modify-default-setting/createCredential.sh at master · primecloud-controller-org/modify-default-setting · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
#!/bin/sh

cd /etc/openvpn/easy-rsa
source ./vars > /dev/null
./clean-all

#copy stdout to fd 3
exec 3>&1
exec >/dev/null 2>&1

#create root ca
expect -c "
set timeout 2
spawn /etc/openvpn/easy-rsa/build-ca
expect \"Country Name (2 letter code) \[JP\]:\"
send \"\r\"
expect \"State or Province Name (full name) \[CA\]:\"
send \"\r\"
expect \"Locality Name (eg, city) \[Tokyo\]:\"
send \"\r\"
expect \"Organization Name (eg, company) \[PrimeCloud-Controller-ORG\]:\"
send \"\r\"
expect \"Organizational Unit Name (eg, section) \[\]:\"
send \"\r\"
expect \"Common Name (eg, your name or your server's hostname) \[PrimeCloud-Controller-ORG CA\]:\"
send \"\r\"
expect \"Name \[\]:\"
send \"\r\"
expect \"Email Address \[mail@pcc01.dev.primecloud-controller.org\]:\"
send \"\r\"
interact"

cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/

#create server certificate
expect -c "
set timeout 2
spawn /etc/openvpn/easy-rsa/build-key-server server
expect \"Country Name (2 letter code) \[JP\]:\"
send \"\r\"
expect \"State or Province Name (full name) \[CA\]:\"
send \"\r\"
expect \"Locality Name (eg, city) \[Tokyo\]:\"
send \"\r\"
expect \"Organization Name (eg, company) \[PrimeCloud-Controller-ORG\]:\"
send \"\r\"
expect \"Organizational Unit Name (eg, section) \[\]:\"
send \"\r\"
expect \"Common Name (eg, your name or your server's hostname) \[PrimeCloud-Controller-ORG CA\]:\"
send \"\r\"
expect \"Name \[\]:\"
send \"\r\"
expect \"Email Address \[mail@pcc01.dev.primecloud-controller.org\]:\"
send \"\r\"
expect \"A challenge password \[\]:\"
send \"\r\"
expect \"An optional company name \[\]:\"
send \"\r\"
expect \"Sign the certificate? \[y/n\]:\"
send \"y\r\"
expect \"1 out of 1 certificate requests certified, commit? \[y/n\]:\"
send \"y\r\"
interact"

cp /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/keys/server.key /etc/openvpn

#create Diffie-Hellman key
/etc/openvpn/easy-rsa/build-dh
cp /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/

#create TLS key
openvpn --genkey --secret /etc/openvpn/ta.key

#create crl
expect -c "
set timeout 2
spawn /etc/openvpn/easy-rsa/build-key dummy
expect \"Country Name (2 letter code) \[JP\]:\"
send \"\r\"
expect \"State or Province Name (full name) \[CA\]:\"
send \"\r\"
expect \"Locality Name (eg, city) \[Tokyo\]:\"
send \"\r\"
expect \"Organization Name (eg, company) \[PrimeCloud-Controller-ORG\]:\"
send \"\r\"
expect \"Organizational Unit Name (eg, section) \[\]:\"
send \"\r\"
expect \"Common Name (eg, your name or your server's hostname) \[PrimeCloud-Controller-ORG CA\]:\"
send \"\r\"
expect \"Name \[\]:\"
send \"\r\"
expect \"Email Address \[mail@pcc01.dev.primecloud-controller.org\]:\"
send \"\r\"
expect \"A challenge password \[\]:\"
send \"\r\"
expect \"An optional company name \[\]:\"
send \"\r\"
expect \"Sign the certificate? \[y/n\]:\"
send \"y\r\"
expect \"1 out of 1 certificate requests certified, commit? \[y/n\]:\"
send \"y\r\"
interact"

./revoke-full dummy
cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/

#create clinent certificate
expect -c "
set timeout 2
spawn /etc/openvpn/easy-rsa/build-key ec2-vpnclient
expect \"Country Name (2 letter code) \[JP\]:\"
send \"\r\"
expect \"State or Province Name (full name) \[CA\]:\"
send \"\r\"
expect \"Locality Name (eg, city) \[Tokyo\]:\"
send \"\r\"
expect \"Organization Name (eg, company) \[PrimeCloud-Controller-ORG\]:\"
send \"\r\"
expect \"Organizational Unit Name (eg, section) \[\]:\"
send \"\r\"
expect \"Common Name (eg, your name or your server's hostname) \[PrimeCloud-Controller-ORG CA\]:\"
send \"\r\"
expect \"Name \[\]:\"
send \"\r\"
expect \"Email Address \[mail@pcc01.dev.primecloud-controller.org\]:\"
send \"\r\"
expect \"A challenge password \[\]:\"
send \"\r\"
expect \"An optional company name \[\]:\"
send \"\r\"
expect \"Sign the certificate? \[y/n\]:\"
send \"y\r\"
expect \"1 out of 1 certificate requests certified, commit? \[y/n\]:\"
send \"y\r\"
interact"

cp /etc/openvpn/easy-rsa/keys/ec2-vpnclient.key /etc/openvpn/

#set nonpassword clinent certificate
openssl rsa -in /etc/openvpn/easy-rsa/keys/ec2-vpnclient.key -out keys/ec2-vpnclient.key.nopass

cp /etc/openvpn/client.conf /etc/openvpn/easy-rsa/keys/

#create startup/shutdown script for vpn client
touch /etc/openvpn/easy-rsa/keys/openvpn-startup /etc/openvpn/easy-rsa/keys/openvpn-shutdown
chmod a+x /etc/openvpn/easy-rsa/keys/openvpn-startup /etc/openvpn/easy-rsa/keys/openvpn-shutdown


#copy credential set for vpn client
mkdir -p /etc/openvpn/easy-rsa/keys/client && cd keys
cp ca.crt ec2-vpnclient.crt client.conf ec2-vpnclient.key.nopass openvpn-startup openvpn-shutdown /etc/openvpn/ta.key client

#swtich stdout fd 1
exec 1>&3 2>&1

exit 0

htpasswd -b -c -m /etc/httpd/conf/.htpasswd client ${CLIENT_ZIP_PASS}
chmod 644 /etc/httpd/conf/.htpasswd
cp /etc/openvpn/easy-rsa/keys/client/client.zip /opt/adc/keys