- #!/usr/bin/env python3
import getopt
import ipaddress
import os
import subprocess
import sys
def usage():
    """Print the command-line synopsis and the list of supported options."""
    help_lines = (
        ' USAGE: ./myPKI.py [OPTIONS]',
        ' OPTIONS:',
        '\t-A --initall\t-i -g -d -s',
        '\t-i --init\tInitialise directorys of PKI',
        '\t-g --genca\tGenerate CA root',
        '\t-d --gender\tGenerate DER cert for browser know my self-signed cert',
        '\t-s --gensign\tGenerate and sign certificate for hosts',
        '\t-n --genauth\tGenerate and sign certificate for client authenticationf in .pfx format',
        '\t-h --help\tShows this help',
    )
    # One write instead of nine: joined with '\n', print adds the final newline.
    print('\n'.join(help_lines))
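def generate_client_auth_cert():
    """Interactively create a client-authentication certificate bundle (.pfx).

    Prompts for a TLD and a client name, then:
      1. patches ./config/ca.config ('DNSCHANGEME' and 'Root Certificate' -> TLD),
      2. generates a 4096-bit RSA key and a CSR for the client,
      3. signs the CSR with ./certificats/ca.crt + ./certificats/ca.key,
      4. exports key + certificate + CA into ./<client_name>.full.pfx.
    The untouched ca.config is written back afterwards, even if a step fails.

    Raises:
        ValueError: if the TLD or client name is empty, is '.' or '..', or
            contains anything other than letters, digits, '.', '-' and '_'
            (both values become path components and config-file text).
        subprocess.CalledProcessError: if an openssl step exits non-zero.
    """
    print("\n\nGénération d'un certificat client pour authentification")
    print("=========================================================\n")
    tld = input("=> TLD of your certificate :")
    client_name = input("=> Client Name :")

    # Both answers are used unescaped as file-name parts; reject anything that
    # could escape ./certificats/ or confuse the config substitution below.
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_")
    for label, value in (("TLD", tld), ("Client Name", client_name)):
        if not value or value in (".", "..") or set(value) - allowed:
            raise ValueError(label + " may only contain letters, digits, '.', '-' and '_': " + repr(value))

    key_path = "./certificats/" + client_name + "_" + tld + ".key"
    csr_path = "./certificats/" + client_name + "-remote.csr"
    pem_path = "./certificats/" + client_name + "-remote.pem"
    pfx_path = "./" + client_name + ".full.pfx"

    # ca.config is a template whose placeholders are swapped for the requested
    # TLD only for the duration of this run; keep the pristine text to restore.
    with open("./config/ca.config", "r") as file:
        original_config = file.read()
    patched_config = original_config.replace("DNSCHANGEME", tld).replace("Root Certificate", tld)
    with open("./config/ca.config", "w") as file:
        file.write(patched_config)
    try:
        print("=> Création du certificat client")
        # Argument lists with no shell: the user-supplied names are never parsed by /bin/sh.
        subprocess.run(["openssl", "genrsa", "-out", key_path, "4096"], check=True)
        print("[*] " + client_name + "_" + tld + ".key is done")
        subprocess.run(["openssl", "req", "-new", "-config", "config/ca.config",
                        "-key", key_path, "-out", csr_path], check=True)
        print("[*] CSR Request completed !")
        # NOTE(review): -set_serial 001 gives every client certificate issued this
        # way the same serial number under the CA; generate_sign() goes through the
        # CA database (openssl ca) instead, which hands out unique serials.
        subprocess.run(["openssl", "req", "-x509", "-days", "3650", "-in", csr_path,
                        "-CA", "./certificats/ca.crt", "-CAkey", "./certificats/ca.key",
                        "-set_serial", "001", "-out", pem_path], check=True)
        print("[*] Sign OK")
        subprocess.run(["openssl", "pkcs12", "-export", "-out", pfx_path, "-inkey", key_path,
                        "-in", pem_path, "-certfile", "./certificats/ca.crt"], check=True)
        print("[*] Certificate OK")
    finally:
        # Restore the saved template instead of reverse-substituting: replacing
        # tld with 'DNSCHANGEME' first left nothing for 'Root Certificate' to
        # come back from, so the CN placeholder was lost after every run.
        with open("./config/ca.config", "w") as file:
            file.write(original_config)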
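def generate_sign():
    """Interactively create and CA-sign a server certificate for one host.

    Prompts for a TLD (host name) and an IPv4 address, then:
      1. patches ./config/ca.config ('DNSCHANGEME' / 'Root Certificate' -> TLD,
         '0.0.0.0' -> the address),
      2. generates a 4096-bit RSA key and a CSR in ./certificats/,
      3. signs the CSR through the CA database (openssl ca); the signed
         certificate is written as ./<tld>.crt in the current directory.
    The untouched ca.config is written back afterwards, even if a step fails.

    Raises:
        ValueError: if the TLD is empty, is '.' or '..', or contains anything
            other than letters, digits, '.', '-' and '_', or if the address
            is not a valid IPv4 address.
        subprocess.CalledProcessError: if an openssl step exits non-zero.
    """
    print("\n\nGénération d'un certificat pour un hôte")
    print("=====================================\n")
    tld = input("=> TLD of your certificate :")
    ip_addr = input("=> IPv4 :")

    # The TLD becomes a file-name part and config text; the address is only
    # config text but is validated so that a stray string cannot be injected.
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_")
    if not tld or tld in (".", "..") or set(tld) - allowed:
        raise ValueError("TLD may only contain letters, digits, '.', '-' and '_': " + repr(tld))
    ip_addr = str(ipaddress.IPv4Address(ip_addr))  # raises ValueError on bad input

    key_path = "./certificats/" + tld + ".key"
    csr_path = "certificats/" + tld + ".csr"
    crt_path = tld + ".crt"

    # Changement du fichier de config: keep the pristine text so it can be
    # restored exactly instead of reverse-substituting.
    with open("./config/ca.config", "r") as file:
        original_config = file.read()
    patched_config = (original_config.replace("DNSCHANGEME", tld)
                      .replace("0.0.0.0", ip_addr)
                      .replace("Root Certificate", tld))
    with open("./config/ca.config", "w") as file:
        file.write(patched_config)
    try:
        # Création des certificats — argument lists, so the host name never
        # reaches /bin/sh unquoted.
        print("=> Création du certificat pour " + tld)
        subprocess.run(["openssl", "genrsa", "-out", key_path, "4096"], check=True)
        print("[*] " + tld + ".key is done")
        print("=> Création de la CSR")
        subprocess.run(["openssl", "req", "-new", "-config", "config/ca.config",
                        "-key", key_path, "-out", csr_path], check=True)
        print("[*] CSR Request completed !")
        print("=> Signature du certificat")
        subprocess.run(["openssl", "ca", "-out", crt_path, "-config", "config/ca.config",
                        "-infiles", csr_path], check=True)
        print("[*] Sign OK")
    finally:
        # On restaure ca.config d'origine. The previous reverse replace mapped
        # tld to 'DNSCHANGEME' first, so 'Root Certificate' was never restored.
        with open("./config/ca.config", "w") as file:
            file.write(original_config)
    print("[*] Certificate Signed !")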
def generate_der():
    """Export the CA certificate in DER form for import into browsers.

    Converts certificats/ca.crt to certificats/ca.der; if the DER file already
    exists nothing is written and a notice is printed instead.
    """
    der_path = "./certificats/ca.der"
    print("\n\nGénération d'un certificat DER pour les navigateurs")
    print("=================================================\n")
    if os.path.isfile(der_path):
        print("[x] DER Certificate already exist...")
        return
    # Fixed literal paths only, no user input reaches this shell command.
    os.system("openssl x509 -in certificats/ca.crt -outform DER -out certificats/ca.der")
    print("[*] Put public CA ./certificats/ca.der on all browser you see !")
def generate_ca():
    """Create the root CA key and self-signed certificate.

    Writes ./certificats/ca.key (4096-bit RSA) and ./certificats/ca.crt
    (self-signed, 3000 days, subject taken from ./config/ca.config). Skips
    both steps with a notice when ca.key is already present.
    """
    print("\n\nGénération d'une autorité de certification")
    print("========================================\n")
    if os.path.isfile("./certificats/ca.key"):
        print("[x] CA Certificate already exist...")
        return
    # NOTE(review): genrsa without a passphrase option writes ca.key in the
    # clear; the CA key is the trust root for everything this tool signs.
    ca_steps = (
        "openssl genrsa -out ./certificats/ca.key 4096",
        "openssl req -utf8 -new -x509 -days 3000 -config ./config/ca.config "
        "-key ./certificats/ca.key -out ./certificats/ca.crt",
    )
    for command in ca_steps:
        os.system(command)
    print("[*] CA Certificate done !")
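def init_dir():
    """Create the PKI working tree in the current directory.

    Creates ./db/ca.db.certs, ./config and ./certificats, seeds the CA
    database files (serial '01', empty index and index.attr) and copies
    ./ca.config.sample to ./config/ca.config. The presence of
    ./db/ca.db.certs is the marker that initialisation already happened;
    ./config and ./certificats may pre-exist without causing an error.

    Raises:
        FileNotFoundError: if ./ca.config.sample is missing (the shell `cp`
            used before failed silently and left no config at all).
    """
    print("\n\nInitialisation des répertoires")
    print("================================\n")
    if os.path.exists("./db/ca.db.certs"):
        print("[x] Directorys already exist")
        return
    print("[*] Creating directories")
    os.makedirs("./db/ca.db.certs")
    os.makedirs("./config", exist_ok=True)
    os.makedirs("./certificats", exist_ok=True)
    # Plain file operations replace `echo`, `cp` and `touch` shell-outs so a
    # failure is raised instead of ignored.
    with open("./db/ca.db.serial", "w") as serial_file:
        serial_file.write("01\n")  # same bytes as `echo '01'`
    open("./db/ca.db.index", "w").close()  # empty file, like `cp /dev/null`
    with open("./ca.config.sample", "rb") as sample, open("./config/ca.config", "wb") as config:
        config.write(sample.read())
    open("./db/ca.db.index.attr", "a").close()  # `touch`: create, keep if present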
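def main():
    """Parse the command line and run the selected PKI step(s).

    Accepts the long options listed in usage() and their one-letter aliases.
    Exit status: 2 on an unknown option (message on stderr, then usage); 0
    after --help, after --initall, or when no option was given (usage printed).
    """
    try:
        opts, _args = getopt.getopt(
            sys.argv[1:],
            "Ahigdsn",
            ["initall", "help", "init", "genca", "gender", "gensign", "genauth"],
        )
    except getopt.GetoptError as err:
        sys.stderr.write(str(err) + "\n")
        usage()
        sys.exit(2)
    if not opts:
        usage()
        sys.exit()
    for opt, _value in opts:
        # Real tuples here: `o in ("--help")` was a substring test against one
        # string, so the short forms only worked by accident and -A / -n,
        # which are not substrings of their long names, did nothing at all.
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-g", "--genca"):
            generate_ca()
        elif opt in ("-i", "--init"):
            init_dir()
        elif opt in ("-d", "--gender"):
            generate_der()
        elif opt in ("-s", "--gensign"):
            generate_sign()
        elif opt in ("-n", "--genauth"):
            generate_client_auth_cert()
        elif opt in ("-A", "--initall"):
            init_dir()
            generate_ca()
            generate_der()
            generate_sign()
            sys.exit()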
# Run the CLI only when executed as a script, never on import.
if __name__ == '__main__':
    main()