

Add a contrib script for generating certs for TLS stuff

Review Request #979 - Created Oct. 21, 2010 and submitted

Terry Wilson
/branches/1.8/
Reviewers
asterisk-dev
Asterisk
After suffering through yet another fun day of setting up TLS certs for asterisk, I figured I'd knock out a quick script so I don't ever have to do it again.
I've generated a CA, client, and server cert, installed the client and CA certs on the Blink softphone, and set the server and CA certs in sip.conf. Everything works.

Example:
./ast_tls_cert -C pbx.mycompany.com -O "My Company"
./ast_tls_cert -m client -C "Joe User" -O "My Company" -c ca.crt -k ca.key -o joe_user

The first run would create the CA certs since the -c option wasn't passed and also asterisk.pem which would be copied to /etc/asterisk (or wherever) and used as the tlscertfile in sip.conf. The ca.crt can also be copied over and used as the tlscafile.

The second run would create a client certificate using the previously created CA cert and write out joe_user.pem. I then copied ca.crt and joe_user.pem and configured Blink to use them and to verify the server.

Diff revision 1 (Latest)

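--- /dev/null
+++ b/branches/1.8/contrib/scripts/ast_tls_cert
@@ -0,0 +1,186 @@
+#!/bin/sh -e
+DEFAULT_ORG="Asterisk"
+DEFAULT_CA_CN="Asterisk Private CA"
+DEFAULT_CLIENT_CN="asterisk"
+DEFAULT_SERVER_CN=`hostname -f`
+
+# arguments
+# $1 "ca" if we are to generate a CA cert
+# $2 alternate config file name (for ca)
+# $3 alternate common name
+# $4 alternate org name
+create_config () {
+	if [ "$1" = "ca" ]
+	then
+castring="
+[ext]
+basicConstraints=CA:TRUE"
+	fi
+
+cat > ${2:-"${CONFIG_FILE}"} << EOF
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+CN=${3:-"${COMMON_NAME}"}
+O=${4:-"${ORG_NAME}"}
+${castring}
+EOF
+}
+
+create_ca () {
+	echo "Creating ${CAKEY}"
+	openssl genrsa -des3 -out ${CAKEY} 4096 > /dev/null
+	echo "Creating ${CACERT}"
+	openssl req -new -config ${CACFG} -x509 -days 365 -key ${CAKEY} -out ${CACERT} > /dev/null
+}
+
+create_cert () {
+	local base=${OUTPUT_DIR}/${OUTPUT_BASE}
+	echo "Creating ${base}.key"
+	openssl genrsa -out ${base}.key 1024 > /dev/null
+	echo "Creating signing request"
+	openssl req -batch -new -config ${CONFIG_FILE} -key ${base}.key -out ${base}.csr > /dev/null
+	echo "Creating ${base}.crt"
+	openssl x509 -req -days 365 -in ${base}.csr -CA ${CACERT} -CAkey ${CAKEY} -set_serial 01 -out ${base}.crt > /dev/null
+	echo "Combining key and crt into ${base}.pem"
+	cat ${base}.key > ${base}.pem
+	cat ${base}.crt >> ${base}.pem
+}
+
+usage () {
+cat << EOF
+This script is useful for quickly generating self-signed CA, server, and client
+certificates for use with Asterisk. It is still recommended that to obtain
+certificates from a recognized Certificate Authority and to develop an
+understanding how SSL certificates work. Real security is hard work.
+
+OPTIONS:
+  -h  Show this message
+  -m  Type of cert "client" or "server". Defaults to server.
+  -f  Config filename (will prompt for values if not passed)
+  -c  CA cert filename (creates new CA cert/key as ca.crt/ca.key if not passed)
+  -k  CA key filename
+  -C  Common name (cert field)
+        For a server cert, this should be the same address that clients
+        attempt to connect to. Usually this will be the Fully Qualified
+        Domain Name, but might be the IP of the server. For a CA or client
+        cert, it is merely informational. Make sure your certs have unique
+        common names.
+  -O  Org name (cert field)
+        An informational string (company name)
+  -o  Output filename base (defaults to asterisk) 
+  -d  Output directory (defaults to the current directory)
+
+Example:
+
+To create a CA and a server (pbx.mycompany.com) cert with output in /tmp:
+  ast_tls_cert -C pbx.mycompany.com -O "My Company" -d /tmp
+
+This will create a CA cert and key as well as asterisk.pem and the the two
+files that it is made from: asterisk.crt and asterisk.key. Copy asterisk.pem
+and ca.crt somewhere (like /etc/asterisk) and set tlscertfile=/etc/asterisk.pem
+and tlscafile=/etc/ca.crt. Since this is a self-signed key, many devices will
+require you to import the ca.crt file as a trusted cert.
+
+To create a client cert using the CA cert created by the example above:
+  ast_tls_cert -m client -c /tmp/ca.crt -k /tmp/ca.key -C "Joe User" -O \\
+    "My Company" -d /tmp -o joe_user
+
+This will create client.crt/key/pem in /tmp. Use this if your device supports
+a client certificate. Make sure that you have the ca.crt file set up as
+a tlscafile in the necessary Asterisk configs. Make backups of all .key files
+in case you need them later.
+EOF
+}
+
+if ! type openssl >/dev/null 2>&1
+then
+	echo "This script requires openssl to be in the path"
+	exit 1
+fi
+
+OUTPUT_BASE=asterisk # Our default cert basename
+CERT_MODE=server
+ORG_NAME=${DEFAULT_ORG}
+
+while getopts "hf:c:k:o:d:m:C:O:" OPTION
+do
+	case ${OPTION} in
+		h)
+			usage
+			exit 1
+			;;
+		f)
+			CONFIG_FILE=${OPTARG}
+			;;
+		c)
+			CACERT=${OPTARG}
+			;;
+		k)
+			CAKEY=${OPTARG}
+			;;
+		o)
+			OUTPUT_BASE=${OPTARG}
+			;;
+		d)
+			OUTPUT_DIR=${OPTARG}
+			;;
+		m)
+			CERT_MODE=${OPTARG}
+			;;
+		C)
+			COMMON_NAME=${OPTARG}
+			;;
+		O)
+			ORG_NAME=${OPTARG}
+			;;
+		?)
+			usage
+			exit
+			;;
+	esac
+done
+
+if [ -z "${OUTPUT_DIR}" ]
+then
+	OUTPUT_DIR=.
+else
+	mkdir -p "${OUTPUT_DIR}"
+fi
+
+case "${CERT_MODE}" in
+	server)
+		COMMON_NAME=${COMMON_NAME:-"${DEFAULT_SERVER_CN}"}
+		;;
+	client)
+		COMMON_NAME=${COMMON_NAME:-"${DEFAULT_CLIENT_CN}"}
+		;;
+	*)
+		echo
+		echo "Unknown mode. Exiting."
+		exit 1
+		;;
+esac
+
+if [ -z "${CONFIG_FILE}" ]
+then
+	CONFIG_FILE="${OUTPUT_DIR}/tmp.cfg"
+	echo
+	echo "No config file specified, creating '${CONFIG_FILE}'"
+	echo "You can use this config file to create additional certs without"
+	echo "re-entering the information for the fields in the certificate"
+	create_config
+fi
+
+if [ -z ${CACERT} ]
+then
+	CAKEY=${OUTPUT_DIR}/ca.key
+	CACERT=${OUTPUT_DIR}/ca.crt
+	CACFG=${OUTPUT_DIR}/ca.cfg
+	create_config ca "${CACFG}" "${DEFAULT_CA_CN}" "${DEFAULT_CA_ORG}"
+	create_ca
+fi
+
+create_cert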
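Review bot: `-set_serial 01` in create_cert gives every certificate this CA signs the serial number 1, so the server cert and each client cert (or a regenerated server cert) share the same issuer/serial pair, which X.509 requires to be unique and which peers that track certificates by serial will treat as one certificate; `openssl x509 -req -days 365 -in ${base}.csr -CA ${CACERT} -CAkey ${CAKEY} -CAcreateserial -out ${base}.crt > /dev/null` lets openssl keep an incrementing serial file next to the CA instead. The private keys are also written with the caller's umask, so ca.key, the .key and the combined .pem come out world-readable on a typical system; a `umask 077` at the top of the script (after the shebang) would keep them private, and the 1024-bit end-entity key in `openssl genrsa -out ${base}.key 1024 > /dev/null` is well below the 4096-bit CA key, so 2048 would be the more defensible default. Two smaller points in the CA block near the end: `DEFAULT_CA_ORG` in the `create_config ca ...` call is never defined (the script defines `DEFAULT_ORG`), so the CA's O= field silently falls back to ORG_NAME, and `[ -z ${CACERT} ]` should quote the expansion as the OUTPUT_DIR and CONFIG_FILE checks already do. With `-c` given but `-k` omitted, CAKEY stays empty and the x509 signing step fails only at openssl time; a check that both are set (or both unset) would give a clearer error.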
