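#!/bin/sh
#
# unbound-control-setup.sh - set up SSL certificates for unbound-control
#
# Copyright (c) 2008, NLnet Labs. All rights reserved.
#
# This software is open source.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# Neither the name of the NLNET LABS nor the names of its contributors may
# be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

# What this script produces, in $DESTDIR:
#   $SVR_BASE.key / $SVR_BASE.pem  self-signed server key and certificate;
#                                  the same key also signs the client cert
#   $CTL_BASE.key / $CTL_BASE.pem  client (unbound-control) key and a
#                                  certificate signed by the server key
# Existing .key files are never overwritten, so re-running the script only
# re-issues the certificates.  Temporary files (request.cfg, request.csr,
# *_trust.pem, *_trust.srl) are removed at the end.
#
# Usage: unbound-control-setup.sh [-d dir]
# Run it as the user the unbound daemon runs as (or as root, relying on the
# group-readable file modes set below), since the daemon must read the files.

# settings:

# directory for files
DESTDIR=/usr/local/etc/unbound

# issuer and subject name for certificates
SERVERNAME=petal
CLIENTNAME=unbound-anchor

# validity period for certificates
DAYS=7200

# size of keys in bits
BITS=3072

# hash algorithm for the certificate signatures.  sha1 was used previously,
# but SHA-1 signatures are refused by current OpenSSL at its default
# security level, so such certificates fail peer verification; use sha256.
HASH=sha256

# base name for unbound server keys
SVR_BASE=test_cert

# base name for unbound-control keys
CTL_BASE=unbound_control

# we want -rw-r--- access (say you run this as root: grp=yes (server), all=no).
# NOTE: this deliberately leaves the private keys group-readable; the group
# is how the daemon reaches them when the script is run as root.
umask 0026

# end of options

# functions:

# error MSG - report a fatal error on stderr (so it is not interleaved with
# the progress messages on stdout) and exit with status 1.
error ( ) {
	echo "$0 fatal error: $1" >&2
	exit 1
}

# check arguments:
while test $# -ne 0; do
	case "$1" in
	-d)
		# -d needs a value; "$2" is missing when -d is the last word.
		if test $# -eq 1; then error "need argument for -d"; fi
		DESTDIR="$2"
		shift
		;;
	*)
		echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
		echo "	-d dir	use directory to store keys and certificates."
		echo "		default: $DESTDIR"
		echo "please run this command using the same user id that the "
		echo "unbound daemon uses, it needs read privileges."
		exit 1
		;;
	esac
	shift
done

# go!:
echo "setup in directory $DESTDIR"
cd "$DESTDIR" || error "could not cd to $DESTDIR"

# create certificate keys; do not recreate if they already exist.
# Keys are created under the umask above, i.e. mode 0640.
if test -f "$SVR_BASE.key"; then
	echo "$SVR_BASE.key exists"
else
	echo "generating $SVR_BASE.key"
	openssl genrsa -out "$SVR_BASE.key" "$BITS" || error "could not genrsa"
fi
if test -f "$CTL_BASE.key"; then
	echo "$CTL_BASE.key exists"
else
	echo "generating $CTL_BASE.key"
	openssl genrsa -out "$CTL_BASE.key" "$BITS" || error "could not genrsa"
fi

# create self-signed cert for server
# keyCertSign is needed because this certificate also signs the client cert.
cat >request.cfg <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
x509_extensions=v3_ca

[req_distinguished_name]
commonName=$SERVERNAME
emailAddress=$SERVERNAME

[v3_ca]
keyUsage=digitalSignature, keyCertSign
EOF
test -f request.cfg || error "could not create request.cfg"

echo "create $SVR_BASE.pem (self signed certificate)"
openssl req -key "$SVR_BASE.key" -config request.cfg -new -x509 -days "$DAYS" -out "$SVR_BASE.pem" || error "could not create $SVR_BASE.pem"
# create trusted usage pem (used as the -CA input when signing the client
# cert; removed again at the end)
openssl x509 -in "$SVR_BASE.pem" -addtrust serverAuth -out "${SVR_BASE}_trust.pem" || error "could not create ${SVR_BASE}_trust.pem"

# create client request and sign it
cat >request.cfg <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name

[req_distinguished_name]
commonName=$CLIENTNAME
EOF
test -f request.cfg || error "could not create request.cfg"

echo "create $CTL_BASE.pem (signed client certificate)"
# The request is written to a file rather than piped into the signer: a
# POSIX sh pipeline only reports the status of its last command, and a
# leftover $CTL_BASE.pem from an earlier run would let the "test -f" below
# pass even when the request step had failed.
openssl req -key "$CTL_BASE.key" -config request.cfg -new -out request.csr || error "could not create client certificate request"
openssl x509 -req -days "$DAYS" -CA "${SVR_BASE}_trust.pem" -CAkey "$SVR_BASE.key" -CAcreateserial "-$HASH" -in request.csr -out "$CTL_BASE.pem" || error "could not create $CTL_BASE.pem"
test -f "$CTL_BASE.pem" || error "could not create $CTL_BASE.pem"
# create trusted usage pem
# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"

# see details with openssl x509 -noout -text < $SVR_BASE.pem
# To produce a PKCS#12 bundle of the client cert for a web browser:
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"

# remove unused permissions (the certs were created 0640 by the umask; make
# sure nothing is world-accessible, including pre-existing key files)
chmod o-rw "$SVR_BASE.pem" "$SVR_BASE.key" "$CTL_BASE.pem" "$CTL_BASE.key" || error "could not set file permissions"

# remove temporary files
rm -f request.cfg request.csr
rm -f "${CTL_BASE}_trust.pem" "${SVR_BASE}_trust.pem" "${SVR_BASE}_trust.srl"

echo "Setup success. Certificates created. Enable in unbound.conf file to use"

exit 0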