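#!/usr/bin/env python3
"""Small self-signed PKI helper driven by the ``openssl`` command-line tool.

Sub-commands: initialise the directory layout, create the CA key/cert,
export the CA in DER form, issue a server certificate through ``openssl ca``
and issue a client-authentication certificate packaged as ``.pfx``.

Every external command is run through ``subprocess.run`` with an argument
list (no shell), so user-supplied names cannot alter the command line, and
``config/ca.config`` is patched and restored in Python instead of ``sed -i``
(a TLD containing ``/`` or regex metacharacters used to corrupt the file).
"""
import getopt
import ipaddress
import os
import shutil
import subprocess
import sys

CONFIG_PATH = "./config/ca.config"
CONFIG_SAMPLE = "./ca.config.sample"
CERT_DIR = "./certificats"
DB_DIR = "./db"
CA_KEY = CERT_DIR + "/ca.key"
CA_CRT = CERT_DIR + "/ca.crt"
# Placeholders in ca.config.sample that are substituted per certificate.
DNS_PLACEHOLDER = "DNSCHANGEME"
IP_PLACEHOLDER = "0.0.0.0"
CN_PLACEHOLDER = "Root Certificate"


def usage():
    """Print the command-line help to stdout."""
    print(' USAGE: ./myPKI.py [OPTIONS]')
    print(' OPTIONS:')
    print('\t-A --initall\t-i -g -d -s')
    print('\t-i --init\tInitialise directorys of PKI')
    print('\t-g --genca\tGenerate CA root')
    print('\t-d --gender\tGenerate DER cert for browser know my self-signed cert')
    print('\t-s --gensign\tGenerate and sign certificate for hosts')
    print('\t-n --genauth\tGenerate and sign certificate for client authenticationf in .pfx format')
    print('\t-h --help\tShows this help')


def _run(*argv):
    """Run an external command without a shell.

    Args:
        *argv: the program and its arguments, one list element each.

    Raises:
        subprocess.CalledProcessError: if the command exits non-zero, so a
            failed step (e.g. key generation) does not silently continue.
    """
    subprocess.run(list(argv), check=True)


def _ask_name(prompt):
    """Prompt for a value that becomes part of a file name under ``CERT_DIR``.

    Args:
        prompt: text shown to the user.

    Returns:
        The stripped answer.

    Raises:
        ValueError: on empty input or input containing a path separator or
            a relative-path component, which would otherwise escape the
            certificate directory.
    """
    value = input(prompt).strip()
    if not value or "/" in value or os.sep in value or value in (".", ".."):
        raise ValueError(f"invalid name: {value!r}")
    return value


def _ask_ipv4(prompt):
    """Prompt for an IPv4 address and return it in canonical dotted form.

    Raises:
        ValueError: if the answer is not a valid IPv4 address
            (``ipaddress.AddressValueError`` is a ``ValueError``).
    """
    return str(ipaddress.IPv4Address(input(prompt).strip()))


def _patch_config(replacements):
    """Substitute placeholders in ``CONFIG_PATH`` in place.

    Args:
        replacements: sequence of ``(old, new)`` pairs applied in order with
            plain ``str.replace`` (no regex, so the values are taken literally).

    Returns:
        The original file content, to be handed back to ``_restore_config``.
    """
    with open(CONFIG_PATH, encoding="utf-8") as fh:
        original = fh.read()
    patched = original
    for old, new in replacements:
        patched = patched.replace(old, new)
    with open(CONFIG_PATH, "w", encoding="utf-8") as fh:
        fh.write(patched)
    return original


def _restore_config(text):
    """Write ``text`` (the content saved by ``_patch_config``) back to ``CONFIG_PATH``.

    Restoring the saved text is exact, unlike reversing the substitutions,
    which loses data whenever the substituted value also occurs elsewhere.
    """
    with open(CONFIG_PATH, "w", encoding="utf-8") as fh:
        fh.write(text)


def _restrict_private_key(path):
    """Make a freshly generated private key readable by its owner only."""
    os.chmod(path, 0o600)


def generate_client_auth_cert():
    """Issue a client-authentication certificate and bundle it as ``.pfx``.

    Prompts for the TLD and client name, patches ``ca.config``, generates a
    4096-bit RSA key, a CSR, signs it directly with the CA key/cert and
    exports key + cert + CA into ``./<client>.full.pfx``.  ``ca.config`` is
    restored afterwards even on failure (the previous version left it
    patched, so the next run could no longer find the placeholders).

    Raises:
        ValueError: on an invalid TLD or client name.
        subprocess.CalledProcessError: if an ``openssl`` step fails.
    """
    tld = _ask_name("=> TLD of your certificate :")
    client_name = _ask_name("=> Client Name :")
    key = f"{CERT_DIR}/{client_name}_{tld}.key"
    csr = f"{CERT_DIR}/{client_name}-remote.csr"
    pem = f"{CERT_DIR}/{client_name}-remote.pem"
    pfx = f"./{client_name}.full.pfx"
    saved = _patch_config([(DNS_PLACEHOLDER, tld), (CN_PLACEHOLDER, tld)])
    try:
        print("=> Création du certificat client")
        _run("openssl", "genrsa", "-out", key, "4096")
        _restrict_private_key(key)
        print("[*] " + client_name + "_" + tld + ".key is done")
        _run("openssl", "req", "-new", "-config", CONFIG_PATH,
             "-key", key, "-out", csr)
        print("[*] CSR Request completed !")
        # NOTE(review): every client certificate is issued with serial 001
        # under the same issuer.  Duplicate serials break revocation and
        # client-side caching; server certs go through `openssl ca`, which
        # tracks serials in ./db/ca.db.serial -- consider doing the same here.
        _run("openssl", "x509", "-req", "-days", "3650", "-in", csr,
             "-CA", CA_CRT, "-CAkey", CA_KEY, "-set_serial", "001",
             "-out", pem)
        print("[*] Sign OK")
        _run("openssl", "pkcs12", "-export", "-out", pfx, "-inkey", key,
             "-in", pem, "-certfile", CA_CRT)
        print("[*] Certificate OK")
    finally:
        _restore_config(saved)


def generate_sign():
    """Issue a server certificate for a host through ``openssl ca``.

    Prompts for the TLD and IPv4 address, patches ``ca.config``, generates
    a 4096-bit RSA key and CSR, signs via the CA database and writes
    ``./<tld>.crt``.  ``ca.config`` is restored to its exact previous content.

    Raises:
        ValueError: on an invalid TLD or IPv4 address.
        subprocess.CalledProcessError: if an ``openssl`` step fails.
    """
    tld = _ask_name("=> TLD of your certificate :")
    ip_addr = _ask_ipv4("=> IPv4 :")
    key = f"{CERT_DIR}/{tld}.key"
    csr = f"{CERT_DIR}/{tld}.csr"
    crt = tld + ".crt"
    saved = _patch_config([(DNS_PLACEHOLDER, tld), (IP_PLACEHOLDER, ip_addr),
                           (CN_PLACEHOLDER, tld)])
    try:
        _run("openssl", "genrsa", "-out", key, "4096")
        _restrict_private_key(key)
        _run("openssl", "req", "-days", "3650", "-new", "-config", CONFIG_PATH,
             "-key", key, "-out", csr)
        # `openssl ca` may prompt interactively; stdin is inherited.
        _run("openssl", "ca", "-out", crt, "-config", CONFIG_PATH,
             "-infiles", csr)
    finally:
        _restore_config(saved)
    print("[*] Certificate Signed !")


def generate_der():
    """Export the CA certificate in DER form for import into browsers.

    Raises:
        subprocess.CalledProcessError: if ``openssl`` fails.
    """
    _run("openssl", "x509", "-in", CA_CRT, "-outform", "DER",
         "-out", CERT_DIR + "/ca.der")
    print("[*] Put public CA ./certificats/ca.der on all browser you see !")


def generate_ca():
    """Create the CA private key and self-signed certificate if absent.

    Raises:
        subprocess.CalledProcessError: if an ``openssl`` step fails.
    """
    if os.path.isfile(CA_KEY):
        print("[x] CA Certificate already exist...")
        return
    _run("openssl", "genrsa", "-out", CA_KEY, "4096")
    _restrict_private_key(CA_KEY)
    _run("openssl", "req", "-utf8", "-new", "-x509", "-days", "3000",
         "-config", CONFIG_PATH, "-key", CA_KEY, "-out", CA_CRT)
    print("[*] CA Certificate done !")


def init_dir():
    """Create the PKI directory layout and the ``openssl ca`` database files.

    Creates ``./db/ca.db.certs``, ``./config`` and ``./certificats``,
    seeds the serial file with ``01``, creates empty index files and copies
    ``./ca.config.sample`` to ``./config/ca.config``.  Directories are created
    with ``exist_ok=True`` so a partially initialised tree does not abort.

    Raises:
        FileNotFoundError: if ``./ca.config.sample`` is missing (previously the
            ``cp`` error was ignored and the tool failed later).
    """
    certs_db = DB_DIR + "/ca.db.certs"
    if os.path.exists(certs_db):
        print("[x] Directorys already exist")
        return
    print("[*] Creating directories")
    for directory in (certs_db, "./config", CERT_DIR):
        os.makedirs(directory, exist_ok=True)
    with open(DB_DIR + "/ca.db.serial", "w", encoding="utf-8") as fh:
        fh.write("01\n")
    # `openssl ca` needs these to exist, empty.
    open(DB_DIR + "/ca.db.index", "w").close()
    open(DB_DIR + "/ca.db.index.attr", "a").close()
    shutil.copy(CONFIG_SAMPLE, CONFIG_PATH)


def main():
    """Parse command-line options and dispatch to the selected actions.

    Exits with status 2 on a bad option or invalid interactive input, and
    with the ``openssl`` exit status if an external step fails.
    """
    try:
        opts, _args = getopt.getopt(
            sys.argv[1:], "Ahigdsn",
            ["initall", "help", "init", "genca", "gender", "gensign", "genauth"])
    except getopt.GetoptError as err:
        print(err, file=sys.stderr)
        usage()
        sys.exit(2)
    # Each test is a real tuple: the previous `o in ("--help")` was a
    # substring test on a string, which silently ignored -A, -d, -s and -n.
    try:
        for o, _a in opts:
            if o in ("-h", "--help"):
                usage()
                sys.exit()
            elif o in ("-g", "--genca"):
                generate_ca()
            elif o in ("-i", "--init"):
                init_dir()
            elif o in ("-d", "--gender"):
                generate_der()
            elif o in ("-s", "--gensign"):
                generate_sign()
            elif o in ("-n", "--genauth"):
                generate_client_auth_cert()
            elif o in ("-A", "--initall"):
                init_dir()
                generate_ca()
                generate_der()
                generate_sign()
                sys.exit()
    except ValueError as err:
        print(f"[x] {err}", file=sys.stderr)
        sys.exit(2)
    except subprocess.CalledProcessError as err:
        print(f"[x] command failed: {' '.join(err.cmd)}", file=sys.stderr)
        sys.exit(err.returncode or 1)


if __name__ == "__main__":
    main()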