From 89a16f9c81cf477d66c5427e483d4f9ff8816c05 Mon Sep 17 00:00:00 2001
From: Terry Wilson <twilson@digium.com>
Date: Fri, 22 Oct 2010 17:16:57 +0000
Subject: [PATCH] Merged revisions 292740 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.8

........
  r292740 | twilson | 2010-10-22 09:49:34 -0700 (Fri, 22 Oct 2010) | 45 lines

  Add TLS cert helper script

  This script is useful for quickly generating self-signed CA, server, and client
  certificates for use with Asterisk. It is still recommended to obtain
  certificates from a recognized Certificate Authority and to develop an
  understanding how SSL certificates work. Real security is hard work.

  OPTIONS:
    -h  Show this message
    -m  Type of cert "client" or "server". Defaults to server.
    -f  Config filename (openssl config file format)
    -c  CA cert filename (creates new CA cert/key as ca.crt/ca.key if not passed)
    -k  CA key filename
    -C  Common name (cert field)
          For a server cert, this should be the same address that clients
          attempt to connect to. Usually this will be the Fully Qualified
          Domain Name, but might be the IP of the server. For a CA or client
          cert, it is merely informational. Make sure your certs have unique
          common names.
    -O  Org name (cert field)
          An informational string (company name)
    -o  Output filename base (defaults to asterisk)
    -d  Output directory (defaults to the current directory)

  Example:

  To create a CA and a server (pbx.mycompany.com) cert with output in /tmp:
    ast_tls_cert -C pbx.mycompany.com -O "My Company" -d /tmp

  This will create a CA cert and key as well as asterisk.pem and the two
  files that it is made from: asterisk.crt and asterisk.key. Copy asterisk.pem
  and ca.crt somewhere (like /etc/asterisk) and set tlscertfile=/etc/asterisk.pem
  and tlscafile=/etc/ca.crt. Since this is a self-signed key, many devices will
  require you to import the ca.crt file as a trusted cert.

  To create a client cert using the CA cert created by the example above:
    ast_tls_cert -m client -c /tmp/ca.crt -k /tmp/ca.key -C "Joe User" -O \
      "My Company" -d /tmp -o joe_user

  This will create client.crt/key/pem in /tmp. Use this if your device supports
  a client certificate. Make sure that you have the ca.crt file set up as
  a tlscafile in the necessary Asterisk configs. Make backups of all .key files
  in case you need them later.
........


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@292743 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 contrib/scripts/ast_tls_cert | 186 +++++++++++++++++++++++++++++++++++
 1 file changed, 186 insertions(+)
 create mode 100755 contrib/scripts/ast_tls_cert

diff --git a/contrib/scripts/ast_tls_cert b/contrib/scripts/ast_tls_cert
new file mode 100755
index 0000000000..618576b7ef
--- /dev/null
+++ b/contrib/scripts/ast_tls_cert
@@ -0,0 +1,186 @@
+#!/bin/sh -e
+DEFAULT_ORG="Asterisk"
+DEFAULT_CA_CN="Asterisk Private CA"
+DEFAULT_CLIENT_CN="asterisk"
+DEFAULT_SERVER_CN=`hostname -f`
+
+# arguments
+# $1 "ca" if we are to generate a CA cert
+# $2 alternate config file name (for ca)
+# $3 alternate common name
+# $4 alternate org name
+create_config () {
+	if [ "$1" = "ca" ]
+	then
+castring="
+[ext]
+basicConstraints=CA:TRUE"
+	fi
+
+cat > ${2:-"${CONFIG_FILE}"} << EOF
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+CN=${3:-"${COMMON_NAME}"}
+O=${4:-"${ORG_NAME}"}
+${castring}
+EOF
+}
+
+create_ca () {
+	echo "Creating ${CAKEY}"
+	openssl genrsa -des3 -out ${CAKEY} 4096 > /dev/null
+	echo "Creating ${CACERT}"
+	openssl req -new -config ${CACFG} -x509 -days 365 -key ${CAKEY} -out ${CACERT} > /dev/null
+}
+
+create_cert () {
+	local base=${OUTPUT_DIR}/${OUTPUT_BASE}
+	echo "Creating ${base}.key"
+	openssl genrsa -out ${base}.key 1024 > /dev/null
+	echo "Creating signing request"
+	openssl req -batch -new -config ${CONFIG_FILE} -key ${base}.key -out ${base}.csr > /dev/null
+	echo "Creating ${base}.crt"
+	openssl x509 -req -days 365 -in ${base}.csr -CA ${CACERT} -CAkey ${CAKEY} -set_serial 01 -out ${base}.crt > /dev/null
+	echo "Combining key and crt into ${base}.pem"
+	cat ${base}.key > ${base}.pem
+	cat ${base}.crt >> ${base}.pem
+}
+
+usage () {
+cat << EOF
+This script is useful for quickly generating self-signed CA, server, and client
+certificates for use with Asterisk. It is still recommended to obtain
+certificates from a recognized Certificate Authority and to develop an
+understanding how SSL certificates work. Real security is hard work.
+
+OPTIONS:
+  -h  Show this message
+  -m  Type of cert "client" or "server". Defaults to server.
+  -f  Config filename (openssl config file format)
+  -c  CA cert filename (creates new CA cert/key as ca.crt/ca.key if not passed)
+  -k  CA key filename
+  -C  Common name (cert field)
+        For a server cert, this should be the same address that clients
+        attempt to connect to. Usually this will be the Fully Qualified
+        Domain Name, but might be the IP of the server. For a CA or client
+        cert, it is merely informational. Make sure your certs have unique
+        common names.
+  -O  Org name (cert field)
+        An informational string (company name)
+  -o  Output filename base (defaults to asterisk) 
+  -d  Output directory (defaults to the current directory)
+
+Example:
+
+To create a CA and a server (pbx.mycompany.com) cert with output in /tmp:
+  ast_tls_cert -C pbx.mycompany.com -O "My Company" -d /tmp
+
+This will create a CA cert and key as well as asterisk.pem and the the two
+files that it is made from: asterisk.crt and asterisk.key. Copy asterisk.pem
+and ca.crt somewhere (like /etc/asterisk) and set tlscertfile=/etc/asterisk.pem
+and tlscafile=/etc/ca.crt. Since this is a self-signed key, many devices will
+require you to import the ca.crt file as a trusted cert.
+
+To create a client cert using the CA cert created by the example above:
+  ast_tls_cert -m client -c /tmp/ca.crt -k /tmp/ca.key -C "Joe User" -O \\
+    "My Company" -d /tmp -o joe_user
+
+This will create client.crt/key/pem in /tmp. Use this if your device supports
+a client certificate. Make sure that you have the ca.crt file set up as
+a tlscafile in the necessary Asterisk configs. Make backups of all .key files
+in case you need them later.
+EOF
+}
+
+if ! type openssl >/dev/null 2>&1
+then
+	echo "This script requires openssl to be in the path"
+	exit 1
+fi
+
+OUTPUT_BASE=asterisk # Our default cert basename
+CERT_MODE=server
+ORG_NAME=${DEFAULT_ORG}
+
+while getopts "hf:c:k:o:d:m:C:O:" OPTION
+do
+	case ${OPTION} in
+		h)
+			usage
+			exit 1
+			;;
+		f)
+			CONFIG_FILE=${OPTARG}
+			;;
+		c)
+			CACERT=${OPTARG}
+			;;
+		k)
+			CAKEY=${OPTARG}
+			;;
+		o)
+			OUTPUT_BASE=${OPTARG}
+			;;
+		d)
+			OUTPUT_DIR=${OPTARG}
+			;;
+		m)
+			CERT_MODE=${OPTARG}
+			;;
+		C)
+			COMMON_NAME=${OPTARG}
+			;;
+		O)
+			ORG_NAME=${OPTARG}
+			;;
+		?)
+			usage
+			exit
+			;;
+	esac
+done
+
+if [ -z "${OUTPUT_DIR}" ]
+then
+	OUTPUT_DIR=.
+else
+	mkdir -p "${OUTPUT_DIR}"
+fi
+
+case "${CERT_MODE}" in
+	server)
+		COMMON_NAME=${COMMON_NAME:-"${DEFAULT_SERVER_CN}"}
+		;;
+	client)
+		COMMON_NAME=${COMMON_NAME:-"${DEFAULT_CLIENT_CN}"}
+		;;
+	*)
+		echo
+		echo "Unknown mode. Exiting."
+		exit 1
+		;;
+esac
+
+if [ -z "${CONFIG_FILE}" ]
+then
+	CONFIG_FILE="${OUTPUT_DIR}/tmp.cfg"
+	echo
+	echo "No config file specified, creating '${CONFIG_FILE}'"
+	echo "You can use this config file to create additional certs without"
+	echo "re-entering the information for the fields in the certificate"
+	create_config
+fi
+
+if [ -z ${CACERT} ]
+then
+	CAKEY=${OUTPUT_DIR}/ca.key
+	CACERT=${OUTPUT_DIR}/ca.crt
+	CACFG=${OUTPUT_DIR}/ca.cfg
+	create_config ca "${CACFG}" "${DEFAULT_CA_CN}" "${DEFAULT_CA_ORG}"
+	create_ca
+fi
+
+create_cert
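Review bot: Every leaf certificate is signed with `-set_serial 01` on the `openssl x509 -req` line in create_cert, so a server cert and any client cert issued by the same ca.key end up with the same issuer and serial number — the usage text walks through exactly that two-cert flow — and peers that index their trust store or session cache by issuer+serial will reject or confuse them; replacing `-set_serial 01` with `-CAcreateserial` (or a per-run serial) fixes it. The leaf key is also generated at 1024 bits while the CA key gets 4096, and both the `.key` and the combined `.pem` (which embeds the private key) are written with the caller's umask, so a `umask 077` near the top of the script and `openssl genrsa -out ${base}.key 2048` are worth adding. Note too that the `[ext]` section emitted into the CA config is not referenced anywhere visible (no `x509_extensions = ext` under `[req]` and no `-extensions ext` on the `req -x509` call), so as far as this hunk shows the CA:TRUE constraint may not make it into ca.crt — worth confirming with `openssl x509 -text -in ca.crt`. Minor: `${DEFAULT_CA_ORG}` on the create_config call is never defined (only `DEFAULT_ORG` is), which silently falls through to `${ORG_NAME}`, and `[ -z ${CACERT} ]` is unquoted and will misparse a path containing whitespace.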
-- 
GitLab