAME=${COMMON_NAME:-"${DEFAULT_CLIENT_CN}"} + ;; + *) + echo + echo "Unknown mode. Exiting." + exit 1 + ;; +esac + +if [ -z "${CONFIG_FILE}" ] +then + CONFIG_FILE="${OUTPUT_DIR}/tmp.cfg" + echo + echo "No config file specified, creating '${CONFIG_FILE}'" + echo "You can use this config file to create additional certs without" + echo "re-entering the information for the fields in the certificate" + create_config +fi + +if [ -z ${CACERT} ] +then + CAKEY=${OUTPUT_DIR}/ca.key + CACERT=${OUTPUT_DIR}/ca.crt + CACFG=${OUTPUT_DIR}/ca.cfg + create_config ca "${CACFG}" "${DEFAULT_CA_CN}" "${DEFAULT_CA_ORG}" + create_ca +fi + +create_cert |