#!/bin/bash
###########################################################################
#
#	Shell script to create a self-signed root certificate and a certificate
#	request, and to sign that request with the new CA. It was written to
#	simplify the configuration of an Apache server with SSL.
#
#	Copyright 2008, TheOrangeIT.org, <ralph at theorangeit dot org>.
#
#	This shell script is free software; you can redistribute it and/ or
#	modify it under the terms of the GNU General Public License v.3 as
#	published by the Free Software Foundation;
#
#	This program is distributed in the hope that it will be useful
#	but WITHOUT ANY WARRANTY; without even the implied warranty of
#	MERCHANTABILITY  or FITNESS FOR A PARTICULAR PURPOSE. See the
#	GNU General Public License for more details.
#
#	Usage:
#		1. Customize options in Configuration Section.
#		2. Run script in a folder where you want to create 
#		   your CA.
#
#	For help visit: www.TheOrangeIT.org
#
#	May/24/2008	File created               .... ver 0.1
#
###########################################################################

########################### CONFIGURATION SECTION #########################

#################### Certification Authority Configuration ##################

# Name you wish to use for your Certification Authority.
commonName='TheOrangeIT.org CA'

# Name of your state or province.
stateOrProvinceName='California'

# Two-letter country code.
countryName='US'

# Email address of the CA.
emailAddress='ca@theorangeit.org'

# Name of the organization you wish to use for your CA.
organizationName='TheOrangeIT.org CA'

# Unit of the organization (RND - Research And Development).
organizationalUnitName='RND'

# Encrypt the CA private key with a passphrase? (yes/no; the value is passed
# through as the encrypt_key setting of the generated OpenSSL config)
ENCRYPT_CA_PK='yes'

################# Certificate will be issued to: ###########################

# IP address or fully qualified domain name of the server this certificate
# will be used on, e.g. www.TheOrangeIt.org.
#
# Note: if the server is reached as TheOrangeIT.org (without www.), enter
# the FQDN without www.
req_commonName='192.168.11.103'

# The remaining options mirror the CA section above.
req_stateOrProvinceName='California'
req_countryName='US'
req_emailAddress='ralph@theorangeit.org'
req_organizationName='TheOrangeIT.org'
req_organizationalUnitName='RND'

# Encrypt the server's private key with a passphrase? (yes/no)
ENCRYPT_PK='yes'

################ DO NOT CHANGE ANYTHING BELOW THIS LINE ###################

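# Folder to create Certificate Authority environment in.
# $(pwd) replaces the legacy backtick form. The assignments themselves need
# no quotes (assignment never word-splits), but every later use of these
# variables must be double-quoted, since the working directory may contain
# spaces.

CURRENT_FOLDER=$(pwd)

CA_FOLDER_NAME="myCA"

CA_ROOT_DIR=$CURRENT_FOLDER/$CA_FOLDER_NAME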

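#######################################
# Create the on-disk layout that the "openssl ca" command expects under
# CA_ROOT_DIR:
#   certs/      issued certificates (new_certs_dir in ca.cnf)
#   private/    CA private key, mode 0700
#   serial      next serial number, seeded with 01 on the first run only
#   index.txt   certificate database
# Globals:  CA_ROOT_DIR (read; must be set and non-empty)
# Returns:  0 on success, non-zero if a directory or file cannot be created
# A re-run on an existing CA leaves serial and index.txt untouched: resetting
# the serial would make the CA hand out serial numbers it has already used.
#######################################
create_CA_envirnoment() {
  # ${CA_ROOT_DIR:?} aborts instead of creating /certs and /private at the
  # filesystem root when the variable is empty or unset.
  local root=${CA_ROOT_DIR:?CA_ROOT_DIR must be set}
  mkdir -p -- "$root/certs" "$root/private" || return 1
  # Private key directory: owner only, independent of the current umask.
  chmod 700 -- "$root/private" || return 1
  if [[ ! -e "$root/serial" ]]; then
    echo '01' > "$root/serial" || return 1
  fi
  touch -- "$root/index.txt" || return 1
}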

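#######################################
# Print the OpenSSL configuration for the CA (ca.cnf) to stdout.
# Globals (read): CA_ROOT_DIR, ENCRYPT_CA_PK, commonName, stateOrProvinceName,
#                 countryName, emailAddress, organizationName,
#                 organizationalUnitName
# Outputs:        the config text on stdout; the caller redirects it to a file
# The here-doc is deliberately unquoted: $CA_ROOT_DIR and the DN variables are
# expanded by the shell, while the escaped \$dir references are left for
# OpenSSL to resolve against the "dir" key of the [ toitCA ] section.
# default_md is sha256 in both the [ toitCA ] and [ req ] sections: the
# original md5 produces signatures that current TLS clients and OpenSSL
# builds reject.
#######################################
ca_config_file() {
cat <<ENDOFFILE
[ ca ]
default_ca          = toitCA

[ toitCA ]
dir                 = $CA_ROOT_DIR
certificate         = \$dir/cacert.pem
database            = \$dir/index.txt
new_certs_dir       = \$dir/certs
private_key         = \$dir/private/cakey.pem
serial              = \$dir/serial

default_crl_days    = 7
default_days        = 365
default_md          = sha256

policy              = toitCA_policy
x509_extensions     = certificate_extensions

[ toitCA_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits        = 2048
default_keyfile     = $CA_ROOT_DIR/private/cakey.pem
default_md          = sha256
encrypt_key         = $ENCRYPT_CA_PK

prompt              = no
distinguished_name  = root_ca_distinguished_name

x509_extensions     = root_ca_extensions

[ root_ca_distinguished_name ]
commonName              = $commonName
stateOrProvinceName     = $stateOrProvinceName
countryName             = $countryName
emailAddress            = $emailAddress
organizationName        = $organizationName
organizationalUnitName  = $organizationalUnitName

[ root_ca_extensions ]
basicConstraints = CA:true

ENDOFFILE
}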

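#######################################
# Print the OpenSSL configuration for the server certificate request
# (req.cnf) to stdout.
# Globals (read): CURRENT_FOLDER, ENCRYPT_PK, req_commonName,
#                 req_stateOrProvinceName, req_countryName, req_emailAddress,
#                 req_organizationName, req_organizationalUnitName
# Outputs:        the config text on stdout; the caller redirects it to a file
# default_keyfile points at the server key in the working directory, never at
# the CA key under private/: the script passes -keyout anyway, but a config
# that defaults to the CA key would overwrite it the first time someone runs
# "openssl req -config req.cnf" by hand.
# default_md is sha256: the original md5 produces signatures that current TLS
# clients and OpenSSL builds reject.
# NOTE(review): no subjectAltName is requested here; current TLS clients match
# the hostname against SAN rather than CN - confirm before relying on this
# certificate for a browser-facing server.
#######################################
req_config_file() {
cat <<ENDOFFILE
[ req ]
default_bits        = 2048
default_keyfile     = $CURRENT_FOLDER/testkey.pem
default_md          = sha256
encrypt_key         = $ENCRYPT_PK

prompt              = no
distinguished_name  = server_distinguished_name

x509_extensions     = server_extensions

[ server_distinguished_name ]
commonName              = $req_commonName
stateOrProvinceName     = $req_stateOrProvinceName
countryName             = $req_countryName
emailAddress            = $req_emailAddress
organizationName        = $req_organizationName
organizationalUnitName  = $req_organizationalUnitName

[ server_extensions ]
basicConstraints = CA:false
ENDOFFILE
}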

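#######################################
# Main flow. Every step is checked explicitly: the script does not use set -e,
# and continuing after a failed openssl call would sign with a half-built CA.
#######################################
create_CA_envirnoment || exit 1

# Write the two OpenSSL config files. They are overwritten (>) rather than
# appended (>>): appending on a re-run stacks duplicate sections into the
# file and leaves OpenSSL with an ambiguous configuration.
ca_config_file > "$CURRENT_FOLDER/ca.cnf" || exit 1
req_config_file > "$CURRENT_FOLDER/req.cnf" || exit 1

# Create self-signed root certificate. The CA key lands in private/cakey.pem
# through default_keyfile in ca.cnf.
openssl req -x509 -newkey rsa:2048 \
  -out "$CA_ROOT_DIR/cacert.pem" -outform PEM \
  -config "$CURRENT_FOLDER/ca.cnf" || exit 1
openssl x509 -in "$CA_ROOT_DIR/cacert.pem" -text -noout || exit 1

# Generate certificate request. The key is 2048 bits to match default_bits in
# req.cnf; the earlier rsa:1024 on this command line silently overrode the
# config with a key size below current minimums.
openssl req -newkey rsa:2048 \
  -keyout "$CURRENT_FOLDER/testkey.pem" -keyform PEM \
  -out "$CURRENT_FOLDER/testreq.pem" -outform PEM \
  -config "$CURRENT_FOLDER/req.cnf" || exit 1

# Sign certificate request. No -out is given, so the signed certificate is
# printed to stdout; a copy is also written to new_certs_dir (myCA/certs).
openssl ca -in "$CURRENT_FOLDER/testreq.pem" -batch \
  -config "$CURRENT_FOLDER/ca.cnf" || exit 1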



