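#!/usr/bin/env python3
"""Small interactive PKI helper driven by the ``openssl`` command-line tool.

Everything lives under the working directory: ``./config/ca.config`` (copied
from ``./ca.config.sample`` by ``--init``), ``./certificats`` for keys, CSRs
and certificates, and ``./db`` for the ``openssl ca`` index/serial files.
The per-host and per-client commands temporarily substitute placeholders in
``ca.config`` and restore the original text afterwards.
"""
import contextlib
import getopt
import ipaddress
import os
import shutil
import subprocess
import sys

CONFIG_PATH = "./config/ca.config"
CERT_DIR = "./certificats"

# Placeholders expected in ca.config.sample; the per-host / per-client
# helpers replace them for the duration of one openssl run.
DNS_PLACEHOLDER = "DNSCHANGEME"
IP_PLACEHOLDER = "0.0.0.0"
NAME_PLACEHOLDER = "Root Certificate"

# (short letter, long name) for every option; the long name doubles as the
# action name that main() dispatches on.
OPTION_TABLE = (
    ("A", "initall"),
    ("h", "help"),
    ("i", "init"),
    ("g", "genca"),
    ("d", "gender"),
    ("s", "gensign"),
    ("n", "genauth"),
)
# "-A" -> "initall", "--initall" -> "initall", ...
ACTION_BY_OPTION = {
    prefix + name: action
    for letter, action in OPTION_TABLE
    for prefix, name in (("-", letter), ("--", action))
}


def usage() -> None:
    """Print the command-line help to stdout."""
    print(' USAGE: ./myPKI.py [OPTIONS]')
    print(' OPTIONS:')
    print('\t-A --initall\t-i -g -d -s')
    print('\t-i --init\tInitialise directorys of PKI')
    print('\t-g --genca\tGenerate CA root')
    print('\t-d --gender\tGenerate DER cert for browser know my self-signed cert')
    print('\t-s --gensign\tGenerate and sign certificate for hosts')
    print('\t-n --genauth\tGenerate and sign certificate for client authentication in .pfx format')
    print('\t-h --help\tShows this help')


def parse_actions(argv: list[str]) -> list[str]:
    """Translate command-line options into an ordered list of action names.

    Args:
        argv: the arguments without the program name (``sys.argv[1:]``).

    Returns:
        Action names (``"help"``, ``"init"``, ``"genca"``, ...) in the order
        the options were given; an empty list when no option was passed.

    Raises:
        getopt.GetoptError: on an unknown option.
    """
    short_opts = "".join(letter for letter, _ in OPTION_TABLE)
    long_opts = [action for _, action in OPTION_TABLE]
    opts, _positional = getopt.getopt(argv, short_opts, long_opts)
    # The original compared each option against a bare string with ``in``,
    # which is a substring test; "-A" and "-n" never matched and were
    # silently ignored.  A table lookup has no such ambiguity.
    return [ACTION_BY_OPTION[opt] for opt, _value in opts]


def check_name(value: str) -> str:
    """Return *value* if it is safe to use as a single file-name component.

    The interactive answers (TLD, client name) are spliced into paths under
    ./certificats and into the config file; a path separator or ``..`` would
    let the answer escape that directory, and an empty answer would produce
    unusable file names.

    Raises:
        ValueError: when *value* is empty, ``.``/``..`` or contains a
            path separator.
    """
    value = value.strip()
    separators = {"/", "\\", os.sep}
    if not value or value in (".", "..") or any(sep in value for sep in separators):
        raise ValueError(f"unsafe value for a file name: {value!r}")
    return value


def render_config(template: str, replacements: dict[str, str]) -> str:
    """Apply *replacements* (placeholder -> value) to *template* in order."""
    text = template
    for placeholder, value in replacements.items():
        text = text.replace(placeholder, value)
    return text


@contextlib.contextmanager
def patched_config(replacements: dict[str, str]):
    """Temporarily rewrite CONFIG_PATH with *replacements* applied.

    The original text is kept in memory and written back on exit whether the
    body succeeded or raised.  The earlier reverse-replace approach could not
    restore 'Root Certificate' once the TLD had already been mapped back to
    DNSCHANGEME, and left the file patched when an openssl step failed.
    """
    with open(CONFIG_PATH, "r") as fh:
        original = fh.read()
    with open(CONFIG_PATH, "w") as fh:
        fh.write(render_config(original, replacements))
    try:
        yield
    finally:
        with open(CONFIG_PATH, "w") as fh:
            fh.write(original)


def run_openssl(*args: str) -> None:
    """Run ``openssl`` with *args* as an argument vector, without a shell.

    User-supplied names are passed as separate argv entries, so shell
    metacharacters in an answer are not interpreted.

    Raises:
        subprocess.CalledProcessError: on a non-zero exit, so a failed step is
            not followed by a misleading "OK" message.
    """
    subprocess.run(["openssl", *args], check=True)


def generate_private_key(path: str) -> None:
    """Create a 4096-bit RSA private key at *path*, readable by the owner only."""
    run_openssl("genrsa", "-out", path, "4096")
    # The key file is created under the process umask; tighten it explicitly.
    os.chmod(path, 0o600)


def generate_client_auth_cert() -> None:
    """Issue a client-authentication certificate and bundle it as a .pfx.

    Prompts for the TLD and client name, then: RSA key, CSR from the patched
    config, self-contained signing with the CA key, and a PKCS#12 export
    written to the working directory.
    """
    print("\n\nGénération d'un certificat client pour authentification")
    print("=========================================================\n")
    tld = check_name(input("=> TLD of your certificate :"))
    client_name = check_name(input("=> Client Name :"))

    key_path = f"{CERT_DIR}/{client_name}_{tld}.key"
    csr_path = f"{CERT_DIR}/{client_name}-remote.csr"
    cert_path = f"{CERT_DIR}/{client_name}-remote.pem"
    pfx_path = f"./{client_name}.full.pfx"

    with patched_config({DNS_PLACEHOLDER: tld, NAME_PLACEHOLDER: tld}):
        print("=> Création du certificat client")
        generate_private_key(key_path)
        print("[*] " + client_name + "_" + tld + ".key is done")
        run_openssl("req", "-new", "-config", CONFIG_PATH,
                    "-key", key_path, "-out", csr_path)
        print("[*] CSR Request completed !")
        # NOTE(review): "-set_serial 001" gives every client certificate the
        # same serial number.  Serials must be unique per issuer, and
        # duplicates make revocation by serial ambiguous; consider drawing the
        # serial from ./db/ca.db.serial as the host path ("openssl ca") does.
        run_openssl("req", "-x509", "-days", "3650", "-in", csr_path,
                    "-CA", f"{CERT_DIR}/ca.crt", "-CAkey", f"{CERT_DIR}/ca.key",
                    "-set_serial", "001", "-out", cert_path)
        print("[*] Sign OK")
        run_openssl("pkcs12", "-export", "-out", pfx_path, "-inkey", key_path,
                    "-in", cert_path, "-certfile", f"{CERT_DIR}/ca.crt")
        print("[*] Certificate OK")


def generate_sign() -> None:
    """Issue a host certificate signed through ``openssl ca``.

    Prompts for the TLD and an IPv4 address; the address is validated with
    ``ipaddress`` before being substituted into the config.  The signed
    certificate is written as ``<tld>.crt`` in the working directory (kept
    from the original behaviour), the key and CSR under ./certificats.
    """
    print("\n\nGénération d'un certificat pour un hôte")
    print("=====================================\n")
    tld = check_name(input("=> TLD of your certificate :"))
    ip_addr = str(ipaddress.IPv4Address(input("=> IPv4 :").strip()))

    key_path = f"{CERT_DIR}/{tld}.key"
    csr_path = f"{CERT_DIR}/{tld}.csr"
    replacements = {
        DNS_PLACEHOLDER: tld,
        IP_PLACEHOLDER: ip_addr,
        NAME_PLACEHOLDER: tld,
    }

    with patched_config(replacements):
        print("=> Création du certificat pour " + tld)
        generate_private_key(key_path)
        print("[*] " + tld + ".key is done")
        print("=> Création de la CSR")
        run_openssl("req", "-new", "-config", CONFIG_PATH,
                    "-key", key_path, "-out", csr_path)
        print("[*] CSR Request completed !")
        print("=> Signature du certificat")
        run_openssl("ca", "-out", tld + ".crt", "-config", CONFIG_PATH,
                    "-infiles", csr_path)
        print("[*] Sign OK")
    print("[*] Certificate Signed !")


def generate_der() -> None:
    """Export the CA certificate in DER form for browser import, once."""
    print("\n\nGénération d'un certificat DER pour les navigateurs")
    print("=================================================\n")
    der_path = f"{CERT_DIR}/ca.der"
    if os.path.isfile(der_path):
        print("[x] DER Certificate already exist...")
        return
    run_openssl("x509", "-in", f"{CERT_DIR}/ca.crt", "-outform", "DER",
                "-out", der_path)
    print("[*] Put public CA ./certificats/ca.der on all browser you see !")


def generate_ca() -> None:
    """Create the root CA key and self-signed certificate if absent."""
    print("\n\nGénération d'une autorité de certification")
    print("========================================\n")
    key_path = f"{CERT_DIR}/ca.key"
    if os.path.isfile(key_path):
        print("[x] CA Certificate already exist...")
        return
    generate_private_key(key_path)
    run_openssl("req", "-utf8", "-new", "-x509", "-days", "3000",
                "-config", CONFIG_PATH, "-key", key_path,
                "-out", f"{CERT_DIR}/ca.crt")
    print("[*] CA Certificate done !")


def init_dir() -> None:
    """Create the db/config/certificats layout and the ``openssl ca`` state files.

    ``./db/ca.db.certs`` is the marker: when it exists nothing is touched.
    """
    print("\n\nInitialisation des répertoires")
    print("================================\n")
    if os.path.exists("./db/ca.db.certs"):
        print("[x] Directorys already exist")
        return
    print("[*] Creating directories")
    os.makedirs("./db/ca.db.certs")
    os.makedirs("./config", exist_ok=True)
    os.makedirs(CERT_DIR, exist_ok=True)
    # Plain file operations replace the former shell echo/cp/touch calls.
    with open("./db/ca.db.serial", "w") as fh:
        fh.write("01\n")
    with open("./db/ca.db.index", "w"):
        pass  # empty index (was: cp /dev/null)
    shutil.copyfile("./ca.config.sample", CONFIG_PATH)
    with open("./db/ca.db.index.attr", "a"):
        pass  # touch


# Single-step actions; "help" and "initall" are handled in main().
ACTIONS = {
    "init": init_dir,
    "genca": generate_ca,
    "gender": generate_der,
    "gensign": generate_sign,
    "genauth": generate_client_auth_cert,
}


def main() -> None:
    """Parse the command line and run the requested actions in order."""
    try:
        actions = parse_actions(sys.argv[1:])
    except getopt.GetoptError as err:
        sys.stderr.write(str(err) + "\n")
        usage()
        sys.exit(2)
    if not actions:
        usage()
        sys.exit()
    try:
        for action in actions:
            if action == "help":
                usage()
                sys.exit()
            elif action == "initall":
                for step in (init_dir, generate_ca, generate_der, generate_sign):
                    step()
                sys.exit()
            else:
                ACTIONS[action]()
    except subprocess.CalledProcessError as err:
        sys.stderr.write("[x] command failed: " + " ".join(err.cmd) + "\n")
        sys.exit(err.returncode or 1)
    except ValueError as err:
        # Rejected interactive input (unsafe name, malformed IPv4 address).
        sys.stderr.write("[x] " + str(err) + "\n")
        sys.exit(1)


if __name__ == "__main__":
    main()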