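#!/bin/sh
#
# nessus-mkcert
#
# Written by Renaud Deraison <deraison@cvs.nessus.org> 
# and Michel Arboi <arboi@bigfoot.com>
#
# This script is distributed under the Gnu General Public License (GPL)
#
# Creates a one-shot certification authority and uses it to issue a TLS
# server certificate for the Nessus daemon.  Everything is written to the
# current directory:
#
#   cacert.pem      CA certificate            (public, 0644)
#   servercert.pem  server certificate        (public, 0644)
#   serverkey.pem   server private key        (0600 -- never world-readable)
#
# The CA private key is deleted as soon as the server certificate has been
# signed: this CA can sign exactly one certificate and can never issue a
# CRL.  Re-run the script to get a fresh CA/server pair.
#
# Usage:    nessus-mkcert [hostname]        (default: newbie)
# Requires: openssl; $HOME (for OpenSSL's RANDFILE); write access to cwd.
#

# Keep the options in 'set', not in the shebang: '#!/bin/sh -e' is silently
# dropped when the script is run as 'sh nessus-mkcert'.
set -eu

# Check environment
if [ -z "${HOME:-}" ]; then
    echo "HOME should be defined" 1>&2; exit 1
fi

# Private keys must not be world-readable.  With 'umask 022' (the historical
# setting) 'openssl genrsa -out' produced serverkey.pem with mode 0644 and
# nothing ever tightened it.  Create everything 0600/0700 and open up only
# the two public certificates at the end.
umask 077

# Scratch directory: CA database, CSR and the generated OpenSSL config.
# A random name cannot collide with an existing ./tmp; the trap removes it
# on every exit path (including failures under 'set -e').
BASEDIR=$(mktemp -d ./nessus-mkcert.XXXXXX) || exit 1
trap 'rm -rf -- "${BASEDIR:?}"' 0


CAKEY=./cakey.pem
CACERT=./cacert.pem
SRVKEY=./serverkey.pem
SRVREQ=$BASEDIR/serverreq.pem
SRVCERT=./servercert.pem
#

CACERT_LIFETIME=1460    # days
SRVCERT_LIFETIME=730    # days
KEYBITS=2048            # RSA modulus; 1024-bit keys are rejected by current TLS stacks
COUNTRY=FR
PROVINCE=.
LOCATION=Paris
ORGANIZATION="Nessus Kabale"

# Host the server certificate is issued for.  It becomes the CN and -- the
# part TLS clients actually match -- the DNS subjectAltName.  Optional first
# argument; the historical default is kept.
hostname=${1:-newbie}
CAMAIL=CA@nessus.kab
SRVMAIL=server@nessus.kab

####

# OpenSSL configuration.  '\$dir' is escaped so that OpenSSL, not the shell,
# expands it; every other $VAR is expanded here.
cat <<EOF>"$BASEDIR/std.cnf"
RANDFILE		= $HOME/.rnd
#
[ ca ]
default_ca = NessusCA

[ NessusCA ]
dir		= $BASEDIR		# Where everything is kept
certs		= \$dir			# Where the issued certs are kept
crl_dir		= \$dir			# Where the issued crl are kept
database	= \$dir/index.txt	# database index file.
new_certs_dir	= \$dir			# default place for new certs.

certificate	= $CACERT	 	# The CA certificate
serial		= \$dir/serial 		# The current serial number
crl		= \$dir/crl.pem 	# The current CRL
private_key	= $CAKEY		# The private key

x509_extensions	= usr_cert		# The extensions to add to the cert
crl_extensions	= crl_ext

default_days	= 365		# how long to certify for
default_crl_days= 30			# how long before next CRL
# MD5 signatures are rejected by modern verifiers (and trivially collidable);
# sha256 is the baseline today.
default_md	= sha256			# which md to use.
preserve	= no			# keep passed DN ordering

policy		= policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits		= $KEYBITS
distinguished_name	= req_distinguished_name
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= AU
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State

localityName			= Locality Name (eg, city)

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Internet Widgits Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 40

[ usr_cert ]
# These extensions are added when 'ca' signs a request.

# An end-entity certificate must say so, otherwise a path validator that
# does not require basicConstraints could accept it as an issuer.
basicConstraints=CA:FALSE

# Legacy Netscape type; kept for old clients.  Harmless for modern ones.
nsCertType			= server

# digitalSignature is what (EC)DHE-RSA cipher suites need; keyEncipherment
# covers plain RSA key exchange.  extendedKeyUsage pins the cert to TLS
# server use only.
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# Hostname verification in current TLS clients looks at subjectAltName,
# not at the CN; a certificate without a DNS SAN is rejected outright.
subjectAltName=DNS:$hostname,email:copy

# Copy subject details
issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# Marked critical as PKIX recommends; every current verifier understands it.
basicConstraints = critical,CA:true

# The CA key signs certificates and (in principle) CRLs, nothing else.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF

#####

#
# Create the root CA
#

echo 01 > "$BASEDIR/serial"
touch "$BASEDIR/index.txt"
# umask 077 above makes the key file 0600.
openssl genrsa -out "$CAKEY" "$KEYBITS"


# DN fields are answered on stdin in req_distinguished_name order:
# C, ST, L, O, OU, CN, emailAddress.  '.' leaves a field empty.
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Certification Authority for $hostname
$hostname
$CAMAIL" | 
openssl req -config "$BASEDIR/std.cnf" -new -x509 -days "$CACERT_LIFETIME" -key "$CAKEY" -out "$CACERT"

# Server key (0600 via umask)
openssl genrsa -out "$SRVKEY" "$KEYBITS"

# Server certificate "request"
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Server certificate for $hostname
$hostname
$SRVMAIL" | 
openssl req -config "$BASEDIR/std.cnf" -new -key "$SRVKEY" -out "$SRVREQ"

# Sign the server certificate.  -batch: no interactive confirmation.
openssl ca -config "$BASEDIR/std.cnf" -name NessusCA -batch -days "$SRVCERT_LIFETIME" -in "$SRVREQ" -out "$SRVCERT"

# Certificates are public: make them readable by everyone (they were created
# 0600 by the umask).  The server key is deliberately left at 0600; the
# explicit chmod guards against an inherited, looser mode on an existing file.
chmod a+r "$CACERT" "$SRVCERT"
chmod 600 "$SRVKEY"

# Destroy the CA key: nothing else will ever be signed with it, and a CA key
# lying around next to the server key is only a liability.  (rm does not
# scrub the blocks; use a secure-delete tool if that matters on your disk.)
rm -f -- "$CAKEY"

# Only clear a real terminal; 'clear' fails (and would abort under -e) when
# stdout is a pipe or TERM is unset.
if [ -t 1 ]; then
    clear
fi

printf '%s\n' "**** Certification authority ****
Certificate = $CACERT
***** Nessus server *****
Certificate = $SRVCERT
Private key = $SRVKEY"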

