1 #!/bin/sh 2 # 3 # unbound-control-setup.sh - set up SSL certificates for unbound-control 4 # 5 # Copyright (c) 2008, NLnet Labs. All rights reserved. 6 # 7 # This software is open source. 8 # 9 # Redistribution and use in source and binary forms, with or without 10 # modification, are permitted provided that the following conditions 11 # are met: 12 # 13 # Redistributions of source code must retain the above copyright notice, 14 # this list of conditions and the following disclaimer. 15 # 16 # Redistributions in binary form must reproduce the above copyright notice, 17 # this list of conditions and the following disclaimer in the documentation 18 # and/or other materials provided with the distribution. 19 # 20 # Neither the name of the NLNET LABS nor the names of its contributors may 21 # be used to endorse or promote products derived from this software without 22 # specific prior written permission. 23 # 24 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 26 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 27 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE 28 # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 # POSSIBILITY OF SUCH DAMAGE. 
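# settings:

# directory for files
DESTDIR=/usr/local/etc/unbound

# issuer and subject name for certificates
SERVERNAME=petal
CLIENTNAME=unbound-anchor

# validity period for certificates (in days)
DAYS=7200

# size of keys in bits
BITS=3072

# hash algorithm used to sign both certificates.
# sha1 is no longer acceptable: OpenSSL 3.x at its default security level
# refuses to verify sha1-signed certificates, so unbound-control would fail
# its TLS handshake against a daemon using such a cert.  The value is also
# passed verbatim to "openssl x509 -req" as "-$HASH", so it must be a digest
# name openssl accepts as a command-line option.
HASH=sha256

# base name for unbound server keys
SVR_BASE=test_cert

# base name for unbound-control keys
CTL_BASE=unbound_control

# we want -rw-r--- access (say you run this as root: grp=yes (server), all=no).
# umask 0026 turns a 0666 create into 0640: group-readable on purpose so the
# unbound daemon (same group) can read the private keys, nothing for others.
umask 0026

# end of options

# functions:

# error MESSAGE: print a fatal diagnostic (on stderr, so it is not mixed with
# the progress output) and abort the script with status 1.
error ( ) {
	echo "$0 fatal error: $1" >&2
	exit 1
}

# check arguments:
# only "-d DIR" is accepted; anything else prints usage and exits non-zero.
while test $# -ne 0; do
	case "$1" in
	-d)
		if test $# -eq 1; then error "need argument for -d"; fi
		DESTDIR="$2"
		shift
		;;
	*)
		echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
		echo "	-d dir	use directory to store keys and certificates."
		echo "		default: $DESTDIR"
		echo "please run this command using the same user id that the "
		echo "unbound daemon uses, it needs read privileges."
		exit 1
		;;
	esac
	shift
done

# go!:
# all key and certificate files are created relative to DESTDIR, so refuse
# to continue if it cannot be entered rather than scattering files elsewhere.
echo "setup in directory $DESTDIR"
cd "$DESTDIR" || error "could not cd to $DESTDIR"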
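# create certificate keys; do not recreate if they already exist.
# (the certificates below are always re-issued from whatever key is present)
if test -f "$SVR_BASE.key"; then
	echo "$SVR_BASE.key exists"
else
	echo "generating $SVR_BASE.key"
	openssl genrsa -out "$SVR_BASE.key" "$BITS" || error "could not genrsa"
fi
if test -f "$CTL_BASE.key"; then
	echo "$CTL_BASE.key exists"
else
	echo "generating $CTL_BASE.key"
	openssl genrsa -out "$CTL_BASE.key" "$BITS" || error "could not genrsa"
fi

# create self-signed cert for server.
# This certificate is both the server's own TLS certificate and the issuer
# of the client certificate signed below (keyUsage keyCertSign).  RFC 5280
# requires basicConstraints CA:TRUE on any certificate that is used to
# sign other certificates, and strict X.509 validators (e.g. OpenSSL with
# X509_V_FLAG_X509_STRICT) reject an issuer that lacks it, so mark it as
# a CA explicitly.
cat >request.cfg <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
x509_extensions=v3_ca

[req_distinguished_name]
commonName=$SERVERNAME
emailAddress=$SERVERNAME

[v3_ca]
basicConstraints=critical,CA:TRUE
keyUsage=digitalSignature, keyCertSign
EOF
test -f request.cfg || error "could not create request.cfg"

echo "create $SVR_BASE.pem (self signed certificate)"
openssl req -key "$SVR_BASE.key" -config request.cfg -new -x509 -days "$DAYS" -out "$SVR_BASE.pem" || error "could not create $SVR_BASE.pem"
# create trusted usage pem; it is the -CA input for the client cert below,
# so a failure here must stop the script instead of surfacing later.
openssl x509 -in "$SVR_BASE.pem" -addtrust serverAuth -out "${SVR_BASE}_trust.pem" || error "could not create ${SVR_BASE}_trust.pem"

# create client request and sign it, piped
cat >request.cfg <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name

[req_distinguished_name]
commonName=$CLIENTNAME
EOF
test -f request.cfg || error "could not create request.cfg"

# /bin/sh has no pipefail: the pipeline's status is that of the final
# "openssl x509", which also fails when the req stage produced no request,
# so a single "|| error" covers both stages.  The signature digest is the
# same $HASH used for the server certificate.
echo "create $CTL_BASE.pem (signed client certificate)"
openssl req -key "$CTL_BASE.key" -config request.cfg -new | openssl x509 -req -days "$DAYS" -CA "${SVR_BASE}_trust.pem" -CAkey "$SVR_BASE.key" -CAcreateserial "-$HASH" -out "$CTL_BASE.pem" || error "could not create $CTL_BASE.pem"
test -f "$CTL_BASE.pem" || error "could not create $CTL_BASE.pem"
# create trusted usage pem
# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"

# see details with openssl x509 -noout -text < $SVR_BASE.pem
# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
# echo "preferences - advanced - encryption - view certificates - your certs"
# echo "empty password is used, simply click OK on the password dialog box."
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"

# remove unused permissions.
# Files created in this run are already 0640 because of the umask; this
# also strips world access from keys that existed before this run.
# NOTE(review): recent OpenSSL releases write private keys with mode 0600
# regardless of umask, so the .key files may end up tighter than 0640;
# verify the unbound daemon's user can still read them.
chmod o-rw "$SVR_BASE.pem" "$SVR_BASE.key" "$CTL_BASE.pem" "$CTL_BASE.key"

# remove temporary files (the .srl file was created by -CAcreateserial)
rm -f request.cfg
rm -f "${CTL_BASE}_trust.pem" "${SVR_BASE}_trust.pem" "${SVR_BASE}_trust.srl"

echo "Setup success. Certificates created. Enable in unbound.conf file to use"

exit 0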